The artsd binary is not setuid; it's supposed to be called by the setuid artswrapper application (which sets a higher scheduling priority, setuid(getuid())'s and executes the real artsd binary). I haven't bothered to look through the shellcode for backdoors yet...

---

hdm@masada:/tools> head -n 20 bp_artsd.c && ls -la /opt/kde3/bin/artsd && cat /etc/SuSE-release
/* bp_artsd.c
 * KDE 2/3 artsd 1.0.0 local root exploit
 *
 * credits: dvorak (helped me A LOT!@#), electronicsouls.org
 *
 * greets:
 * bp members, dvorak, null, r00t, obz, rafa, nouse, module, phrack man,
 * philer, preamble, eth1cal
 * fucks to: fd0 (du schwule schlumpf)
 *
 * -kokane <kokane@segfault.ch>
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

#define BSIZE 1033
#define ESIZE 5120
#define RET 0xbffff808 /* tested on suse linux 8.0 */
-rwxr-xr-x 1 root root 126696 May 14 19:30 /opt/kde3/bin/artsd
SuSE Linux 8.0 (i386)
VERSION = 8.0

On Monday 29 July 2002 12:55, kokane wrote:
> KDE 2/3 artsd 1.0.0 local root exploit PoC.
>
> Cheers,
> -kokane
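
The wrapper pattern described in the message above (raise the scheduling priority, setuid(getuid()), then execute the real binary), as an added example that is not part of the original post and is not the artswrapper source. The function names, the priority value and the command-line handling are assumptions made for illustration; the sketch also verifies that the privilege drop took effect and reports whether the target binary is itself setuid, the same property the `ls -la` output above checks.

```c
/* Added illustration of a privilege-dropping wrapper; not artswrapper. */
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/resource.h>

/* 1 if path has the setuid bit, 0 if not, -1 if it cannot be stat'ed. */
int binary_is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Permanently give up any setuid/setgid privilege. Group first, since
 * setgid() is no longer permitted once the uid has been dropped. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* For a non-root caller, getting root back must now fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/daemon [args...]\n", argv[0]);
        return 2;
    }
    /* The one privileged step; -5 is a constructed value. */
    if (setpriority(PRIO_PROCESS, 0, -5) != 0)
        perror("setpriority");              /* best effort, not fatal */
    if (drop_to_real_ids() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to exec\n");
        return 1;
    }
    if (binary_is_setuid(argv[1]) == 1)
        fprintf(stderr, "warning: %s is itself setuid\n", argv[1]);
    execv(argv[1], &argv[1]);
    perror("execv");
    return 1;
}
```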