-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
WINNY THOMAS typed:
> While running top on a tool of mine to do a profiling test the top
> command ran into a segmentation fault. I could find two instances
> where the command could misbehave
>
> 1. if you have junk data inside a file .toprc in your home
> directory
> 2. if your environment variable HOME is set to a string that's
> greater than 1024.
>
> I managed to spawn a shell out of top command by exploiting the
> second issue. If you compile and run the exploit code which I am
> including in the mail body you will get a shell. In case you don't
> you could pass parameters to the program as follows to adjust the
> offset. The vulnerability detail is included in the code comment
>
> [winnythomas_at_r8 WinnyThomas]$ ./putshellcode 1001
> sh-2.05b$ exit
> exit
> [winnythomas_at_r8 WinnyThomas]$ ./putshellcode 120
> Illegal instruction
> [winnythomas_at_r8 WinnyThomas]$ ./putshellcode 1010
> sh-2.05b$ exit
> exit
>
> In most of the tests I did on the vulnerable code I got a shell on my
> system without passing any parameter to the program (that is, the
> hardcoded offset of 1111 in my program worked well on my system).
>
> /* PoC */ --snipped--
Nice. With Libsafe guarding against attempts to write across stack
boundaries on my system, I get this:
ayaz[1]:~/programming/exploits/misc> ./top-local-shell
Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/bin/top.
uid=1001 euid=1001 pid=1189
Call stack:
0x400189c0 /lib/libsafe.so.2.0.16
0x40018ab4 /lib/libsafe.so.2.0.16
0x8049a76 /usr/bin/top
0x8049cda /usr/bin/top
0x4008ed01 /lib/libc-2.3.2.so
Overflow caused by strcpy()
Killed
It tells me that strcpy() is the culprit -- as usual.
- --
Ayaz Ahmed Khan http://fast-ce.org/ayaz/
I was going through some code from 2002, frustrated at
the lack of comments, cursing the moron who
put this spaghetti together, only to realize later that
I was the moron who had written it.
-- CowboyRobot wrote on /.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/
iQEVAwUBQn921QFi6bOwa2ADAQLltwf+PnSF5HGoSiCl1GjoUptvzfLmajcXOUWx
Hq/SIE2TQCi8/U8NmaukYOcD8hJNfR3x1Wxw8LyGHkSOXO4woE/+Nbi6d5DDNX+N
kS3pGA6ORwxFhyz77Y+cdKlPSa3UIBJS+PQC22e517KYXzwo30nlTF/MTz9/tVyj
KhBjexg5i2vsPThgOZ+6N2AN5N5Emp2j0FPIOGnADsnaOBME/afbZj95Rd2LFZJW
axbyKdjwj6z+1zs982+u9Qk53cgdAWbt1rl0gfY9So5gLRTHbNy0NX7xBIZzAgsp
cLukWq4Lh5RLwM4FB6+UN75JticHTTwEkvMggSDk24loKqseuQPXSQ==
=eAtw
-----END PGP SIGNATURE-----
Received on May 10 2005
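The two reports above describe the same root cause from both sides: an environment value copied with strcpy() into a fixed stack buffer (the crash and the shell), and a bounds-checking libc wrapper catching that copy (the Libsafe trace). The following added example, written for this page and not taken from top's source or from either poster, reconstructs the assumed shape of that bug next to a bounded replacement. The buffer size RCPATH_MAX, the file name "/.toprc", and all function names are assumptions chosen to match the report's description (HOME longer than 1024 characters as the trigger).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed on-stack buffer; the report's trigger
 * (HOME longer than 1024 characters) suggests a buffer of this size. */
#define RCPATH_MAX 1024
#define RCNAME "/.toprc"

/* Vulnerable shape described in the report (an assumed reconstruction,
 * not top's actual source): the HOME value lands in a fixed-size buffer
 * through strcpy(), which never looks at the destination size. */
static void build_rc_path_unsafe(const char *home, char *out)
{
    strcpy(out, home);     /* writes past 'out' once strlen(home) >= RCPATH_MAX */
    strcat(out, RCNAME);
}

/* Hardened form: compute the required length first and refuse oversized
 * input outright (no silent truncation), then let snprintf enforce the bound. */
static int build_rc_path(const char *home, char *out, size_t outlen)
{
    if (home == NULL || out == NULL || outlen == 0)
        return -1;
    size_t need = strlen(home) + strlen(RCNAME) + 1;   /* +1 for the NUL */
    if (need > outlen)
        return -1;
    int n = snprintf(out, outlen, "%s%s", home, RCNAME);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Convenience wrapper over a static buffer: NULL when the value is rejected. */
static const char *rc_path_for(const char *home)
{
    static char path[RCPATH_MAX];
    return build_rc_path(home, path, sizeof path) == 0 ? path : NULL;
}

/* Builds a constructed HOME value of 'len' 'A' characters and reports what
 * the bounded version does with it: 0 = accepted, -1 = rejected. */
static int probe_home_length(size_t len)
{
    char *home = malloc(len + 1);
    if (home == NULL)
        return -1;
    memset(home, 'A', len);
    home[len] = '\0';
    char path[RCPATH_MAX];
    int rc = build_rc_path(home, path, sizeof path);
    free(home);
    return rc;
}

/* For in-range input the two versions produce the same path; the only
 * behavioural difference is what happens once the bound is exceeded. */
static int unsafe_matches_bounded_for_short_input(void)
{
    char a[RCPATH_MAX], b[RCPATH_MAX];
    build_rc_path_unsafe("/home/user", a);
    if (build_rc_path("/home/user", b, sizeof b) != 0)
        return 0;
    return strcmp(a, b) == 0;
}

int main(void)
{
    const char *p = rc_path_for(getenv("HOME"));
    if (p == NULL) {
        fprintf(stderr, "HOME unset or too long; not reading rc file\n");
        return 1;
    }
    printf("rc file: %s\n", p);
    return 0;
}
```

Run with an ordinary HOME and it prints the rc path; run with `HOME=$(printf 'A%.0s' $(seq 1100))` and the bounded version exits with an error instead of writing past the buffer. Refusing rather than truncating is deliberate: a truncated path would quietly point at a different file, which is its own class of bug.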