
@shouya
Forked from arisada/lnx-blaster2.sh
Last active October 25, 2016 04:08
# "Fake root" demonstration: build a shared object whose uid/gid functions
# always return 0 and preload it, so that dynamically linked programs
# started afterwards (here: id, then sh) are told they run as uid 0.
# Nothing below changes the credentials the kernel holds for the process;
# only the answers handed back inside the process are replaced.
# NOTE(review): glibc's secure-execution mode restricts LD_PRELOAD for
# set-user-ID programs, so this shim is not expected to follow a real
# privilege boundary. Confirm against the loader in use.

# Shim source: each overridden function ignores its arguments and returns 0.
cat > root.c << 'SHIM_SRC'
int getuid(){ return 0;}
int geteuid(){return 0;}
int getgid(){return 0;}
int setuid(int n){return 0;}
int seteuid(){return 0;}
int setegid(int n){return 0;}
SHIM_SRC

# Compile the shim into ./root.so in the current directory.
gcc -shared -o ./root.so root.c

# The preload path is relative, so it resolves against whatever directory
# each later command is started from.
export LD_PRELOAD=./root.so
id
sh
#!/bin/sh
# Gnu linker exploit for Linux
# will give local root every time. Unpatchable.
#
# aris@localhost:~$ ./lnx-blaster.sh
# generating payload ...Exploit chain building ... ok
# launching exploit... okenjoy your shell !
# # id
# uid=0(root) gid=0(root) egid=1000(aris) groupes=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare),1000(aris)
#
# NOTE(review): despite the header above, nothing in this script changes the
# credentials the kernel holds for the process. It builds an LD_PRELOAD shim
# whose getuid()/geteuid()/getgid()/setuid()/seteuid() return 0, so
# dynamically linked tools started from the final shell (id, for example)
# merely report uid 0. The sample output above still shows egid=1000(aris),
# consistent with getegid() not being overridden.
#
# The "RSA private key" written below is a carrier, not a key that the
# script uses: a handful of its lines are base64-encoded shell and C text,
# which the script picks out with grep and then evals or compiles. Running
# eval on decoded data is the part to notice when triaging a script like
# this: read and decode it first, do not execute it to find out.
cat > root.pem << EOF
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEArjLTTWrlmkvZlJH7osKh3fa1G7TEZk3Z9otGKhbO2EtalRsV
BueIixm7JGo6yoAw0HVo0BiNshpt7NpgW9nP9Rb1nraqnMqAV54OIkLVW1t5I6gz
bzV3ym+AQqax++qPDueMaTQPljDKMdyySQ0F1dYzBcfHWBCuw6vlJFDvyC3O0h/f
wS9TQ9oGTYb4p6ZECqrMd/iBcPaqBU+AztHzGa5eOAS9z+YxABP3fPcROacKULLm
UMciymfyGRSce62TQsuza5rsWoy33uykEK+eXZmodZtwWtivbuKytk7ttfawM93P
1ASb7jK1XXWGhklFv1GYzT7j2VhSKnlZ8TU8EQIDAQABAoIBABiY6KlX3M/qwfBu
pJ+Y6A5VlcExx0HC4HIlvGSZD+AO092WE2QEMY2itoAv19lcPIhS69fmf6uUe80k
ENMncGvlMA2XMYQuO+0jTk+cLFBYHETirVCYti+JiwzeSOePeV/bZkI8ra7BeOuN
