Portable shell-exploit for buffer-overflow bugs



Hello str0ke,

I reviewed the exploits listed. Yes, all of them use the shell but they
exploit trivially shell-exploitable bugs (like race conditions, ld-preload,
etc) or include other "external" programs (like cc, perl, etc) or assume
Linux/bash as well as other more or less recent environments.

The nearest exploit to what I was looking for (buffer overflow exploit in
shell-scripting) is:
http://milw0rm.com/exploits/18

But it lacks compatibility. For instance, the "echo" command is very variable,
depending on OS/Shell version. I've uploaded a proof of concept which I
wrote some time ago, showing my approach, to:
http://www.rs-labs.com/exploitsntools/rs_aix_host.sh
(~6 KB)

It may not be perfect but my goal was to make it work in a very old minimal
Unix environment (the exploit yields local root on AIX 4.1.4.0, abusing a
known and ancient bug: ~ 10 years old!) and at the same time compatible
with some recent systems like Linux/bash (logically, the vulnerability is
not present in such systems, I'm referring to the skel of the exploit).

Feedback would be appreciated.

PS: I'm cc'ing some lists where this post could suit. Moderators should decide.

Cheers,
-Roman


str0ke wrote:
How goes it Roman,

Which other "curious" exploits in shell do you know of?

Attached is a list of the known exploits that are in shell, some call
other languages some don't.

