Hacking a temporary “W(1)” — pt. 9

gcc -L/opt/csw/lib w_hacked.c -lintl
export LD_LIBRARY_PATH="/opt/csw/lib"

In order to do this exploit properly, 2 UTMPX entries will need to be used. 1 is the “last” one in the table and it must be pre-destined before takeoff. In other words, must be setup before calling “W.” It is where the fake TREE structure will go. FAKE tree struct is 0x30, 48d bytes.

struct utmpx {
        char    ut_user[32];            /* user login name */
        char    ut_id[4];               /* inittab id */
        char    ut_line[32];            /* device name (console, lnxx) */

Wow!! What luck! 36 bytes, just enough to fit in the best data available to mankind before the line variable, which is a real POTA to get by the checks..NICE..

struct utmpx {
        char    ut_user[32];            /* user login name */
        char    ut_id[4];               /* inittab id */
        char    ut_line[32];            /* device name (console, lnxx) */
        pid_t   ut_pid;                 /* process id */
        short   ut_type;                /* type of entry */
#if !defined(_XPG4_2) || defined(__EXTENSIONS__)
        struct exit_status ut_exit;     /* process termination/exit status */
#else
        struct ut_exit_status ut_exit;  /* process termination/exit status */
#endif
        struct timeval ut_tv;           /* time entry was made */
        int     ut_session;             /* session ID, used for windowing */
#if !defined(_XPG4_2) || defined(__EXTENSIONS__)
        int     pad[5];                 /* reserved for future use */
#else
        int     __pad[5];               /* reserved for future use */
#endif
        short   ut_syslen;              /* significant length of ut_host */
                                        /*   including terminating null */
        char    ut_host[257];           /* remote host name */
};

Need to get proper size…

-bash-3.00$ cat sizeof_struct_tmpx.c
#include <utmpx.h>

main()
{

  printf ("sizeof struct utmpx = 0x%x", sizeof(struct utmpx));
}
-bash-3.00$ ./sizeof_struct_tmpx
sizeof struct utmpx = 0x174

The 2nd structure.. well all it really needs to hold is something in the first word ; )
0x174 + 8 .. The +8 is on account of the malloc behavior..
(0x17c ^ 0xFFFFFFFF) +1 = 0xFFFFFE84 <- that's the value for the 2nd UTMPX entry name field. Anything else there is junk. Welp, I leave off realizing oddly that the heap over-write point is like 17 utemp entries extra than anticipated... and.. the written value isn't doing what I expect.. so I need to go through in the debugger... for another day...

Posted in Uncategorized

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Skip to toolbar