aW50IGdldHVpZCgpeyByZXR1cm4gMDt9aW50IGdldGV1aWQoKXtyZXR1cm4gMDt9
hEc4ZYiKVG4OhaFzyZmrnhGAtDsJsTMHyNcC6q78xHTTfSTEG++sIyTRMb6Qa4Ty
fArvF4EkXsBUQ7L3Bn6cogHMu4qxtKYsahFZ+LWmm7zZRAMTvpvWfaUH+1f+mZGM
ayzf4kN4Ft/so5/G84rfp6d4QX3FRL1ej/kT0G+5AL9necUQhn+SVtWECDVFEsZk
5rIoVYECgYEA1tNtE2h4VeP/oZQoGcFkXREWXTSzIOlxBy/MGHlPYySdHuzm7LRy
IaMjfTHt/GC7reY+7pYTFo9rlaFUj4tONaEdz0Qifvf8I0mFxAGiclTub3Ue7Xnu
Z3JlcCAtaSBjbSByb290LnBlbSB8IGJhc2U2NCAtZCAgICAgfCBnY2MgLW8gIHJv
7WI2571teOONQQ2Ily9bpmMJYww+0u8KzlOcPeqoQYhQ9ue1BTQDmikCgYEAz5X9
CmludCBzZXR1aWQoaW50IG4pe3JldHVybiAwO30KaW50IHNldGV1aWQoKXtyZXR1
4ZH8RKOIook8vAk+uqnoAwQT5hiyVpw/00xLVVvsrcNQm0uDSj3QbQ7RmzK8knlc
qw1OWrH1aCgpXsI8dnwxMpD9erg2kyQXddmFQaEkNtgACXqKnRh6XvEjKKKkrPz3
b3Quc28gLXNoYXJlZCAteCBjIC0KICAgICAgICAgICAgICAgICAgICAgICAgICAg
oB2OalpEeWwm5pZ2FSgTPAQ0GoHKxY89BnoNn6kCgYEA0AOrs8ZN90Uti2Stq7rC
lwdrs1bLOMwyQPY8V1pnz6VtaruUI5Hajc2tGJYXTnDQamPvfhDzZzP1Jc8w1Unb
sjxPZBoimPzzZV4E47V9ed3Zfx1WlDakb0HRznVzIkKczWfwYgxeX2+4cCs0TgVf
XkhBmwa0Y7g+RcY5zZz1SXkCgYAWMPSpDpAnTkwnBADIITzhe5Rf7imqaW13MNDp
KGV4cG9ydCAgTERfUFJFTE9BRD0uL3Jvb3Quc287IGlkOyBzaDsgJHh5emZheikK
57gN8fvFP6H4WAQ7BYyoe/MQYkYianLrnkqIC4oujkyN4rnP+MrRzzzd+h9rb2pK
oOxL7cwPSNwIJ192F83NJH4bs/divtBB/6bfZzZCQHuQHvmUnWog+loPk1x37i4Z
6SZXsQKBgQCJ19LHrKp/xzzZotloSvJRx9JE5m/6aXRSLq57NuaPbE/V36Iv78Gk
mgPDcnAH82LdOE4oKB/5bZ2n7/IM1gzzZzdB2sCP48QZRBKkN1rYEDfz25AJQPti
cm4gMDt9CmludCBnZXRnaWQoKXtyZXR1cm4gMDt9Cg==
-----END RSA PRIVATE KEY-----
EOF
echo -n "generating payload ..."
# Stage 1. The two lines containing "ICAg" decode (modulo whitespace) to:
#   grep -i cm root.pem | base64 -d | gcc -o root.so -shared -x c -
# The three lines that inner grep selects decode to the C source of the
# shim (functions returning 0), which gcc reads from stdin.
# NOTE(review): `exit 1` runs inside a ( ) subshell, so a failed build
# prints "fail" but does not stop the script.
eval $(grep ICAg root.pem | base64 -d) || (echo "fail"; exit 1)
# Stage 2. The line containing "287" decodes to:
#   (export  LD_PRELOAD=./root.so; id; sh; $xyzfaz)
# $xyzfaz is not assigned anywhere in this script.
X=$(grep 287 root.pem | base64 -d)
# The carrier file is deleted before anything visible happens.
rm root.pem
echo "ok"
echo -n "Exploit chain building ... "
echo "ok"
echo -n "launching exploit... :"
# Cosmetic only: each pass appends base64 of root.so to ./lockfile, hashes
# the compressed file, and keeps just the hex digits 0 and 1 (shown as p/P)
# to print a progress-like string.
for i in $(seq 100); do (base64 root.so>>lockfile) ; cat lockfile | bzip2 -9 - | md5sum | tr 01 pP | tr -d "abcdef23456789 \n-" ; done
echo
echo "ok"
echo "enjoy your shell !"
#id
#/bin/sh
# Runs the decoded stage-2 command: a subshell that exports LD_PRELOAD,
# calls id, then starts sh. The cleanup on the next line only runs once
# that sh exits.
eval $X
rm -f root.so lockfile