Be safe,
/str0ke


------------------------------------------------------------------------

date        exploit title        url        exploit author        platform
------------------------------------------------------------------------------
2003-04-23 Snort <=1.9.1 Remote Root Exploit (p7snort191.sh) http://milw0rm.com/exploits/18 truff linux
2003-05-02 OpenSSH/PAM <= 3.6.1p1 Remote Users Ident (gossh.sh) http://milw0rm.com/exploits/26 Nicolas Couture linux
2003-07-22 Cisco IOS (using hping) Remote Denial of Service Exploit http://milw0rm.com/exploits/62 zerash hardware
2004-01-25 MS Windows XP/2003 Samba Share Resource Exhaustion Exploit http://milw0rm.com/exploits/148 Steve Ladjabi windows
2000-11-16 /sbin/restore exploit (rh6.2) http://milw0rm.com/exploits/182 n/a linux
2000-11-17 Slackware Linux /usr/bin/ppp-off Insecure /tmp Call Exploit http://milw0rm.com/exploits/185 sinfony linux
2000-11-19 dump 0.4b15 Local Root Exploit http://milw0rm.com/exploits/193 Mat linux
2000-11-19 HP-UX 11.00/10.20 crontab Overwrite Files Exploit http://milw0rm.com/exploits/195 dubhe hp-ux
2000-11-21 vixie-cron Local Root Exploit http://milw0rm.com/exploits/203 Michal Zalewski linux
2000-12-15 Pine (Local Message Grabber) Exploit http://milw0rm.com/exploits/231 Mat linux
2001-01-02 Redhat 6.1 / 6.2 TTY Flood Users Exploit http://milw0rm.com/exploits/236 teleh0r linux
2001-01-03 Solaris 2.6 / 7 / 8 Lock Users Out of mailx Exploit http://milw0rm.com/exploits/240 optyx solaris
2001-01-25 glibc-2.2 and openssh-2.3.0p1 exploits glibc >= 2.1.9x http://milw0rm.com/exploits/258 krochos linux
2001-05-07 IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/bin/lpstat Local Exploit http://milw0rm.com/exploits/265 LSD-PLaNET irix
2001-05-08 IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/lib/print/netprint Local Exploit http://milw0rm.com/exploits/270 LSD-PLaNET irix
2001-03-04 GLIBC 2.1.3 ld_preload Local Exploit http://milw0rm.com/exploits/290 shadow linux
1997-05-03 Solaris 2.5.1 lp and lpsched Symlink Vulnerabilities http://milw0rm.com/exploits/330 Chris Sheldon solaris
1997-05-19 Solaris 2.5.0/2.5.1 ps & chkey Data Buffer Exploit http://milw0rm.com/exploits/332 Joe Zbiciak solaris
2004-07-22 Xitami Web Server Denial of Service Exploit http://milw0rm.com/exploits/362 CoolICE windows
2004-09-07 CDRDAO Local Root Exploit http://milw0rm.com/exploits/434 Karol Więsek linux
2004-09-22 MS Windows JPEG Processing Buffer Overrun Exploit (MS04-028) http://milw0rm.com/exploits/474 perplexy windows
2004-09-23 MS Windows JPEG GDI+ Overflow Administrator Exploit (MS04-028) http://milw0rm.com/exploits/475 Elia Florio windows
2004-09-28 Serendipity 0.7-beta1 SQL Injection Proof of Concept http://milw0rm.com/exploits/561 aCiDBiTS php
2004-10-16 BSD bmon <= 1.2.1_2 Local Exploit http://milw0rm.com/exploits/579 Idan Nahoum bsd
2004-12-21 AIX 5.1 to 5.3 lsmcode Local Root Command Execution http://milw0rm.com/exploits/701 cees-bart aix
2005-01-30 Linux ncpfs Local Exploit http://milw0rm.com/exploits/779 super linux
2005-02-07 Exim <= 4.42 Local Root Exploit http://milw0rm.com/exploits/796 Dark Eagle linux
2005-03-25 AIX <= 5.3.0 (invscout) Local Command Execution Vulnerability http://milw0rm.com/exploits/898 ri0t aix
2005-04-07 PHP-Nuke 6.x - 7.6 Top module Remote Sql Injection Exploit http://milw0rm.com/exploits/921 Fabrizi Andrea php
2005-05-17 Linux Mandrake <= 10.2 cdrdao Local Root Exploit http://milw0rm.com/exploits/997 newbug linux
2005-08-05 Lantronix Secure Console Server (edituser) Local Root Exploit http://milw0rm.com/exploits/1136 c0ntex linux
2005-09-24 Qpopper <= 4.0.8 (poppassd) Local Root Exploit (linux) http://milw0rm.com/exploits/1229 kcope linux
2005-09-24 Qpopper <= 4.0.8 (poppassd) Local Root Exploit (freebsd) http://milw0rm.com/exploits/1230 kcope bsd
2005-11-08 SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit http://milw0rm.com/exploits/1299 Hunger linux
2005-11-09 Operator Shell (osh) 1.7-14 Local Root Exploit http://milw0rm.com/exploits/1300 Charles Stevenson linux
2006-02-08 QNX Neutrino 6.2.1 (phfont) Race Condition Local Root Exploit http://milw0rm.com/exploits/1479 kokanin QNX
2006-02-08 QNX RTOS 6.3.0 Insecure rc.local Permissions Plus System Crash Exploit http://milw0rm.com/exploits/1481 kokanin QNX
2005-10-10 SGI IRIX <= 6.5.28 (runpriv) Design Error Vulnerability http://milw0rm.com/exploits/1577 n/a irix
2006-07-14 Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4) http://milw0rm.com/exploits/2011 Sunay linux
2006-07-15 Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit http://milw0rm.com/exploits/2016 Xavier de Leon linux
2006-07-21 MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) http://milw0rm.com/exploits/2052 redsand windows
2006-08-01 Mac OS X <= 10.4.7 fetchmail Privilege Escalation Exploit http://milw0rm.com/exploits/2108 Kevin Finisterre osX
2006-08-08 liblesstif <= 2-0.93.94-4mdk (DEBUG_FILE) Local Root Exploit http://milw0rm.com/exploits/2144 Karol Wiesek linux
2006-08-21 Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC http://milw0rm.com/exploits/2237 Jacobo Avariento multiple
2006-08-22 Solaris 8 / 9 (/usr/ucb/ps) Local Information Leak Exploit http://milw0rm.com/exploits/2242 Marco Ivaldi solaris
2006-09-27 OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit http://milw0rm.com/exploits/2444 Tavis Ormandy multiple