Comment by not_your_vase

19 hours ago

Is there a readable version of the exploit readily available by any chance? Gotta admit that I failed binary-zip-interpretation-with-naked-eye class twice

4 comments

not_your_vase

progval 19 hours ago

The binary "zip" isn't the exploit, it's the shellcode. The exploit is the rest, which changes the code of a SUID executable (su).

tgies 12 hours ago

I have a C translation here that should be pretty readable https://github.com/tgies/copy-fail-c

stackghost 17 hours ago

The call to zlib basically overwrites a minimal ELF into a portion of the `su` binary, which exceve's /bin/sh.

Sophira 3 hours ago
To be specific, the zlib'd binary basically does this (except that it directly uses Linux syscalls to do so rather then C wrappers):
setuid(0); execve("/bin/sh", NULL, NULL); exit(0);